← All talks

Finding Ghost Jobs and Ghost Companies using OSINT

BSides Charm 202646:0030 viewsPublished 2026-06Watch on YouTube ↗
Speakers
Tags
TopicOSINT
StyleTalk
About this talk
A cyber threat analyst walks through OSINT techniques for vetting suspicious job postings and the companies behind them. Using a case study of a shell company offering absurd salaries under fake identities, the talk demonstrates pivoting through people-search sites, corporate registries like OpenCorporates, and registered-agent trails to uncover fraud. Practical guidance for job seekers on spotting ghost jobs, phantom employers, and protecting personal information during a search.
Show original YouTube description
Ghost jobs run amok. This presentation will go into a series of methods that can be used to research companies looking for qualified applicants to make sure you aren't sharing your professional information with no hope for success. Included in this short talk will be a case study where one specific company was seemingly hiring, but basic research revealed a mystery. It was a company with no customers, no reputation, but was offering roles at ludicrous salaries, all hidden behind shell companies, fake offices, and fake identities. This talk will discuss tips on how to spot companies like this and the lengths it can take to reveal the truth just by knowing where to look. Patrick Wheltle Hello! I am a cyber threat analyst who has been working in cybersecurity since 2016. While I do cyber analysis for a living, I picked up fun OSINT and data analysis projects as a hobby.
Show transcript [en]

Hello everybody. How y'all doing? Uh, so if you're here for GPU forensics, my sincerest apologies. I am filling in at the last minute. Um, but I am doing something that's pretty cool here. So, I like to think that this is a pretty fun talk. Uh, so before we go ahead and start, hello, my name is Patrick Wed. I am born a cyber security analyst born here in Baltimore, Maryland. Go Ravens. Go. Uh, again, I was on the schedule until about 10 minutes ago. Uh, so if you're here for GPO forensics, you're in the wrong place, but it's not like there's another place for it. Uh, so we're going to talk about uh ghost jobs and ghost companies. I'm going to try to

embrace my inner Tyler Huntley here. So, Pro Bowl, let's go. Is there a lot of overlap between like cyber nerds and sports nerds? I feel like there should be. All right. So, hello. Welcome to Ghost Jobs and Ghost Companies peering beyond the veil using OSENT. So, for my background again, I've been a cyber security analyst for the last nine years, and this is my first time speaking at a bides event. Uh, I had a chance to do a shorter version of this talk at Wild West Hackingfest this past year. Uh, and I'm grateful to get a chance to expand on it further. Um, I've got my like the normal, let's get the next slide going. I got like the normal

suite of cyber security certifications, but currently my favorite right now is the practical OSENT research professional. Not because it's particularly prestigious or difficult to get or anything like that. I just really like the acronym Patrick Wed PORP. I just think there's like there's an elegance to it and I really like it. So, um, also I work at Nevermore Haunt in Baltimore, which is just like an old town mall just south of here. So I feel like I've got like the intel side and I got the spooky side to really capture this talk. So but let's go ahead and get some definitions first before we get started. So in this context, what is a ghost job? A ghost job is a posting on a

board like Indeed or LinkedIn that the company really doesn't have any intention of filling it all. Uh they could be collecting resumes for to get like a feel for the job market. Uh they could be trying to just give the illusion of growth to investors or they have an internal candidate in mind and they just want to post something externally for regulatory reasons. Um, but the most important part is that they suck and everybody hates them. Um, but before we get into too far into the talk, a lot of ghost jobs truly if it is just like an internal hire that they have no intention of filling that they put an external thing out there, aside

from reading minds, there's not much you can do about that. Um, there can be hints like really low or really high salaries for the like experience requirements. But if they truly have no intention of filling that role, there's nothing really you can do on the outside. But there are some things in this talk that I think can help you if they're trying to just kind of fraudulently do anything. So in this context, what is a ghost company? A ghost company in this context means something that doesn't really exist outside of a paper trail or at least they aren't who they say they are. Uh this kind of became a hobby of mine to look for these. Um, and I end up finding

a bunch of unheard companies that when I was digging around, most of them being around here were just a little less than truthful about the government contracts they were on. I'm sure that that is a familiar feeling for everybody in this room if you are local. Um, so they might be hiring for a company, a contract that wasn't awarded yet, or they got the contract, but they don't have any employees, so they'd be held to work for because right now it's just one guy with an LLC. Uh, and yeah, digging into this kind of became a hobby of mine because, you know, why not? So, what is OSENT? For those of you unfamiliar, open source? OSENT stands for open source

