How to Geolocate Mobile Phones (or not)

Wouldn’t it be cool to geolocate mobile phones? The following article will show you possibilities and limits when it comes to accurately finding the location of a mobile phone.

Last week I published an article explaining how accurate the geolocation of IP addresses is. This time, I had a look a cellular data and how a mobile phone is registered while roaming as well. If you haven’t read last week’s article yet, go have a look before you continue here.

Today I decided to go on a little road trip, because I wanted to show you what kind of data your mobile phone produces while on the move. So, I’m inviting you to follow me on a short trip to Austria. Keep in mind, that all data you will see here is not only visible to me, but also to my provider and could be visible to law enforcement or intelligence services, should they choose to track me. However, this data is nothing that can be easily obtained by random individuals.

The starting and end point of my journey was the train station in Steinebach. If you dial *3001#12345#* on your iPhone, it will open a developer menu packed with cellular data, including the actual cell you are connected to and the signal strength for this connection (among other things). Unfortunately, I forgot to take a screenshot when I left the train station. I did, however, take a screenshot upon return. In any case, the same cell served my phone both when I left and when I returned. As you can see, my phone was connected to the Mobile Country Code (MCC) 262, which is the country code for Germany, and the Mobile Network Code (MNC) 3, which is the code for the provider O2/Telefonica. That’s the network this burner phone is running on.

1

The most relevant piece of information is the Physical Cell ID (PCI). This is the identifier for the actual cell my phone was registered to. The only problem here is that the developer menu on my iPhone doesn’t give me the ID of the cell tower (or eNodeB/ENB in an LTE network) this cell was actually broadcast from. Whenever I am dealing with cellular data, one of my go-to sites is CellMapper. Here I can browse through information on cell towers on a map or search for specific data. Let’s have a look at what we can find with the MCC, MNC and PCI from my phone. After adding the information I have to the search panel on the right, a new popup opens and displays all the cell towers in the German O2 network that use the PCI 422.

2

Rather than clicking through all these results, I just zoomed into the map manually (since I of course knew where I was) and clicked through the nearby towers until I found the tower that broadcasts the PCI 422. Cell 2 of eNB 100396 is the one my phone was connected to.

3

The train station is in the top right corner of the highlighted cell. Keep in mind, that the full extension or reach of the cell may not be accurately displayed here. So now you have seen how cellular information can be broken down to a rough physical location. I could narrow down this location even more, because my phone also knows which other cell towers are providing a signal in the area and it is constantly measuring the signal strength. So, if I know the location of these other cell towers and I know the signal strength to each tower, I could use that information to triangulate a more precise location. But let’s not go that far this time.

If I am connected to a UMTS or LTE network (3G or 4G), the cellular network will also allocate an IP address to my phone. The accuracy, or rather non-accuracy, was topic of the last blog article. Nonetheless, I would like to share the IP I had when I left the train station at around 09:00 o’clock, to show you what happens with this IP during my travel.

4

Above you can see the IP address and the result from a query on the Geo2IP Precision database from Maxmind. Maxmind is one of the leading IP geolocating companies worldwide. According to them, this IP address was located near Munich in a radius of 50km. Nothing wrong here, the train station in Steinebach is within that radius.

I decided to drive to Neuschwanstein (the inspiration for the Disney castle) near Füssen and from there quickly cross the boarder to Austria. During this drive, my phone would constantly reconnect to new cell towers and new cells whenever the signal in the current one was too weak. More on this topic can be read here:

Every once and while I completely lost signal. Now the interesting thing is that my phone kept the allocated IP address throughout the complete trip. Steinebach and Füssen are roughly 70km apart (beeline), I had multiple cell and cell tower handovers and thus my IP in Füssen was the same as when I left the train station in Steinebach. As the IP hadn’t changed, the Maxmind geolocation also hadn’t changed and was now clearly wrong. You could wonder why I wasn’t issued a new IP when my phone lost signal or connected to new cells or cells towers. For the cellular network there was no need to reissue a new IP address, because I technically never detached from the network. And why should the network go through the hassle of constantly issuing a new IP, when reconnects to cells and cell towers might occur every couple minutes? Getting a new IP in such a frequency clearly would cause some troubles for the user, if connected to a website or service continuously throughout the travels.

A new IP will be issued whenever you turn your phone off or put in in airplane mode and then turn it back on. Switching it off or using airplane mode sends a so-called “IMSI-detach” to the network, letting the network know you want to log off and thus won’t be needing service anymore. Temporary loss of signal won’t cause that command to be sent. If your phone is offline for a longer period of time, the network will automatically detach the IMSI (which is basically your main identifier in a cellular network) from the network. However, each provider might define a different time span before detaching.

At 12:10 o’clock, I was sitting at the McDonalds in Füssen and still had the same IP. Just to be sure, I checked it using a different browser, I didn’t want to risk cached data messing up my results.

5

Out of interest, I switched on the airplane mode and connected to the wifi hotspot while eating my McFlurry. Again, I checked this IP and looked it up on Maxmind.

6

The IP issued to me by my cell phone provider still had me located in Munich and the wifi hotspot came out over 400km away (in the middle of a lake in the center of Kassel). And once I reconnected to the cellular network, I received a new IP address, which according to Maxmind was still in a 50km radius of Munich.

