Dark Ops Undercovered: Episode III – Hello Mr. Andersan


– The fake Solicitor hired to remove articles from investigative media

On November 23, 2020, Qurium received an e-mail from “Johan Andersan” requesting that we remove a three-year-old article by the Angolan investigative news team “Maka Angola”, run by the renowned journalist and anti-corruption activist Rafael Marques de Morais.

Mail from “Johan Andersan”.

The e-mail from “Johan Andersan” had some interesting “features”:

  • SENDER HEADERS SPOOFED: The mail originated from the IP addresses 192.175.22{.}229 and 185{.}254.97.192 and was routed by mail servers of mxsvr{.}net. It did not come from Google servers but from another mail provider.
  • EMAIL TRACKING: The mail also included an e-mail tracking pixel, used by “Mr. Andersan” to be notified when the recipient opened the e-mail.
  • REUSE OF A TEMPLATE: The content of the e-mail referred to “an Copyright Content” on our hosted website, when the article was in fact about a corruption case.

The tracking pixel embedded in the mail:

<img src="hxxp://mxsvr.net/TRACKINGID/signature.gif" width="1" height="1" alt="" style="display:none">

Where is the mail sent from?

When looking into the domain that forwarded the email (mxsvr.net), Qurium found a simple webpage of the company MXSvr.NET “Professional Email Solutions”.

When analyzing historical records of the mxsvr{.}net domain name, Qurium found several other domain names related to mail services:

  • whoreadme{.}com
  • readmail{.}us
  • mailimg{.}us

“mxsvr_net” is “whoreadme_com”

The visible face of the e-mail service used by “Mr Andersan”, which allows spoofing of e-mail sender addresses and tracking of the readers of the e-mails, is whoreadme{.}com.

The service is provided by Sei-Kan Kiu, a Malaysian web developer. Unfortunately, his free e-mail service lacks any abuse contact details, and it has been used in the past to distribute malware and run campaigns (1) (2) against human rights groups.

Domain Name: MAILIMG.US
Administrative Contact Name: SK Kiu
Administrative Contact Email: 0s65akl1oc{@}gmail.com

Finding 1: Mr. Andersan uses whoread.me to track his victims.

Mr. Andersan answers our mails

We decided to answer the “Solicitor General” Mr. Johan Andersan at his gmail.com address, and within a few minutes we received a response. Andersan’s response and the e-mail header gave us a new hint.

When dealing with a Swedish organization like Qurium, it is not a great idea to use a Scandinavian surname AND misspell it (Andersson vs Andersan). Mr. Andersan clearly does not speak any Scandinavian language. So where is this man from?

From: Johan Andersan <johanandersan{@}gmail.com>
Date: Mon, 23 Nov 2020 18:14:52 +0530

Andersan’s mail revealed that his timezone is UTC +05:30, which corresponds to India or Sri Lanka.
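The three header clues above (a relay chain that never touches the claimed sender's provider, the UTC offset in the Date header, and a hidden 1x1 tracking image) can be pulled out of a raw message automatically. The script below is an added example, not Qurium's tooling; the sample mail, its hosts and IPs are constructed placeholders modelled on the headers described, and the relay-domain check is a simple heuristic.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
# Constructed sample modelled on the headers described in the post; the hosts,
# IPs and tracking id are placeholders, not values taken from the post.
RAW_MAIL = """\
Received: from relay.mailrelay.invalid (relay.mailrelay.invalid [203.0.113.10])
\tby mx.example.org with ESMTP; Mon, 23 Nov 2020 12:44:55 +0000
Received: from client.invalid ([198.51.100.7])
\tby relay.mailrelay.invalid with ESMTP; Mon, 23 Nov 2020 12:44:52 +0000
From: Johan Andersan <someone@gmail.com>
Date: Mon, 23 Nov 2020 18:14:52 +0530
Content-Type: text/html; charset="utf-8"

<p>Remove the article.</p>
<img src="http://relay.mailrelay.invalid/TRACKINGID/signature.gif" width="1" height="1" alt="" style="display:none">
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
SRC_RE = re.compile(r'src="([^"]+)"', re.I)
BEACON_RE = re.compile(r'width="1"|display:\s*none', re.I)
# Heuristic: a mail really sent from a gmail.com account passes a Google host.
RELAY_HINTS = {"gmail.com": ("google.com", "gmail.com")}

def received_ips(msg):
    """Relay IPs from the Received chain, last hop first."""
    return [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)]

def relay_mismatch(msg):
    """True when no relay in the chain belongs to the claimed sender domain."""
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    chain = " ".join(msg.get_all("Received", [])).lower()
    return not any(h in chain for h in RELAY_HINTS.get(domain, (domain,)))

def sender_utc_offset_hours(msg):
    """UTC offset of the sender's clock, read from the Date header."""
    return parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() / 3600

def tracking_pixels(html):
    """src of 1x1 or hidden <img> tags, i.e. read-receipt beacons."""
    tags = [t for t in IMG_RE.findall(html) if BEACON_RE.search(t)]
    return [m.group(1) for m in map(SRC_RE.search, tags) if m]

def analyse(raw):
    msg = message_from_string(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    return {"ips": received_ips(msg), "relay_mismatch": relay_mismatch(msg),
            "utc_offset": sender_utc_offset_hours(msg),
            "pixels": tracking_pixels(html)}
```

On the sample the relay chain yields no Google host for a gmail.com sender, the clock offset comes out as +5.5 hours, and the beacon URL is listed.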

Time zone map: UTC+05:30.

Looking at traffic coming to our servers, we could see that “Mr Andersan” uses several VPN services, such as HMA (Hide My Ass) and Avast, to hide his location.

Finding 2: Mr. Andersan works from India.

Mr. Andersan, QNET and DMCA

When searching for “Johan Andersan” we found out (2) that he has been involved in filing several DMCA complaints in 2017 about criticism of the multi-level marketing (MLM) company QNET.

Mr. Andersan has also worked on a “reputation campaign” to counter criticism of the Ducatus MLM digital currency, which has offices in Dubai. We also found that he filed complaints to remove content about blood diamonds in Angola.

His strategy is to impersonate a solicitor and demand content removal on copyright grounds.

To our knowledge, Mr. Andersan has filed dozens of complaints of this type and has been harassing newspapers for at least four years.

Finding 3: Mr. Andersan has filed DMCA complaints to Google for articles about QNET and Ducatus Cryptocurrency.

The November Assignment

During November 2020, “Mr Andersan” sent several mails with DMCA complaints to newspapers. All of them had published articles on how Isabel dos Santos, daughter of Angola’s former President José Eduardo dos Santos, amassed her wealth over the years. The fake solicitor also sent mails to newspapers covering the “Luanda Leaks”.

During a week of e-mail exchange with Mr Andersan, in which the fake solicitor asked us to take down articles by Maka Angola, we requested documentation to support the requests. In a hilarious twist, “Mr Andersan aka Solicitor General” finally told us that he is an “online reputation representative” of the French newspaper “Le Monde” and provided us with a Belgian telephone number for us to reach him.

Finding 4: In November 2020, Mr Andersan got the assignment to take down critical articles about Isabel dos Santos.

Mr Andersan and Indophone ASN

When reviewing “Mr Andersan’s” activity in our network we soon realized that he was operating from India. One of the providers he used was Indophone AS134946, which had its prefixes allocated by a larger provider, AS132116 Ani Network, in 2017.

There are several aspects of Indophone that are interesting.

  • The provider lacks an official webpage. Although the domain indophone{.}in was bought, it has never had a webpage.
  • The provider got a /22 prefix suballocated in the name of Parveen Kumar (parveenkumar701{@}yahoo.com, indonetworks{@}gmail.com).
  • “Mr Andersan” uses the network 103.204.189.0/24, first announced by Ani Network and then transferred to Indophone.
  • One of the prefixes 103.204.191.0/24 has been moving across different ASNs after being assigned to Indophone Networks.

Indophone AS134946 uses Skymax Broadband AS132934 as DNS provider and peers with DevelentCorp AS139331.

Finding 5: Andersan used Indophone AS134946 in India for weeks to track whether the article was still online.

What is Indophone?

Indophone is an obscure Internet provider. Although it registered the domain indophone{.}in to kick off its ASN registration with IRINN, there has never been a webpage online.

The online presence of Indophone is mostly on Indiamart, a B2B marketplace in India. The company’s page claims that it was registered in 2012, but there are no signs of activity until late 2017. All details of the company seem bogus.


Finding 6: To find the identity of the person behind Johan Andersan we mailed Indophone and each of its peers. We finally got an answer from Indophone, but although we received initial responses from “Parveen Kumar”, he stopped communicating as soon as we asked for cooperation.

Parveen Kumar, Skype profile image

A new player enters the scene: Exclusive News Network (ENN) and Sharon Carter

One week after the initial request from Mr Andersan, the story took a new twist. Qurium received a new DMCA takedown notice for Maka Angola, this time from Sharon Carter, representing the legal team of ENN Media Pvt. The DMCA request from ENN referred to an article about Isabel dos Santos published by Maka Angola in 2017.

Mail from Sharon Carter, ENN.

The fake ENN website hosts a clone of Maka Angola’s article, backdated to 2017, in order to claim a copyright violation.

What Sharon and her team forgot was to backdate the images the article included. They happened to have been uploaded in November 2020. Whoops.

The fake (cloned and back-dated) article is available at: hxxps://exclusivenewsnetwork.com/2017/02/28/africas-richest-woman-set-to-face-charges-in-angola-over-embezzlement/

Fake (cloned and back-dated) article by ENN.

The original article, named Dams for the damned, was published by Maka Angola in April 2017.


The ENN Plot

Over the past years, the ENN website has been used to forge different media campaigns. The trick is simple: they clone and backdate the content they want removed and then file a DMCA copyright complaint claiming to be the original authors of the articles.

The images below show an example of a cloned article with the original source at: hxxps://www.timesofassam.com/international/ex-colonel-and-wife-of-da-of-bangladeshi-pm/

In WordPress, all uploaded images are stored in a folder called “uploads”. Images are sorted into subfolders based on the date they were uploaded (year). On ENN’s website, we can clearly see that images belonging to articles dated 1999-2020 were uploaded in 2019 and 2020.

Timestamps of the folders show how the pictures of the backdated articles were uploaded.
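The same check can be scripted: compare the date a WordPress permalink claims with the year/month of the upload folders its images live in. This is an added example, not Qurium's code; it assumes WordPress's default pretty permalinks (/YYYY/MM/DD/slug/) and default month/year upload folders, and the sample page and image paths are constructed.

```python
import re
from datetime import date

# Pretty permalinks carry the claimed publication date: /YYYY/MM/DD/slug/
PERMALINK_DATE_RE = re.compile(r"/(\d{4})/(\d{2})/(\d{2})/")
# Default WordPress media layout: /wp-content/uploads/YYYY/MM/file
UPLOAD_RE = re.compile(r"/wp-content/uploads/(\d{4})/(\d{2})/")

# Constructed sample: a permalink claiming a 2017 date whose body embeds one
# image uploaded in November 2020 and one uploaded in February 2017.
SAMPLE_URL = "https://news-site.invalid/2017/02/28/some-article/"
SAMPLE_HTML = """
<article>
<img src="https://news-site.invalid/wp-content/uploads/2020/11/photo.jpg">
<img src="https://news-site.invalid/wp-content/uploads/2017/02/old.jpg">
</article>
"""


def claimed_date(url):
    """Publication date the permalink claims, or None if it carries none."""
    m = PERMALINK_DATE_RE.search(url)
    return date(*map(int, m.groups())) if m else None


def upload_months(html):
    """Distinct (year, month) upload folders referenced by the page."""
    return sorted({(int(y), int(m)) for y, m in UPLOAD_RE.findall(html)})


def backdating_evidence(url, html):
    """Upload folders newer than the claimed date; empty means no evidence
    (also empty when the site does not use month/year upload folders)."""
    claimed = claimed_date(url)
    if claimed is None:
        return []
    return [f"{y:04d}/{m:02d}" for y, m in upload_months(html)
            if (y, m) > (claimed.year, claimed.month)]
```

An image folder newer than the claimed publication month is only evidence, not proof: a genuine article can be edited later and have a new picture added.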

Finding 7: Fake websites are used to clone the unwanted articles in order to file DMCA complaints (e.g. exclusivenewsnetwork{.}com).

Stan Russell joins the team

Just when we thought that Johan Andersan and Sharon Carter had given up, a character called “Stan Russell” showed up and sent a mail directly to Maka Angola.

Stan used the same plot as Sharon, simply swapping ENN for another fake news site called “Global News Scoop”.

Stan claimed that Maka Angola had violated his client’s copyright and referred to the (fake and backdated) article at https://globalnewsscoop.blogspot.com, the site used to clone and backdate the article.

Stan Russell
Address: 3287 Middleville Road
Los Angeles, California, 90017
Phone: 626-423-9040
Email: legal.stanrussell@gmail.com
Subject: DMCA Takedown Notice

To our surprise, this website was also used in the past to try to remove content related to Diamond Slavery from the Indybay website.

Conclusions

  • Three fake lawyers (Johan Andersan, Sharon Carter and Stan Russell) mailed us from Indophone networks in India, claiming copyright ownership of Maka Angola articles related to Isabel dos Santos.
  • The online service “whoreadme” is used to track the e-mails.
  • Two online media sites (globalnewsscoop.blogspot.com and hxxps://exclusivenewsnetwork.com) are used to clone and backdate Maka Angola articles and then file DMCA complaints.