As part of our ongoing series tied to Cybersecurity Awareness Month, we thought we might highlight a recent case in which our client, a large medical device company, discovered an imposter website had been set up to sell knock-off products using a similar name and branding. Our client rightfully expressed concern that the site could not only hurt their reputation and their bottom line, but could bring harm to those who fell prey to the scam given the nature of the products being sold. Our client sought to learn who was behind the website.

Given that many websites are registered to proxies, determining who is behind a particular one can pose challenges and demands a multifaceted approach, including the requisite review of the site’s domain registration information, checking the site itself for contact information and/or terms and conditions that identify the site’s operator, and inspecting the website’s underlying HTML code for any clues, such as a Google Analytics unique identifier. Running the site through archival tools, such as The Wayback Machine, can also shed light on different iterations of the site and information that may have been previously removed or obfuscated.
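To illustrate the HTML-inspection step, the following added example (not code from the original investigation) extracts Google Analytics IDs, email addresses and phone numbers from saved page source and reports which identifiers appear on more than one site. The function names are hypothetical, and every domain, address and ID in the sample data is constructed.

```python
import re
from collections import defaultdict

UA_RE = re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b")   # Universal Analytics: UA-<account>-<property>
GA4_RE = re.compile(r"\bG-[A-Z0-9]{6,12}\b")       # GA4 measurement ID
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d[\d\s().-]{7,}\d")     # international format only

def extract_identifiers(html):
    """Return a set of (kind, normalized_value) pairs found in page source."""
    found = set()
    # Keep only the account part so sibling properties of one account still match.
    found |= {("ga_account", "UA-" + m) for m in UA_RE.findall(html)}
    found |= {("ga4_id", m) for m in GA4_RE.findall(html)}
    found |= {("email", m.lower()) for m in EMAIL_RE.findall(html)}
    # Compare phone numbers on digits only; sites format them differently.
    found |= {("phone", re.sub(r"\D", "", m)) for m in PHONE_RE.findall(html)}
    return found

def shared_identifiers(pages):
    """Map each identifier seen on two or more sites to the sorted list of those sites."""
    seen = defaultdict(set)
    for site, html in pages.items():
        for ident in extract_identifiers(html):
            seen[ident].add(site)
    return {ident: sorted(sites) for ident, sites in seen.items() if len(sites) > 1}

# Constructed sample snapshots (saved page source or archived copies); not real sites.
SAMPLE_PAGES = {
    "imposter-shop.example": """<script>ga('create', 'UA-4471203-2', 'auto');</script>
        <a href="mailto:Deals@mail.example">Contact</a> <p>Call +1 (555) 010-0199</p>""",
    "cheap-instruments.example": """<script>ga('create', 'UA-4471203-7', 'auto');</script>
        <p>Orders: +1 555.010.0199 or deals@mail.example</p>""",
    "unrelated-blog.example": """<script>gtag('config', 'G-ABC123DEF4');</script>
        <a href="mailto:editor@blog.example">Editor</a>""",
}

if __name__ == "__main__":
    for (kind, value), sites in sorted(shared_identifiers(SAMPLE_PAGES).items()):
        print(f"{kind:10} {value:22} {', '.join(sites)}")
```

A shared identifier is a lead to corroborate, not proof of common ownership, since templates and copied pages can carry someone else's tracking ID.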

In our client’s case, our investigative path took a few different turns.

The Identifiers

At first glance, the website offered little for us to go on. Its “About” page contained images of supposed team members; however, a quick reverse Google Image search revealed the photos had been used on dozens of other websites, with the individuals shown having different names and working in entirely different industries.

Importantly, the site did contain a phone number and a generic email address (we’ll call it “devices@gmail.com”), so we started our probing there. We identified multiple public conversations in Google Groups—essentially message boards usually centered around a theme or topic—containing posts that referenced these identifiers, all of which pertained to the sale of medical instruments and devices manufactured and sold by our client. In a span of about five years, “devices@gmail.com” had posted multiple times in several Google Groups, always advertising “good deals” and “sample packs” to “built [sic] trust.” These posts would also include other phone numbers and email addresses where the seller could be reached for these “good deals,” as well as a few seemingly fake names for the seller (we’ll call one “Joe Spot,” who could be reached at joespot@gmail.com).

As we continued to review these conversations, one post caught our eye. A few years prior, a user posted a warning to readers indicating there was a man (we’ll call him “John Doctor”) who had been advertising medical devices using a host of pseudonyms, including “Joe Spot.” Because the pseudonym “Joe Spot” had been referenced in posts by devices@gmail.com, the email address shown on the initial scam website, we believed John Doctor to be the man we were looking for.

Investigating John Doctor

Upon digging further into John Doctor online, we quickly learned he appeared to be based in a small African country and had set up multiple social media accounts under both his name (John Doctor) and a few of his other commonly used pseudonyms (such as “Joe Spot”). Some of these accounts posted photos of what appeared to be packaged medical instruments and other products, and spoke about international shipping services. Another account had posted photos of shipping documents that were partially redacted but were in the primary language spoken in the country where John Doctor was purportedly based.

Further research into the additional email address and phone numbers posted in the Google Groups conversations by “devices@gmail.com” identified other fake websites and posts peddling medical devices at low prices. In short, it was increasingly clear that John Doctor had deep experience selling medical products online and shipping them internationally, making it more and more likely he was, at least in part, responsible for the scam website attempting to defraud our client. We detailed our investigative work and findings in a report for our client, who worked to determine next steps in getting the website removed in partnership with counsel.

In recent years, we have seen a substantial increase in cases relating to cyberstalking, cyber threats, IP theft and other issues aided by the relative anonymity of the internet. Given the rapid adoption (and lack of corresponding regulation) of artificial intelligence (AI) throughout individuals’ personal and professional lives, determining what is real and what is fake—and who exactly is behind a scam, a threat or other problematic content online—will become ever more important.