intelligence, which is an all-encompassing term for information and connections that you can gather using public data sets. That can be state records, social media, technical information like DNS or who is, uh, or just some clever Googling. Uh, the most important part for something to count as OSENT, it needs to be publicly available. uh without any social engineering or illegitimate access. Uh so for example for ghosts uh gravestone rubbings or going around a cemetery and looking at the the headstones that's osent that is available to anybody who happens to be walking by. Um what is not osent would be a seance. So that is gathering information that is not readily available to anybody else. And when I came up with this sort of like

analogy, I was trying to figure out it's like ghoul int, ghost int, like what's the what's the int for what's the intelligence category for speaking with the dead? Um, there are some tricks where the line gets a little bit blurry, but in general, if it's open publicly, it's OSENT. If it's not, it's not. So, it's not a proper tech talk without some crappy meme here. So, we'll go ahead and uh So, what is OSEN? Uh, what my friends think I do, the Pepe Sylvia yarn. Uh, what my mom thinks I do is robbing people. What I I like to think I'm Q from like James Bond and all that stuff. And other people think I'm a Facebook

stalker, but what I really do is capt. Lots and lots of captions. And why do I do captions? Because we need to talk about operational security before we go anywhere. So, we need to talk about OBSSE. So the fun thing about OSENT is that investigations there's literally nothing stopping you from starting an investigation literally right now on your phone. Um like right the this talk I know means is supposed to be like an like an extensive method of like what you should or should not do. Um so I want to give it a bit of disclaimer before we go any further. So opsec stands for operational security. It's the steps that you need can take to

conceal yourself or your activities when you're gathering information when accessing a public data set especially one that is online. you by definition are accessing somebody else's computer. Uh that means everything that you do is seen by the web master, advertisers, your ISP, social media platform. Uh for example, if you're going to a company's website, uh in theory, your IP address and user agent string and all that other stuff is going to be able to show up in their logs. And now whether anyone actually reads those logs is still up in the air, but it's something you need to consider. There are different technologies that you can use to help conceal yourself online. The simplest is

a VPN or a VPS. Um these aren't foolproof because again like a VPN provider is going to have some understanding of where you're going. And uh I personally for like some of my investigations I rent out a VPS. Um but I understand my risk with that. If I access a website the person who's seeing what I'm accessing from will only see the cloud provider that I rent out. However, the provider I go with has pretty strict know your customer rules. So they have my real name and my like credit card and all that good stuff. So, if I were to do something illegal and somebody were to get a warrant, uh, they would be able to go to the cloud

provider and find me. Now, that's not my use case, so I'm not too hung up about it, but I understand what the risk is and I understand where my exposure is. Um, so puppets, sock puppets are fake social media accounts that aren't tied to you personally at all. Uh, these have varying different difficulties to set up. Sometimes it's just a fake email and or temporary email at that. Um, but sometimes you need to get like a Mint Mobile phone number to set up one so you don't have it associated with your real phone number. That's like a, you know, a oneweek free trial. It costs like $2 and then you set up your accounts then you

forget about it. Um, so also my uh my go-to for setting up sock puppets. I'm a musician as a hobbyist as well. So I like to set up fake band projects where it's like this is going to be the new alt grind core, you know, dubstep AI music phenomenon. Stay tuned. Big things coming. Um, and then I realized that nobody looks at your profiles if you pretend you really, really, really want them to. So, I kind of blend in with the half-finished music project on the web. So, I, you know, I think that's nice. Um, you can also use a VM, public Wi-Fi, or there's any other steps you want to take. It's really up to you to determine

what your appropriate level of security is for whatever you're doing. Uh, it's just like looking at a job posting and wanting to see if they're a real company or not. Like, whatever. Just Google it or LinkedIn. That's totally fine. But if you're going to go into deeper rabbit holes, you know, understand what you're getting yourself into and take some steps to take some steps to protect yourself. So, why am I doing this? Um, so, well, there's a couple big reasons. First, uh, I'm hoping that you guys can walk away with some tips on how to spot some of these companies and what you can do to be like maybe take a step further and see if whoever you're looking at is

is real or not. Um, for those of you who are hiring, maybe you can take some uh take something away from this talk by if you realize that you kind of look sketchy yourself, be less sketchy and maybe pivot a little bit. Um, and I also wanted to share this is not a theoretical threat here. Uh, PaloAlto's unit 42 research group has outed they named a group called contagious interview which is North Korean hackers who set up a fake job interview and have you do a coding challenge and that coding challenge happens to be malware. So this is something that they are targeting people who are, you know, this is a tight job market. A lot of people