7

So much for the accuracy of IP geolocations. The cellular data (MCC/MNC/PCI) put in me the correct location again.

8

I finished my ice cream and briefly crossed the border to Austria. Just enough to connect to an Austrian network. While the cell data put me in the right spot on CellMapper, the IP I then received from my provider placed me even further away than before. This time instead of Munich, the IP was supposedly in a 50km radius of Nuremberg.

9

The IP range was also different than any other IP address that O2 had given me in Germany, so I assume that O2 has an extra IP range reserved for roaming connections. I switched to a different Austrian provider and checked again.

10

Okay, now I’m confused. I went from Munich to Nuremberg to Stuttgart. On the other hand, the information I found here could prove to be relevant. If my provider uses a different IP range for phones located outside of the home network (in a foreign country) than the IP range using for phones ‘at home’, maybe other providers do so as well. This might enable finding out if a mobile phone is located in country or outside, similar to what a HLR lookup can provide (not gonna explain this time, just google it). Remember that the results shown here might differ in other countries and with other providers. But once more, the bottom line is that geolocation based on IPs is not as simple and accurate as some of us might think and geolocations based on cellular data could get you quite close to your actual target. That is, if you have access to this kind of data, which I assume most of my readers don’t.

And now you also know how I spend my Sundays. Combining road trips through the beautiful Bavarian alps with my passion for OSINT. In any case, the trip was totally worth it: new insight on cellular roaming and of course this amazing view:

Neuschwanstein

Matthias Wilson / 12.07.2020

 

Geolocating Mobile Phones based on IPs

This article was written together with Nixintel and was published on Nixintel.info as well.

IP addresses feature prominently in digital investigations, but how useful are they for geolocation? The truth is that while IP addresses have many investigative uses, they can be quite unreliable as a precise geolocation method.

The limitations of IP addresses as geolocation tools are grounded in the technology itself. The current IPv4 protocol allows for the existence of just under 4.3 billion separate IP addresses. This was not an issue when the technology was designed in the early 1980s, but now the demand for IP addresses far exceeds supply.

To deal with this shortage, ISPs have developed several workarounds over the years. A reverse proxy server allows thousands of websites to share the same static IP address, for example.

Websites and services generally use IPs that are fixed, but if you’re reading this from your home internet connection then the chances are that you’ve been issued a dynamic IP address by your ISP. You might have the same IP address for a few hours or days, but ISPs constantly juggle and reallocate their IP addresses according to demand. The IP address you have today might be issued to someone else elsewhere in the country tomorrow.

With mobile IPs the IP shortage problem is even more pronounced. Whenever you connect to a 3G or 4G network, you are probably sharing that IP address with thousands of other users at the same time. Your IP address also changes very frequently on a cellular network, sometimes as often as every few seconds.

There is no real correlation between a physical location and a cellular IP address. IP addresses aren’t organised geographically in the way that old landline numbers used to be. It’s more accurate to think of them as being grouped by ISP and service type.

For more detailed information on this subject matter I recommend reading these research papers:

So what about IP geolocation services like Maxmind A little digging into their own data accuracy reports will tell you that we need to be extremely cautious about how much weight you attach to the geolocation information that they provide.

For example in Germany, Maxmind state that 83% of their IP addresses are accurately linked to their location – but only to within a 50km radius, and even then only with fixed broadband lines:

1

When we look at cellular IPs, the accuracy drops significantly. Only 38% accuracy within 50km:

2

The more specific the location, the lower confidence level. In Germany the confidence that a specific IP address is associated to a specific city is just 16%. In the USA this accuracy level is just 12%, with 73% of IPs being incorrectly resolved. So how much weight should you really put on the accuracy of a geolocated cellular IP if even the world’s leading IP geolocation companies have such low confidence of it being accurate to within 50km, let alone a single city?

This is not a fault of the GeoIP service providers. It simply reflects the fact that ISPs have no need to allocate IP addresses by geographic area, but instead allocate them according to network demand.

Yet it is common knowledge that mobile phones can be geolocated. A mobile phone connects to a cell tower, and as a matter of fact to all of the surrounding cell towers as well (at least to monitor the signal strength). Each cell tower has a unique ID. This ID can be picked up by several means, whether it is intercepting the radio connection between the mobile phone and the tower or by collecting information on one of the backlinks to the network. If the physical locations of the cell towers are known, a rough geolocation of the phone can be performed if of course you have the cell IDs. However, this can only be done (legally) by law enforcement and/or intelligence services. But is it possible to geolocate a phone based on other information than the cell ID?

Most mobile phones nowadays are constantly connected to the internet. We browse the web, we send messages through services such as Signal or WhatsApp and we check our emails and reply with our smartphones. Each of these connections will transmit an IP-address that has been allocated to our phone. On my normal computer, I could look up my IP address on sites such as IPLocation and it would show the approximate area I am located in. Of course, this only works if I am not using a proxy or VPN. Different databases might have slightly different locations, but as you can see in this example, I am located somewhere in the vicinity of Munich based on my IP address.

3

Just to put these locations into perspective, I plotted them on the map. I was located somewhere on this map while writing this article. Not really that precise, right?

