Disclaimer: This exercise is for educational purposes.
Part of what makes my job particularly fun is my ability to freely dive into the internet to understand why people do what they do. Call it detective work but on a corporate level. What I’m about to describe is what happens when I become slightly fixated on things that I know are inherently bad but don’t care enough to warn others about. In this case, it’s MLMs. MLM stands for multi-level marketing, which in many cases is a legitimate sales strategy, but after some digging, my cousin joined a straight-up pyramid scheme. This leads me to a lesson on recon, or reconnaissance. Remember that term? If not, check out The Cybersecurity Industry: That’s Not the Mainframe.
I was aimlessly perusing Facebook when I stumbled upon my cousin posting something along the lines of, “Hey Boss Babes! Message me for a remote online opportunity that can earn you extra income!” My cousin, let’s call her Amanda, is a stay-at-home mom with a cute little 1.5-year-old attached to her hip. Knowing that money’s a little tight for folks across the board, I assumed she stumbled upon this “opportunity” by word of mouth or by trying to find flexible WFH jobs that allowed her to still be present in her child’s life. To provide more context, the post was long, yet vague enough, with phrases such as, “Build an online business while working as many hours as you want!” and, “Looking for healthcare workers who are looking for side hustles…,” you get the gist. This detail is important, so keep it in the back of your mind.

Frankly, I don’t give a rat’s behind as to why Amanda joined the organization, but I just had to know what the organization was. So that’s what I did. I combed through Amanda’s Facebook profile and found that she had a webpage (a poorly designed one at that, probably from some old HTML template her new “company” provided her), and the webpage described the same hollow message: Reach out to me for more information on how to make money.
I didn’t want to give away my e-mail(s), so I made up a fake one and signed myself up to see how far I could get. The website then redirected to a recorded online workshop full of “testimonials” from others who had signed up. When I received the welcome e-mail, it was even more of the hoorah crap, but I noticed an address at the bottom of the e-mail. The address led straight to a random building in Vancouver, but the other links sent you to YouTubers and articles exposing two men and their MLM scam, which encourages users to pay a $149 fee to sign up and gain access to business strategies, “automation tools,” and a network that could supposedly help them build a successful business.
This search led to others trying to sell the same dream on their own crappy websites, and since each website was copyrighted under that individual seller’s name, you couldn’t tie any liability back to the original two men who started it all.
By now, there’s enough data I could use to do one of the following: hack my cousin, or hack these two men. I extended my research on the two men and found that they (or at least one) were members of the LGBTQIA+ community, liked to travel, and recently visited a vineyard somewhere up in Canada. Since they’re both accessible via Instagram, e-mail, and LinkedIn, one could potentially send a phishing campaign to them, posing as someone interested in learning about their business or an angry former “colleague” threatening them with legal action if they didn’t sign some unassuming web document.
After hours of digging through profiles and links to these two men’s associates, I realized that a majority of their targets are middle-aged women, and in Amanda’s case, stay-at-home moms (how unoriginal). Remember how I said Amanda’s post targeted healthcare professionals? This is purely speculation, but after paying the $149 fee and taking the “mentoring” phone call, she was probably told that she needed to see who her Facebook network was composed of. Since she’s Filipino and a majority of her family members worked in the healthcare industry, she was convinced she could make some pocket change by getting some of our cousins and cousins’ friends to sign up. Et voilà, your pyramid scheme continues.
This was a simple exercise to show you how much information I gathered by performing recon on three people. A standard black-hat hacker could dive much, much deeper into things such as family members, former addresses, former employers, and anything else online.
After all this, I don’t feel compelled to tell Amanda that she probably fell for a scam. However, I was reminded that we humans are our own greatest weakness and that people can exploit that vulnerability. Keep a watchful eye, folks, or you might just be the target of a brand new sales opportunity.