are desperate. So it's like you should be aware that there are people who are looking to steal your money and infect you with malware. Uh not everybody, not trying to get like FUD or anything like that, but it's something to be aware of. Also, these skill sets can be used if you are a white hat researcher. Um if you stumble upon a data set of victim information, the same tips you can use to find fake companies, you can then use those to find the real companies and let them know like, hey, something happened here. Um and lastly, uh this is very fun. I really enjoy myself when I do this. Uh and again, this presentation

itself won't make you an expert. Um hell, me giving this presentation doesn't necessarily make the me an expert because like there is just so much to learn. So the barrier to entry to this stuff like this is low. So if you have good note-taking skills and you're nosy, give it a shot. So case study, why why am I here? What happened? And all that good stuff. So I am going to be referencing a case study that started this all for me. Um this particular case kind of became an obsession of mine to an unhealthy level and uh I found a role for an OSENT investigator that caught my eye because the salary was pretty high for the

experience requirements. So and I'd never heard of the company before. So I went checked it out see what it was. So, by the way, everything that you hear in this presentation is true as I saw it, but I am changing the proper nouns. So, this it's going to be using spooky standins for the companies and the names. Yeah, it's all public data sets, but uh if something is wrong, which that's a very real possibility, I don't want to get sued or anything like that. Um, and the point of this is so that you can learn the techniques, not necessarily for me to like stunt hack and say, "Oh, look at this cool thing I found." Um, so yeah, this is true. All

this is true, just the names are different. So, Spooky Security LLC, there is the job posting that I saw originally. Uh, it seemed like a normal small tech startup company, but there was one detail that kind of set off alarm bells for me. I looked at the other job openings and the positions that they had were starting salary of half a million, which is pretty good. If you can get it, and it maxed out at $760,000, which I'm cool with. That would be very nice. However, in the job description, they were looking for people with already deep established connections with the defense sector. Uh um and so uh I just my my shift my thought just kind of shifted from like

some no-name startup to maybe something a smidge more malicious. So I did an initial blitz to see if I could uh like this is something I wanted to dig into. And that quick investigation revealed that this company was very weird to put it plainly. Uh the there were so many little things that were incredibly strange. Um and just I just kept digging and I kept finding more stuff. But we're going to go ahead and start with where I started this investigation, which is domain research. Every company is going to have a domain that you guys can look at. Um, and a lot of the domains are going to have like some pretty basic information that you should be able to

find anywhere. Uh, seuitees, addresses, contacts, email addresses, general industry, all that stuff. So, um, seuite members, these names are easy to check on LinkedIn uh, and other news sites where you can get a feel if this is a real person or not. However, just because a person is real does not necessarily mean that they are in any way involved with the company at all. Um, there was one crypto company that I was looking into. It's not the not Spooky Security, but a different one. Uh, and it had a page for leadership team and the guys, they were all on a team together. And then I realized that uh this wasn't the CEO of this company

at all. It was a car company that they literally cloned the entire website, control Fed the company name, and replaced it with their own. And except for like even the favicon was the old company's website. So except for the front splash page, everything else was exactly identical. Um, so yeah, just because like they're there doesn't necessarily mean they are involved at all. Uh, addresses. A lot of times these sketchy sites will use the same templates and a lot of times those addresses won't even be real. If you're bored, literally just go look up 123 Tech Street and you will see hundreds of companies that happen to be at 123 Tech Street, Innovation California, Pakistan. like

um yeah, you can throw the Google you can throw the addresses into Google Maps and figure out where they're supposed to be located. Uh small tech company have like operating out of a residential home or like a PO box or a small office park is not actually anything to be like too worried about. Um but if you find yourself in like a vacant lot in De Moine, Iowa uh or like the middle of a road in New Mexico, maybe consider that. So contact us. The website will have a contact us page. Um, and there are services out there to check to see if that email address actually goes somewhere, you can check to see if it'll

actually just bounce back as undeliverable. So, if also if the company is supposed to be like, we're a Fortune 500, we've made a billion dollars last year and their contact us is hotmail.com, probably not. Um, so yeah, and customers, all these sites almost always have like customer feedback, but you can just like grab a random string in the middle of the testimonial, control F, Google it with quotes around it, and if it shows up in half a dozen other companies, yeah, that's these are all just from the same template. And yeah, industry, you want to get an idea of what industry they're in, uh, and search to see if anyone else has ever heard of them before. Um there

are a lot bunch of other record types that uh can reveal information such as who is or DNS information which typically don't show a lot but it sometimes can reveal when and if a company was or website was created recently. Uh there's a tool that I use that um I'm not associated with it all. I just really like them, Silent Push. Uh they have a free community edition that's really cool. Uh it has a bunch of historical records for like DNS and stuff like that. And my dad runs a boiler shop in the city and one of his customers got hacked and then his domain got typo squatted. So it was supposed to be an M and it was coming back as an RN