4

That’s the landline I used, what about geolocating a phone based on the IP address? Getting the current IP address of the phone is not as easy as it sounds. Even if I were to receive an email sent from my target’s phone, chances are high that this would not include the originating IP address. Especially if sent from providers such as Gmail or Hotmail. How can we then obtain the actual IP of the phone?

Before you continue reading, a word of caution: The next step could be illegal in some countries and is very intrusive. It is definitely not something I would recommend as you have to actively engage your target. In this case I am just using the technique to prove my point.

I sent my target an email with a tracking pixel. Don’t worry, the target is one of my burner phones. I sent myself an email and opened it with my phone while connected to my provider on 4G (LTE). Tracking pixels, also known as web beacons, are used to figure out if a user has accessed content such as a webpage or an email. These trackers will provide information such as the access time and also the IP address from which the content was accessed. I used the site GetNotify to get a tracking pixel. Then opened the email with my phone. Here is the result:

5

As you can see, the tracking pixel sends back the time the email was opened, the user agent string for the browser on my phone and an IP. It states that this IP address is registered to Telefonica Germany, the provider this burner phone is running on. Let’s check the IPLocation site again:

6

Okay, we have Munich in there, but we also see other locations. Once more, I plotted them on the map.

7

I’m on here somewhere, but as you can see, two of the locations are quite a bit away from Munich. So apparently, the IP allocated to my phone by my provider seems to provide a very inaccurate location. One reason for this can be found in the 4G network infrastructure.

8

The IP address the mobile phone receives is a dynamic address allocated by the so-called Packet Data Network Gateway (P-GW). This is basically the exit node to the internet and the IP address is chosen randomly, coming for a pool of addresses. Each time you reconnect with the network you will receive a new random address from this pool, even if you connect to the same cell (for LTE eNodeB) again. There is no direct link between the IP and any other element of the network, such as the cell tower (eNodeB). Often, outgoing traffic from the P-GW will assign multiple registered mobile phones the same IP-address. While connections from a mobile phone will likely be handled by a regional P-GW, in my case the one physically located in Munich, it could also be registered to a P-GW hundreds of kilometers away. I spent an hour trying to find a friend that uses Telefonica/O2 as well and asked them to help me out here. I sent her an email with a tracking pixel. Here’s what came back:

9

This IP-address is supposedly located in Munich as well, my friend lives near Passau. That’s 170km apart! Keep in mind, all of this was done without any proxies or VPNs. Using a VPN will of course alter the results. Here’s my burner phone on LTE running through a Belgian IP:

10

In conclusion, geolocating a phone through an IP might give you the general area (if you are lucky), but just as with any regular IP address, it will not provide you pinpoint accuracy. I think geolocating landline IPs is actually more accurate than mobile phone IPs in most cases. Just keep this in mind for your future investigations.

Nixintel & Matthias Wilson / 05.07.2020

Saving Images from Google Maps and Street View

Ever wonder how to properly save a Google photo sphere image? Have you just been taking screenshots of them so far? Well, I have another solution for you.

During my investigations I often end up browsing through Google Maps and Google Street View. Besides the official imagery, Google allows users to upload their own 360° panoramic pictures, so-called photo spheres. These are georeferenced (most of the time) and can be found in the same way you access Street View. A while back I learned you didn’t have to pull the yellow dude onto the map and that you could just click on him. For more information on what you can do with Google Maps and where I actually learned the trick with the little yellow dude, just check out OSINT Techniques‘ great 10 Minute Tip on Youtube.

Now, lets assume we are looking into an area that doesn’t have proper Street View coverage. In this case I want to see if there any photo spheres in a small Syrian town just south of Idlib. I’m lucky and I can find three of them marked on the map.

1

By clicking on the sphere itself, it will open this individual image. Let’s click on the one furthest to the west (on the left).

2

Now I can change my point of view by pivoting the image and I can also see which user uploaded this image and when it was uploaded. So far, if I wanted to save a copy of this image I would take a screenshot (or rather multiple screenshots). However, there is way to gain access to the complete image and as a matter of fact to any image that is uploaded to Google Maps, including a larger version of the profile picture seen here.

For this, we need to open the developer tools in our browser. While it could also be done in Chrome or Chromium-based browsers, I prefer using the developer tools in Firefox. Just press Ctrl+Shift+C to access the developer console or you can access it from the Firefox menu (Web Developer/Inspector). It will then look like this:

3

I have the console located in the bottom half of the screen, the default value usually opens it on the right side of the screen. I’m not going to go into details on all the functionalities of this console, for more information check out Webbreacher‘s 10 Minute Tip on Youtube. I want to direct your attention to the network panel. Clicking on the network panel will show you all the queries performed when you access the page you are viewing. As you can see, Google loads several JPG files for the image displayed above.

4

Rather than viewing all the traffic, we could also drill down to just images. But again, watch Webbreacher’s video for more details on what can be done with web developer tools. I said Google was loading several JPGs; actually Google is just loading one JPG but defines what we see by subdividing the JPG into different sections. Each section is defined by basic coordinates, depending on where in the overall image this pic is located. By hovering the mouse over the entries, you can see which section it relates to.

