OSINT Pt.4: Following a Scam Trail
From Email Headers to Domain Ties
Every scam leaves footprints—email headers, domain registrations, reused infrastructure. OSINT can follow these threads to reveal the bigger picture. In this monster guide, we’ll dissect scams step by step and show how investigators and the public can expose entire networks from a single email.
Scams may look like isolated emails, but they are connected webs of domains, infrastructure, and personas. OSINT is the flashlight that reveals the whole network.
Why Follow the Scam Trail?
Every scam message is a starting point. Attackers reuse domains, hosting, SSL certificates, registrar accounts, and sometimes even email addresses. By pulling on one thread, you can unravel dozens of linked operations.
For investigators, this means mapping criminal infrastructure. For the public, it means learning how to spot red flags before falling victim.
Step 1: Start with the Email Header
Email headers contain routing and authentication details.
- From / Return-Path – who claims to send the email.
- Received-From chain – the real servers used.
- SPF/DKIM/DMARC – checks for domain spoofing.
Case Study: A “Microsoft support” scam email claimed to be from @microsoft.com, but the Received line showed it originated from an ISP in Nigeria.
Public Tip: In Gmail, click “Show original” to view headers. Outlook: “View Message Source.”
Step 2: Extract and Analyze Domains
Scam emails almost always contain links.
- Use WHOIS lookups for registration details.
- Identify registrar, creation date, and hosting provider.
- Pivot on nameservers – many scam domains use the same cheap DNS host.
- Pivot on IP addresses – multiple scam domains often share a single IP.
Case Study: Analysts exposed a romance scam network when 30+ domains were tied to the same IP in Eastern Europe.
Step 3: Connect Infrastructure
Beyond domains, scammers leave fingerprints across infrastructure.
- SSL certificates – same certificate used across many phishing sites.
- Google Analytics / AdSense IDs – reused tracking codes.
- Email addresses in WHOIS – often recycled across registrations.
- Favicon hashes – unique website icons can connect multiple sites.
Case Study: A fake “Amazon refund” site shared the same SSL cert and favicon as several fake banking login sites, linking them to one operator.
Step 4: OSINT Tools in Action
- RiskIQ / PassiveTotal – pivot across domains, IPs, WHOIS.
- VirusTotal – see historical resolutions, related files.
- SecurityTrails – deep WHOIS and infrastructure history.
- Shodan / Censys – search for servers, SSL certs.
- urlscan.io – analyze URLs and screenshots.
Step 5: Building the Network Graph
Once pivots are collected, analysts visualize them.
- Tools: Maltego, SpiderFoot HX, i2 Analyst’s Notebook.
- Graph connections: domains ↔ IPs ↔ SSL ↔ emails.
- This often reveals entire scam ecosystems instead of isolated incidents.
Case Study: An investigation into one phishing email uncovered a graph of 200 linked domains, all tied to the same registrar account.
Real-World Impact
- Law enforcement: Build cases against organized crime.
- Banks: Detect coordinated phishing targeting their customers.
- Journalists: Map global scam operations for exposés.
- Public: Recognize scam patterns (typosquatted domains, reused hosting).
Protecting Yourself
- Check senders carefully – don’t trust the display name.
- Hover over links before clicking.
- Look up domains – age and registrar are big clues.
- Report scams to providers and security groups.
- Don’t engage scammers – they thrive on interaction.
Key Takeaway
A scam email is never just one message—it’s a thread leading to infrastructure, domains, and operators behind entire networks. OSINT makes it possible to expose and disrupt them.
For the public: learn to spot the clues.
For analysts: map the trail to illuminate the bigger picture.
Up Next:
OSINT Pt.5: What Strangers Can Learn About You in 5 Minutes