and then sent like a oh actually we have a new invoice here. Can you send it to this bank account and said classic business email compromise. Um and on silent push in about two seconds I was able to put that domain in saw that it was six days old and it went straight to the provider. It even gave the like abuse email to send so that we can get a hold of them. Um, so that was like really helpful and it's free, so I recommend it if you are looking into domain information like that. Um, there's also a site called backlinks watch. Uh, backlinks let you show where a website has been linked elsewhere in

the web. Um, so the more legit more people are discussing it. Uh, more unleit. It's just going to kind of be in those SEO page rank websites. Uh, so yeah, in general, look up the address, look up the context, see where it goes in Google Maps. Oh, and uh look and see if the website is if the text is AI generated. There's detectors out there. They're not 100% accurate, but a lot of real companies use AI to write their company website. So, it's not like a guarantee that they're but 100% of fake companies use AI to make their own website. So, what did I find when I was doing my initial deep dive into spooky

security? So, we're going to do a lightning round because this was a lot. Um, let's begin. We had stock tickers that don't exist, cryptocurrencies that don't exist, software that doesn't exist, no user guides, manuals, or Stack Overflow posts or anything like that. Basically, no chatter about these guys at all. Uh, there was, yeah, the backlinks led to nowhere. It was, just random SEO websites. Uh, there was a link to the company Instagram account that was set to private, had zero posts, and 140,000 followers. That's not real. This is not a real thing. Um, yeah, there's no way we can do it without botting, especially with no chatter about them at all. Uh, there was a link to a job posting that

led to an authentication page which asked for a PIN, but if you just stood there and did nothing for 3 seconds, it let you in anyway, which is rad. Uh, behind it was a PDF with nothing but like their marketing strategy, but it was covered in government portion marks, but those portion marks didn't actually associate at all with the data written there, and they were just kind of nonsense. Um, the address of the company led to a skyscraper where you can rent virtual office space in Wilmington, Delaware, which lets you incorporate in Delaware without actually being in Delaware for $99 a month. Uh, when I found this, I was deep in my obsession about these guys at this point. And it's

right, it's like an hour away from here. Um, so my wife and I got lunch. I went to the building and I took a selfie in front of it. Um, and it was a Sunday, so the front door was locked, but I when I pulled it, the security guy buzzed me in, and uh, he let me flip through the directory, I was basically like, "Yeah, I think these guys might not be real. Have you ever heard of them?" He had never heard of them at all. So, uh, that was fun. So, another really fun thing about the initial sort of deep dive into these guys was I found their deleted attempt to make a Wikipedia page about

themselves. um where the mods of Wikipedia were asking the same questions I was which was who the hell are you guys because yeah you can't just like set up a Wikipedia page about yourself unless you were like actually notable of some kind. Um so because it's Wikipedia though the logs for the mod chats are all public. So I was actually able to read the back and forth between whoever was trying to create the website and the Wikipedia mods. That's all deleted now. Uh and the username of the person who tried to create it unfortunately was a dead end. I I tried to see if I could follow that. But on the deleted Wikipedia page, I found three names that

were apparently the seauite members of this company. So again, we're going to use fake names here, but uh this is what we got. We're going to go with more ghosts. So we have the CEO of the company, Gengar. Uh the chief legal officer, oh come on, Booberry. and the chief commercial officer. Oh, come on. Bloody Mary. All right, so that's those are the three names that were associated with the Wikipedia. Um, so let's talk about people search. So people search, uh, there are quite a few sites available for if you had a specific name or address to search. Um, these can be a bit difficult to parse if you're looking for someone named Maria, Muhammad, or John. Um, however, these

sites let you filter down by state, phone number, age, which can help result like narrow those results. Uh, my personal favorite is the cyber background check. It's just what's given me the best results. Um, now these aren't entirely reliable. A lot of these data scrapers get things mixed up. And one of my personal projects when I was like starting to get into this was building a dossier on myself and seeing what kind of info was about me on the web. And there were quite a few things like there were some addresses, some phone numbers, and emails that were all mixed up between me, relatives, and complete strangers. And it's easy to spot when something's wrong when it's

about yourself, but it's nearly impossible when it's someone you don't know. So, you could keep it as something as like as evidence, keep it as potential information, put it in your notes, but don't treat it as gospel. Um, that said, Mr. Barry had a very unique name and uh something I'd never heard before. So, it was pretty easy to conclude that yeah, this guy, he wasn't real. Like, there was nothing about him. Uh I could not find a single person in the entire country that matched that name. And the only information that I could find that was associated with that name tied right back to Spooky Security. So, like that run actually wrapped up pretty quickly. That was that was pretty