5

Here we can see a 512×512 pixel excerpt of a larger image. The coordinates show where the section is located horizontally in the image (x-axis) vertically (y-axis) and how far we have zoomed in (z-axis/value). As you can see, hovering over the entry will also display the link to the image. By clicking on this network event, we can see further details in a new panel on the right and from here copy the image URL (I compressed the traffic view in the following screenshot).

6

The URL can then be opened in a new tab. But before I show you the results, let me alter the URL a bit. Instead of opening the image with the coordinate-extension (e.g. =x1-y0-z”), I’ll open the image with an extension that alters the size. In this case I will use “=s8000”, with the number 8000 being the number of horizontal pixels (Google will auto-adjust the vertical pixel-number accordingly). Fairly high quality photo spheres may even allow larger resolutions.

7

Now just right-click and download the image just as you would download any other picture. Here’s what I’ve downloaded, a 8000×4000 pixel complete photo sphere. This size will easily enable me to zoom in and have a look at further details.

8

Seeing that we can download images from Google maps this way, let’s try out what else could be downloaded in higher resolutions. Remember the icon of the Google user that uploaded this picture? It is possible to download this icon in a larger resolution as well, and in fact any other picture that this person uploaded. For that, let’s just look the user’s “Local Guide” profile by clicking on his username.

9

On the “Local Guide” profile you can finds reviews and further images. To access them and the profile pic, just click on an image and open it. Again we will access the developer tools and have a look at the network traffic. Hovering over the entries will give us a preview and we can quickly identify the profile pic.

10

Copy the URL and manipulate the extension that defines the size or erase this extension completely. Then it usually displays the image at a standard 512×512 resolution or the original resolution (if smaller than 512×512). This is especially useful for profile pictures of people, as the enhanced image might allow you to do a proper reverse image search.

11

The shown techniques will enable you to download any picture from Google Maps, whether it is a photo sphere or an image posted by a “Local Guide”.  If this is too much too read for you, I will be creating a 10 Minute Tip on this topic for OSINT Curious. You’ll find that on Youtube soon. Oh wait, I should’ve stated that to begin with…

Matthias Wilson / 01.07.2020

 

 

 

 

 

 

 

 

 

Using the WIPO IP Portal for OSINT

Conducting due diligence, business intelligence, competitive intelligence or just trying to identify a company logo through reverse image searching? The WIPO IP Portal might be able to help you out with those tasks.

One of my favorite sites when it comes to researching companies is the WIPO IP Portal. WIPO stands for World Intellectual Patent Organization and is an UN agency specialized on protecting intellectual property (IP) worldwide. Their Patentscope database allows you to search for patents, and they also incorporate (trade-)mark and design databases in this portal. Sometimes looking through this data will provide additional information on company affiliations or indications on upcoming products.

Let me give you a brief theoretical example. Your client has asked you to perform a pre-employment screening on the potential new head of research and development. Her CV does not show anything unusual, no past links to current competitors are noted here and the interview went quite well. When asked about any links to the competition, she denied having any. Using the WIPO database, an old patent is found in which she is mentioned as co-inventor together with a man that went on and founded a rival company in which he is still acting CEO. Whether or not any ties between the two still exist, is definitely something that should be discussed. This is just one example of how the WIPO portal can be used. Other areas are due diligence checks, business intelligence or competitive intelligence and even reverse image searching company logos.

Searching within the patent database Patentscope is quite simple. Once on the main page patentscope.wipo.int, you can query your search term worldwide. This could be the name of an individual, a company name or a specific product or keyword. The search allows Boolean operators such as “AND”, “OR” and quotation marks, just like you would use them in Google. Furthermore, the drop-down menu on the left allows you to choose the field in which your query is to be performed.

1

I decided to see which patents contain “OSINT”. As a result, OSINT is found in 77 entries. The list of results can sorted in various ways and foreign language content can be translated automatically (I’ll show that later).

2

Browsing through the results, I found a patent that looked quite interesting. A company named VERINT Systems Ltd. filed a patent to use social network analysis for target profiling. Maybe I can learn something from this patent. Clicking on the patent number will lead to the details of this filing.

3

4

We can see that this patent was applied for in Israel on 31.10.2011 (Application Date). By clicking on the tabs below the headline, you can access the description of the patent, the claims (what can this do?), any drawings that were filed with it and in some cases the original documents can be downloaded. VERINT Systems Ltd. is an American company founded by a former Israeli intelligence officer. Most of VERINT’s staff is working in Israel. That’s likely why this patent was registered in Israel. Had I not known that VERINT had Israeli roots, this patent could have been a starting point for further research into why the company registered it in Israel first. Another reason, next to the fact that most of their personnel is stationed there, could be that Israel is a primary target market.

Next up, I looked up “VERINT Systems Ltd” to see all the patents the company had registered. Among these was also the one previously mentioned, which had now been filed in the US as well. Such patents will include additional data regarding the preceding or original patent they are based on. The data field “Priority Data” on the bottom left is hyperlinked to the Israeli patent shown above. Furthermore, this patent also includes the name of the inventor, which we could also query.

5

As I mentioned before, the database will translate content in foreign languages automatically and allows you to choose which translation service you would like to use. This VERINT patent was filed in South Korea. By clicking on “Machine Translation” on top right, we can have this content translated. I picked Google translate in this case.