easy. Thank you, Booberry. Um one down, two to go. So, we got two more of these guys to go through. Let's talk about corporate records. You know, very exciting stuff. Uh, when it comes to looking for corporate records, uh, there are a few sites that are available. One of my favorite is the, uh, is open corporates.com, which is a public data set of basic corporate records. Um, there are two main things that can help you when you start your search. Uh, you can either search by the company name or the name of the officers in that company. So this is useful for a few reasons. Uh one, you can pivot from company names to see if that company is

solo or if they are a branch from another company in a different state. Uh you can also see if the people running this company have other reg other companies registered in their names which could reveal additional avenues to investigate if they have some reputation if they're like a serial startup guy or something like that. Now the individual pages have a few things that would be useful to us. uh it'll have your basic information names officers addresses and you can compare that to the information that you've already gathered from your search so far. And again, pop the address into Google Maps and see where it goes. Uh, another thing that's really helpful is the registered agent.

This is supposed to be the person who accepts all the legal paperwork for the company. Now, a lot of those registered agents tend to be LLC's themselves. So, the registered agents also have their own registered agents, which is a whole trail that you have to follow. Um, but we'll get back to that pin. We're going to put a pin in that for right now. It'll also tell you what state it's registered in. And it should have a link to the state website that you can actually pull up like the in theory the articles of incorporation. U, and it's going to have some good information for whatever you're looking at. But as with everything, your mileage may vary. And

there are other websites that catalog this information, but Open Corporates is my favorite. So, uh, it's my go-to. That said, Bloody Mary here. This was a trip. I love this. I put Spooky Securities into opencorporates.com and yes, we saw Gengar and Mary there, but when I Googled Bloody Mary's name, there was a lot of talk about her because if you look for her on open corporates, uh, she comes back with 72,000 companies in her name. That is very, very weird. Uh, and folks didn't have a clue who she was truly. Like there was like people speculating that this is some sort of like I am Spartacus situation where you like show up to the bank and you're like

who are you? Like Bloody Mary and they're like yeah sure buddy like here you go here's your LLC. Um and by the way I did actually follow up because after doing this talk in at Wild West uh she only has 68,000 companies now. So you know things have changed. Um, but there were actual legal proceedings that had her name listed in there and the legal proceedings said we don't know if this is a real person or not. Uh, so like a real ghost CCO. So a lot of things like this when it comes to like OSET in general, some of these things don't get dug up just because other people assumed someone else has looked. So, I started looking

and again, I stayed up way too late on a week night uh digging as deep as I could on multiple week nights. Uh digging up deep as I could, showing up to work exhausted and obsessed. Um I started with Spooky Security on Open Corporates and then that was registered by an LLC that reg that was registered by an LLC was a branch into another state which was registered by another LLC, but that LLC didn't have anything that was at the very top. So, I searched for those guys and found at the very top layer a company that makes companies for $200. They'll do all the paperwork for you and then they just need to have a person to

sign the documents and uh that company was headquartered in Texas and that means uh it narrows down where I have to do a real estate search. Texas files where you can look up like real estate records. And so I popped I looked up Bloody Mary's name and there was one person and I popped that address in. I put the address of the company. 20 minute drive. In all likelihood we got him. Uh so uh so I did a little digging into social media here. Um, and yeah, like she's a real person and I'm not going to get too in the weeds of like what we did for that just because like you know she's kind of just a lady with a job and that

job is literally setting up LLC's. Like if you looked at most of the records they are like nail salons, you know, yoga studios, car mechanics, stuff like that where it's just someone who wants to do something but they don't necessarily do the paperwork for setting up a company. So, like she seems nice and she's just kind of like the lightning rod, the person who has to sign off as the organizer of that. And so, that's why she's all there. Uh, but most importantly for me, she has nothing to do with spooky security. Why is she listed as a seuite member? I have no idea. She has not I was freaking out. This is I was not okay, guys. Uh, so

yeah, two down, two to go. Um, so I was mentioning social media earlier, and we're going to go ahead and dig into that a little bit. Um, so social media is a treasure trove of stuff like this. There is no shortage of information you can get from Tik Tok, Instagram, Facebook, Reddit or whatever else. Uh, there's also a whole extra conversation we can have about the less than public information in Telegram and Discord servers. Uh, but to this topic, we're going to be focusing on LinkedIn. Now, in my experience, LinkedIn is a bit of a mess when it comes to doing OSENT because their whole business model is they want you to buy LinkedIn premium.