6

7

As you can see, using Patentscope could help you find out more about a company’s past and future activities, help you find people linked to the company and provide leads regarding their main area of operations. This database is basically a meta search engine, so always make sure to check to national patent registries too, as these might have current data that hasn’t been ingested into Patentscope yet. Researching patents is not all that can be done on this site. As mentioned in the first paragraph, (trade-)marks and designs can also be queried. For this, you have to click on the menu button in the top left corner and then navigate to “MARKS” or “DESIGNS”. Under “MARKS” use the “Global Brand Database”, under “DESIGNS” go to “Global Designs Database”.

2020-05-03 09_49_46-WIPO - Search International and National Patent Collections - Brave

The search for trademarks is quite easy. In the left tab (SEARCH BY), you can add filters to your query. I decided to search for an organization named UNITER that is (was) located in Germany. Underneath the SEARCH BY box, you’ll see the current query you have built. This system allows you to build very complex queries.

8

However, my favorite part is the integrated reverse image search. This can be found in the right tab (FILTER BY) under images.

9

You can upload an image here and adjust your search using “Pick a strategy” and “Pick an image type”. Hovering your mouse over the options will give you a brief description of what they do. I’ve uploaded an image and picked the “concept” strategy, as well as “nonverbal” image type (which means there is no text in my image).

10

I downloaded this image from the UNITER Facebook page. The first result is a perfect match. The image was registered by an organization in Switzerland. Those of you who know more about UNITER will understand why.

11

To sum it up, the WIPO database offers a lot of useful features for OSINTers, providing leads on individuals, companies, technologies and even a very powerful reverse image search for logos. I’m gonna go back to all the patents regarding OSINT, WEBINT and intelligence in general and start combing through them. Another case of OSINT on OSINT…

Matthias Wilson / 03.05.2020

Be careful what you OSINT with

There are lots of neat OSINT platforms out there to make your life easier. But how many of you vet the software before using it? Not every platform should be entrusted with sensitive data as this case reveals.

1

In January 2019 I was tagged on Twitter, asking for my input on an OSINT platform named Lampyre. Before I use any type of software, I try to vet it as good as possible. This includes OSINT research on the company, asking tech-savy people I know for their opinion and ultimately reaching out to the company itself. No one had really heard of the software at that time, no one was using it, and I couldn’t really find much background information online. I ended up contacting Lampyre and asking them where they came from, what their background was and a couple of other questions. Unfortunately, they only sent evasive answers. They wouldn’t even tell me which country they were based in. I tried the software on one of my VMs and tested it with fake or non-relevant data. To be honest, I did like what I saw, but I decided not to use it operationally. As time passed, I noticed that many OSINTers started using the software and decided to have another look into the company and people behind it. It turns out, I was right not to use this platform. Lampyre isn’t who they claim they are. I teamed up with several helpful elves (to be honest, they did most of the work) and we found some pretty disturbing information.

Lampyre is apparently made by a company in Budapest (Hungary) called Data Tower. The company itself was registered in February 2019 and the CEO and sole shareholder is Laszlo Schmidt. The original address used to register the company leads to a law firm and the phone number that Data Tower provides belongs to another law firm in which Laszslo Schmidt is working as a lawyer. This information points to the fact that Data Tower is merely a shell company. So, how do you we get to the people behind Lampyre?

Looking into their online presence doesn’t lead to any notable individuals either. Some of the names used, such as John Galt, are most likely pseudonyms or fake accounts. Since searching for people didn’t provide any leads, we decided to look into the traffic that Lampyre sends to its back end in each query. The queries contain a brief description on what is requested and apparently the local language used by the developers is Russian, as each description is written not only in English but also in Russian.

2

Why should a company based in Hungary use Russian as their local language setting? Of course, the developers could be Russians working in Budapest, but again something just doesn’t seem right here: an organization that shows signs of being a shell company, the lack of transparency when directly confronted and now indications that point towards Russia. Decompiling the software showed further Russian language embedded in the code:

3

While this was being done, more OSINT research revealed a person named Andrey Skhomenko. This guy posted Python modules for Lampyre on Github and knew about the product in March 2018, way before it was released to public in October 2018. Andrey is based in Moscow and used to have a LinkedIn profile as well (which has been deleted in the meantime).

4

According to his LinkedIn, Andrey worked for the Russian Federal Security Service (also known as FSB) in the past and is now working for a company called Norsi-Trans. Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government. It turns out that Norsi Trans also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).

5

The overall look of this platform reminded me of something I had seen before. Oh, that’s right! Both Lampyre and Vitok-OSINT have that Win95/Win98 appearance, not only in the network visualization, but also the software itself.

6

So far, this was just a gut feeling. Could anymore evidence be found that would link these two products and thus Norsi Trans and Data Tower? You bet? We pulled the certificates used by Lampyre and saw that they were registered in Russia and even more compelling: one of the certificates made a direct reference to Vitok.

7

This was the final nail in the coffin. Lampyre and Norsi Trans are in fact connected! While there is still plenty to be discovered, I think we have proof that Lampyre and Data Tower are not fully honest. And as everything you query in Lampyre is probably sent to Russian servers, I am happy I decided not to use this tool in my private and professional investigations. After all, Russia mandates decryption for domestic services.