Uh, so your searches can only go so far without it. Um, and also, uh, you know, the, uh, excuse me. Um, where was I? Uh, yeah. And if the if the person you're looking at has LinkedIn Premium, uh, they can see if you're looking at their profile. And for the most part, it doesn't really matter, but if they are some sort of scammer and or some narrwell, this could be a problem. Also, for the most part, you have to be logged in to see anything. And I don't know if anyone else has this problem, but I keep getting my LinkedIn sock puppets banned. Um, I don't know if I'm been particularly unlucky, but it's been

harsh on me and asks me to upload a government ID. And uh, I just don't want to be that guy trying to get a fake ID from like the other like teenagers who are just trying to buy booze. And it's like, what are you doing here, man? In my mid-30s being like, I'm just trying to get a LinkedIn account, you know? Like, no, that's that's really lame. I don't want to do it. Um, but even with its difficulties, LinkedIn is still a valuable resource. And again, if you're just doing a quick search, um, you can just see if the post is that you found ondeed is legit or not. Um, and it should be your first place to search if

you're just doing a real quick deep dive. Um, if you pivot by individual or by company page, uh, all that can all help you determine whether where you should look next. And always note, check for AI posts. So Gengar here, Gengar was listed as the founder of the company and at first he was a bit difficult to track down but eventually I was able to find a copyright registered to his name which included an email address and that email address had a personalized domain which was huge for me. I I found out that that domain resolved to some charity website for like getting the Gengar Foundation which was like getting tech to kids in Africa or something like that but it

doesn't matter because it wasn't real like it wasn't a real charity. Uh the website itself was pretty much non-functional, but it was the missing link I needed to do to find this person's LinkedIn because uh when I was doing the original search, I couldn't find it because it was just first initial last name. Uh since I did this investigation, that guy's LinkedIn has been completely wiped and the charity website now leads to a deleted YouTube link. It's weird. Um so, but yeah, like on their LinkedIn, I was able to see they're like some sort of serial startup guy. Most of them seem to be nonprofits focused on tech or kids or something, but all the domains either

404 under construction or just weren't functional. I was able to match some of these orgs on open corporates were also tied to his name. So they were real in the sense that they were in good standing and registered with the safe, but they they weren't real in the sense that they did anything. So like like So who was this guy? I was I was freaking out. Um, of the 10 companies on this page, one of them was not like the others. It was like this esports league. Um, but I Googled that and I found that at least that existed that that had an online presence and that was like there was a community with a Discord and all

sorts of thing. And it was the most concrete thing that I had landed on in this entire investigation. So, oh yeah, Gengar Gaming. I stole that from some guy's YouTube profile. Sorry. Um, so this led me, this is kind of a thing kind of blew it wide open. I found a fake New York Times article hosted on an AWS bucket that was connected to one of Gengar's other fake companies. And it was about a 15-year-old who started a million-dollar company in his bedroom. It was esports tech and DeFi, which was like the esports league, apparently. And who was this 15-year-old? None other than Gengar. So there were actually there were actually two separate copies of the article that was being hosted. So

I was able to download them. I did some metadata analysis which revealed that the PDFs actually predated the formation of spooky security by about 2 years. So there was some serious time put into this. Um and when I mentioned this at Wild West uh I actually got the questions like oh have you done version metadata analysis? And I said I don't know what that is. Um so no I didn't. Uh, it turns out PDFs, I'm just going to share this with you guys because I didn't know PDFs save history in there. So, you can actually revert to older versions of that PDF because it's all saved in there that they don't get rid of the changes. So, I

didn't know that. Maybe that'll help you with something. So, but that means that this guy was 15 years old in 2020. So Gengar here, if he was 15 in 2020, that would put him at 21 today. Narrowing that down, I was able to specifically search for colleges. And uh yeah, in all likelihood, the guy at the top of this company that I had been obsessing with over for weeks was in all likelihood an undergrad. So yeah, everywhere um three up, three down. Uh and uh the very important thing is that one of the most important things when it comes to OEN investigations, it's not necessarily where to start. There's no shortage of places to start, it's when to stop. So I

kind of, you know, I kind of set my flag in there and uh called it a day. Or at least that's what I thought I did. Twist of the century. Let's go, guys. So, what is the actual purpose of this company here? All right. So, I thought I I I didn't know and uh I still don't know, but I have a better idea of it than I did the last time I talked about this. We had an insider. All right. Um, so one thing I hadn't mentioned when I was talking about the LinkedIn research was that aside from the CEO, I had found only one other person uh who listed themselves as an employee of this company. And they

even had the job role that I was talking about at the very beginning that apparently paid half million dollars. So which like good for them, right? But they still had the filter of hash open to work on their profile picture, which like listen, I don't know about you, but if I'm making half a million dollars, you're dragging me out of there. Like even if I hated that job, I'm quiet quitting until you fire me. And then I say, "How many hours did I build?" All right, cool. Um, so like that was that that didn't line up. Um, but there wasn't really much to go off of with that guy. So, like I kind of just like