Maybe Lampyre is Norsi Trans’ attempt to sell their software in the western world, maybe it is a rogue operation by a Norsi Trans employee (or a few). Although, I personally have doubts about that second theory. The software is quite powerful and receives regular updates. To create something like this, you’d surely need more than one person and having a rogue team within a company try to pull this off would surely not go unnoticed. What I find most interesting, is the fact that Andrey stated he had worked for the FSB. To put it in the words of one of my former colleagues: You don’t leave Russian intelligence services, you just change your cover and continue working for them.

Matthias Wilson / 23.03.2020

Using the Microsoft Video Indexer for OSINT

Working on a case in which you have to go through loads of videos? Wouldn’t it be awesome to just download the videos and have them automatically transcribed and indexed?

Imagine you are following a current event that is topic of multiple videos throughout the internet. In some cases, you might not have the time to watch each and every video yourself. Wouldn’t it be great to download all these videos into one database and have them indexed by spoken content, topics and even people that appear in the videos? And wouldn’t it be even better to be able to search for specific content in those indexed videos?

These features, and many more, are part of the tool-set that the Microsoft Video Indexer offers. Microsoft allows a trial account on this platform and it enables you to login with various different account types, among them also Gmail. Let me point out some aspects of this platform, that might be useful during OSINT investigations.

Let’s go back to August 2019. The G7 summit is taking place in France and we’re interested collecting information on this topic. This summit is all over social media and there is also quite some press reporting on it. We download videos from sources like Youtube. For this we can use Y2Mate. Either by copying the Youtube link to their website or by adding ‘pp’ to the original Youtube-URL as shown below. This will automatically redirect you to the site.

1

Remember, that we’re not just limited to Youtube videos. We can upload Youtube videos and any other video to the Video Indexer. It’s pretty self-explanatory, the only thing to be aware of is the video language. The default value is English. If working with videos in another language, I would advise manually adjusting the input language. I have come across issues when uploading longer videos. In case you come across problems here, trying splitting the videos.

2

Once the video is uploaded, it will be indexed by the platform and this is where the magic happens. Here are some of the features that are included in this process:

  • Facial recognition
  • Full transcript of the audio, including translations
  • Topic detection
  • Item/setting detection
  • Sentiment detection

Let’s have a look at one of the videos I uploaded:

3

The panel on the right has two tabs: insights and timeline. Under insights you will find an overview of individuals that were identified in the video and also recognized by the underlining facial recognition software. As you can see, a guy named Stefan de Vries was recognized and the bar below shows the sections in which he appears in the video (highlighted in black). It also links to Bing search results of this person. If a person is not recognized and indexed automatically, you can manually edit this.

4

Unknown #12 is in fact Angela Merkel. By clicking on the edit button on the top right, we can change the name. By giving the people the same name, they will be automatically merged. The following two insight categories index general topics discussed in the video and also label the scenes by what can be seen. Marking a topic or label will show the section in which this appears in the video. Clicking on that highlighted section will jump forward to that specific part in the video, which is always displayed on the left. Keep in mind, that these results are not always plausible. In my video, a scene showing Donald Trump starting to speak was labeled as toiletry (although some people consider him to be a douche).

5

Next up, named entities are extracted and the sentiment is evaluated. I assume the sentiment evaluation is based on the words used. Words such as good, great and awesome will likely lead to a positive sentiment rating. Remember that these words are not always used in the proper context by the speaker, so I usually ignore this feature.

6

Most of the data shown in the insight tab is based off the speaker transcription, which is displayed in the timeline tab. Although it works pretty well, you might need to manually edit some of the data. In this final sentence shown here, I manually edited something.: instead of “my Chrome”, the speaker said “Macron”.

7

Looking into a video in a foreign language? In this case you can use the translate function to make it (kind of) readable. Just click on the world icon and choose the output language and the complete text will be translated.

8

So, we’ve uploaded a few videos, manually edited a few things and now have a fully indexed database of videos to run queries on. Going back to the main page of your profile, you will be able to search for anything that has been indexed: text, keywords, people and labels.

9

Searching for “Trump” will display the search results and categorize them by result types, as they are listed above the search results. This is just an excerpt of all the results, but you can see that a person, spoken text, a named entity and even written text were found. Written text? That’s one point I almost forgot. The Video Indexer also OCRs written text in videos.

10

That was just a brief overview of the possibilities of Microsoft’s Video Indexer. I think it can be useful for some OSINT investigations and if you really think about using this more intensely, you might want to consider upgrading to a paid account.

I was actually thinking about uploading talks from conferences, so I could create a database in which I could query specific OSINT topics without having to watch the complete videos. A TL;DR for videos 😊

Matthias Wilson / 08.03.2020

How to Troll a Nigerian Prince

Have you ever received an email from a Nigerian prince? Why not answer for a change and see how things unfold.

Inside an Advance Payment Scam

Boy, I am lucky. Steven Richards, a regional director for the UBS bank just informed me that I am entitled to over 16 million pounds. Steven sent me the information in German from a Hotmail account, as he explained that he was doing this without the knowledge of his employer. It turns out that I am the last of kin of a UBS customer who recently died with his entire family. At first, I was devasted. Losing relatives is always hard and I didn’t even know them. After a brief phase of grief, I decided to claim my inheritance and answer to Steven. Of course, we all know that none of what is stated before is true. It is part of an advance payment scam. I decided to play along and see how far I can get in this scam.

I knew at some point I would have to present identification, so I googled pictures of German IDs until I found a picture that might do the job. Around this ID, I created a fake persona: Thomas, a 65 year old retiree that speaks very bad English. I created a new Protonmail account bearing his name and replied to Steven in German. Not even an hour later did I receive the answer, even though he obviously never sent an email to this account. This time the email was in English. As my alter ego Thomas didn’t understand much of what was written, he decided to call Steven (Steven provided a phone number in the initial email). The phone number was a virtual phone number registered in the UK. This was start of many interesting conversations between my fake persona and the scammer known as Steven. For starters, Steven didn’t sound British at all. He had a thick central of western African accent. I gave Thomas a thick German accent and Steven took the bait. Steven explained that I would need to send a letter to UBS making my claim to the 16 million pounds. While we were still on the phone, Steven sent me a pre-drafted letter that I only needed to sign and send to the an UBS email-address he provided as well. I found a signature from the person I modeled my fake persona after on Google, “signed” the letter and sent it. Needless to say, the email address wasn’t really one belonging to UBS.

1

Afterwards, I called Steven again just to make sure I was doing things right. He told me that I should forward him all emails coming from the bank, so he could process them and give me further instructions. Immediately after our conversation, I received a reply from UBS. Almost, as if Steven had sent it himself 😉

2.png

I forwarded this document to Steven and he said he would take care of the first three things on the list, while I was to provide him with my banking details and a copy of my ID. I was also asked to pay about 60,000 pounds to Steven and his lawyer, so they could prepare the death certificate, will and affidavit that I obviously didn’t have. I sent him bank account details for an account that is used in another scam (fake invoices) and a copy of the ID I had based my fake persona on.

3.pngBy the way: Google could have warned Steven that something wasn’t right with Thomas…

In the next phone call, I told Steven that the money I had wasn’t on my account since it was dirty money. I had obtained it through tax fraud. Clearly, Steven wasn’t amused about this and we had several phone calls and emails regarding the topic.

4

Eventually, he accepted this money and I told him I could go to the bank and try to transfer the money. For this, he requested a payment receipt as proof that I had sent the money. Steven called multiple times to make sure I was going to the bank. As with the ID card I googled and all the other fake documents I sent Steven, I quickly made a fake payment receipt without putting too much effort into it. To be honest, I was surprised that Steven was still taking me serious after all the obviously fake information I sent him. He didn’t seem to be the smartest person.

5.png

Upon sending the fake payment receipt, I called and told him that I could only transfer 10,000 Euros a day and that I would have to go back the next to transfer another batch. Steven seemed very satisfied and called back the following day, asking if I had already made it to the bank again. Again, he showed no signs of suspicion and was eager to receive the money.

Payback Time

So far, I played along and made the scammer think he was receiving money. During this, I unraveled additional email addresses, the bank account he used and received copies of the documents he created for this scam. Steven was happy as can be, assuming lots of money would soon end up on his bank account. It was time to give Steven a little something to think about.

While my alter ego, Thomas, was supposedly on the way to the bank to transfer the next batch of money, I used Emkei’s Fake Mailer to send Steven a fake email from Interpol.

6

One hour later, I called Steven again. This time posing as a special agent working for Interpol. I told him that Thomas was arrested upon trying to transfer money to a bank account that was linked to African terror groups such as Boko Harram. I could clearly hear the fear in his voice and he demanded to speak to Thomas.

In the next phone call, I switched between fake personas (special agent John and Thomas) and made Steven believe that Thomas had been arrested while visiting the bank a second time. To make things more believable, I used various different background sounds (thanks to Youtube) during all these conversations. Thomas was also crying on the phone when speaking to Steven. All of this really freaked Steven out and he denied having anything to do with this. Eventually he stopped answering phone calls, but he did still answer to emails sent to him. I was having so much fun, I pushed it a little bit to far. However, I finally got to use a phrase I’ve been waiting to use for a long time.

7

Aftermath

After a while, Steven wouldn’t reply to emails any more. Two days later, I wanted to log on to the Protonmail account I used in the case to go through the mails again before writing this blog article. It turns out my account had been suspended for apperently being part of an advance-fee scam. According to the Protonmail team, someone reported my account and provided them with messages as evidence (since Protonmail can’t see the content of emails).

8

To be honest, I find this hard to believe. The person that was so stupid and was fooled with cheap photoshopped images, an outrageous story and multiple fake personas (that all sounded alike), then reported my account to Protonmail and provided evidence? To me, it looks like something else triggered this…are we really sure Protonmail can’t read the content?

In any case, I sure did have fun trolling a scammer and while doing so, I did many others a great favor. Spending time interacting with me left less time for Steven to interact with people that might have actually fallen for this scam. And, it sure is a nice story to tell!

Matthias Wilson / 26.01.2020

My First Professional Social Engineering Job

Can you remember the first time you manipulated someone to give you information? The first time I used social engineering professionally to obtain information resulted in loads of pics of cool fighter aircraft.