took a couple screenshots, jotted it down in my notes and then moved on. A few months later though, I found out that the guy got a new job and this job seemed legit and he seemed to be happier there and he seemed nice and the curiosity got the best of me. So, I buckled down. I got the free trial of LinkedIn Premium and I reached out to him. This is decidedly no longer oent by the way. uh this person person was still a perfect stranger and and when I reached out I was completely honest. I was just like hey dude um my name is Pat and I have been obsessed with your old employer. Is there any possibility I

could ask you a few questions? And uh yeah luckily it turns out he had questions of his own that needed answering as well. So he was just as confused as I was. So we set up a a Zoom call and uh started chatting. So, uh, over that hour I I go over the stuff that I had discovered and then he told me what it was like on the inside of the company. Um, it turns out like he was helping a sick family member for a while. So, he had like a gap in his resume. So, he was taking whatever he could get. Um, and Spooky Security brought him on board. Now, in theory, Spooky Security is supposed to be making

like like security software for like first responders or something like that. And this guy had like Feder experience. He's like, "Yeah, dude. Like, just let me let me see it. I can like totally like let's get this on board and we'll get this we'll get the process going. And meanwhile they're all organizing entirely on signal and saying like no no no that's fine. Can we just get your emails? >> Can we just get your contacts? Hey, what's the phone number of the person who's like the most like high level? Can we just get their email? Can we Hey, can we just get their email? That's totally fine. Um and uh and yeah, he never saw

any software being made. Uh, and eventually he just got sketched out and moved on. And I asked him about the compensation. He told me he never saw a dime. Uh, but I did get permission to tell him or to tell you guys about the conversation that we had together. So, and that's that really right there kind of shifted it from because I thought originally it's like this is some kid who's watched way too much finance Tik Tok and now it is uh oh wait that might actually be a a touch more malicious. Now, that really is the end of the story when it comes to this because before this talk, I went and checked and I

tried to see what was still left and a lot of the websites I were looking at had been deleted or wiped and all the job postings have been taken down and I don't think I'll at this point find out what really happened there. And at this point, it's probably better that way. So, all right. So, where does that leave us? So, I'm going to leave this up right here. Uh this is like the list of tools that I used for this particular investigation. Um we don't have time to go into the details for all of them, but uh we'll go over the main points. One thing that I didn't list here is Obsidian. I use Obsidian for all my

note-taking. It's great. Uh it's free. It's saves to markdown and you can like link it to other stuff. I It's spectacular. It makes it really easy to share. Um but yeah, you can take a picture of this if you want. Uh this is not extensive. There's way more stuff out there. I just what's useful to me. Um, but yeah, vast majority of if you're looking for ghost jobs, open corporates, LinkedIn, and some basic Googling does most of the heavy lifting for you. I still do these deep dives into something I see weird every now and again. Um, if you're bored and like looking at weird job postings for fun because you're cool like I am. Uh, just go on Wellound,

which is like a startup like it's a job board for startups and you go look for roles that are equity only. Um, and really it's like, do you want to work for that guy who's like, I have an idea for an app. Can you do the front end and the back end and the marketing and the security? Can you do that? And I'll just be the ideas guy. If you want to work for a guy like that, there you go. You can have that one for free. Um, I swear to God, if I had half the like self-confidence of like some of these founders, I would be unstoppable. You would not be able to stop me. Uh, yeah.

But um so you don't need to go into dep in depth as I did when it comes to when you should come to a conclusion that you shouldn't apply somewhere. Uh this talk should give you some tools to do your own research. Uh but again, follow your gut. If it looks too good to be true, then it probably is. Uh there are AI agents apparently out there that will apply for a million jobs for you. I'd avoid those if I were you just because you have no idea where your personal information is going and I shouldn't have to tell a room full of cyber security professionals that there are people on the internet who are not who

they pretend to be. Um, best case scenario, you waste your time. Worst case scenario, there are actual malicious actors out there who are looking to do you harm and are willing to take advantage of a tight job market to pray on someone who might be desperate for work. So, keep your head clear, be safe, and be smart. And last piece of advice, um I this is my shot in the dark. If that happened to be your company and you recognized it, uh and you happen to be in the room, uh this is actually anyone else who's hiring for a startup. My advice to you, if your company looks like it could possibly be a malicious intelligence operation,

don't make your company look like it could be a malicious intelligence operation. And that is it for me.

I I suppose we have time for questions if anyone has any >> you not try to find retribution with them. I mean you did all the research but >> well I mean >> revenge whatsoever >> that that that >> glitter bombs >> sending glitter well like the the addresses that they were going to were just like random business parks that they definitely had no actual footprint in. So, I'd be glitter bombing some poor mail clerk. Um, and yeah, like there were there were contacts and like like emails that I could have like, you know, pretended put like a fake resume and all that stuff like that, but again, that leads that goes outside of OSENT and more into like

social engineering and I just didn't really have an interest in that. >> I know. But >> have you? >> Yes. Yes, that is an uh that is another tool available. Wayback machine is for anyone who is interested. Uh is a it holds backups of websites and stuff like that. So if something gets deleted um you can pull something else up. That was a a separate Osent investigation that I uh was somebody was like harassing a friend of mine's Instagram account. Um, and he had this really crappy blog where he was selling a really crappy book, but uh it was basically like you put in your Twitter handle and he cyberh harasses you, but it says it's interactive r

ultimate reality game r a rg. There we go. Um, and the fun thing about the Wayback Machine was it was listed as $10, but if you go into the Wayback Machine to an earlier copy of that website, it was $20 scratched out. $10. So, yeah, that one's fun, too. >> Yeah. >> So, I uh a lot of this ends up being fairly manual. Um, I tried to implement like sort of like AI like scrapers to do some of the work, but by definition uh if you are looking at something like this, there's just not a lot of information out there. So, it's easy for a machine to get sidetracked and then find something that is completely

different. Cuz like the whole point with hallucinations is like if it's an information starved environment, it's just going to try to grab anything. And if I wasn't in an information starved environment, I would already have the answer. So, it's like I I've tried to use stuff like that. Um I do use like scrapers to just grab like an entire HTML page so I don't have to like jot everything down. It's like all right, I'm on that page. Press this button like a I can't remember the extension I have on Firefox, but it's literally just it grabs the HTML straight up. So, it presents exactly as uh as I saw it originally, maybe with like some images

broken. So there are tools like that that help you save the notes, but I haven't really seen anything and you that could just be a skill issue, but uh yeah, when it comes to like automating any of that, it's difficult.

>> That's a fun one. Um, so, uh, if I was a bad actor, the trouble is like the thing about this is that this works. Um, and so it's more of a numbers game. Like it's not necessarily like I can create the perfect fake company that looks legit or I can create a hundred crappy ones and like if it works like it's probably the same amount of effort and it probably has a higher success rate like if 90 of them get outed or wiped or anything like that then who cares, right? So, if I was the adversary, if I was trying to fake this, um, yeah, I would just try to maybe like use like a real person that's not paying

attention and then set it up in their hometown. But, uh, more likely just, you know, quality uh, quantity over quality.

No, again that's so that's getting into social engineering and like outside of the OSENT realm. Um not something that I really want to like get into as far as like interaction and all that stuff, especially if I don't know who they are. Like vast majority of the stuff that I found is just like it's not like malicious and it's not even necessarily like fake, it's just kind of bad. Um like it's just like oh that's just kind of a really weird idea. Um, so yeah. No, I haven't really done anything like that. The most like sort of like outside of OSEN that I got into was reaching out to the guy who used to work

there. >> You find any legit companies and just be like dude like >> Yeah. So Wellfound, if you go to the ones that have not gotten any funding yet, you're going to see some wild stuff. It's just like we're going to start like blockchain for umbrellas. And it's like what? um stuff like that. So, it's just like uh uh if you want to just and then there's another guy at Wild West who like like put me on to another company that was like this guy was really excited about the patents that he got, but like the patents were like, "Hey, uh do you have Ethernet in your office, but you don't have a power plug? You

you can use this Ethernet adapter as your power plug." And it's like I don't think you're ever really going to be in a circumstance where you have one, not the other. Uh but so like that was a real the guy legit had a patent and he legit made the thing. It's just like you know there's only so much you can do with that, >> right? Who knows? Maybe like there's like some spaceship that like uses Ethernet but it's like oh we forgot to put plugs in here. What are we gonna do? I think unless we have any other questions. I think we're actually at time. We have five more minutes. If I can probably take one more if you got

one. Oh,

>> uh, so again, like if you're if this is truly like legitimate company and the hiring manager truly has no intention of filling it, outside looking in, there's not much you can do to spot that other than like having an understanding of like what the job market really looks like and if it's completely off like uh there was like one government contractor that was like TSSCI clearance you need to have 10 years experience we're starting at 60k and it's like ah no that's not how that works um and uh so just something is off like that is probably the best indication that either they're not serious or they just haven't thought it All right. I hope you guys like the

talk. Appreciate it.

[ feedback ]