This week my digital photo album made me aware of some pictures from a deployment in Afghanistan exactly 15 years ago and reminded me of one adventure I had while trying to obtain information on a specific air traffic control radar.

Why is this adventure still relevant to me so many years later? Well, back then I was in a Signals Intelligence (SIGINT) unit, but this task required some Human Intelligence (HUMINT) skills. Or, speaking in civilian terms: Social Engineering. It was actually the first time I had directly gathered information from a conversation with my intelligence target, rather than relying on communications being intercepted. While I had quite the experience stepping into other characters in my free time (these are stories more suitable for a night out), I had never before tried this in my professional career.

A lot has been said and written about successfully manipulating people to make them give you information or allow access to restricted areas. For me, the most important aspect is the ability to read other people’s emotions and sentiment towards oneself and to anticipate their reactions. I think it is much like a game of chess and whoever plans several steps ahead, will be in control. To achieve this, I have learned that it is important to have your counterpart feel comfortable and give him or her the feeling that they are in control of the situation at all times. Last but not least, you should always have a good cover story, or pretext. Instead of going on about the methodology of social engineering in theory, I would just like to share my adventure with you.

In January 2015, I was stationed in Kabul (Afghanistan) with an electronic warfare detachment. Our parent unit back in Germany was in charge of monitoring radar systems worldwide, as part of their Electronic Intelligence (ELINT) mission. They had a large database in which they gathered information on all types of radars. Not only those used by potential adversaries, but also from allied nations. One day our detachment was asked to travel to a nearby US airbase, because a new air traffic control radar was apparently installed there. If possible, we were to take a picture of this new system, which would then be uploaded to the database. This should be a simple task. Fluent in English, I was asked to join this “mission”. After driving for about an hour, we arrived at the airbase and soon noticed that there was no way to get a clean shot of the radar system. Of course, it was located on the flight line. I knew we couldn’t just ask to see that radar system, as itwould seem a little bit too suspicious, and I also knew that “sightseeing” tours of the aircraft were fairly common. There actually is a German word to describe this: Gefechtsfeldtourismus.

One of the guys with us was an old German air force sergeant major and I came up with a pretext that might enable access to the flight line. We walked up to the nearest security office at one of the gates and I stepped into character. I introduced ourselves as a German patrol, which just happened to visit this air base in order to go to the PX and that my sergeant major was command sergeant major of a German fighter squadron back home. Obviously, I couldn’t state we were part of an electronic warfare detachment. And as it was the sergeant major’s final deployment before retirement, we kindly requested to get him one last look some of some the aircraft. A plausible (and made up) pretext, a direct and firm request and most important: leading this conversation with a friendly and calm demeanor. After all, a smile can open doors.

Soon afterwards, a young A-10 pilot showed up and gave us a full flight line tour. We had achieved step one and gained access to the flight line. We spent the next half hour of so walking around, taking pictures and acting like tourists. Now step two: get some pictures of the radar and possibly some additional information on it. In order to achieve this goal, I switched characters. While I was very serious, yet calm and friendly, to get inside, I was now the kid in the candy store.

What’s that? Can I look at that? Gosh, that’s cool.

I wanted it to appear as if I had no idea what everything around me was, so that when I asked questions it would seem like I was asking more out of personal interest than having a professional agenda.

Is that the control tower? I bet you have a great view from up there!

This got us into the control tower. It was manned by two civilian contractors who never really received any visitors. After all, most people would go have a look at the aircraft. Again, I was the kid in the candy store, asking many questions. The guys felt flattered that someone was interested in their work, they felt like they had the upper hand and ultimately shared a lot of information. I pointed to the radar.

What’s that green thing with the revolving dish?

From there on, I got a full briefing on my actual target. Frequencies, ranges, current issues and some more technical gibberish. Lastly, a couple of close-up pics as well. While many of you may think this was just a fun adventure, it was actually hard work. I had to memorize what I had heard and thus stay concentrated while remaining in character. I couldn’t take notes and I couldn’t record anything. I think this is one of the most challenging aspects of any social engineering attempt. Memorizing new information, while trying keep your pretext in mind.

After one and half hours the tour was finished. Personally, I got some awesome pictures of the aircraft, Professionally, I accomplished the mission. The information I had collected and the close-up pictures of the radar system were reported to our parent unit and they were quite surprised.

How did you get all this?

I just asked friendly 😊

BAF2015Gefechtsfeldtourismus

Matthias Wilson / 14.01.2020

The Impact of OSINT on Christmas

Proper intelligence is vital to prepare military and law enforcement operations or to provide information to political and business leadership prior to decision making. However, these are not the only people relying on good intelligence to get the job done. I had the honor of interviewing a very special person on his views of intelligence and how his organization utilizes it for one of the most challenging tasks known to mankind.

Sir, it is such an honor to have you here. Tell us a little about yourself. What exactly is your job and how does it involve intelligence work?

I go by many names, but please just call me Santa. I am in charge of a large organization tasked with bringing joy and fun to children worldwide on Christmas Eve. While I’m pretty sure you all know what I do during the Christmas night, not many people know what happens prior to this.

My organization and I have roughly 24 hours to deliver presents to children who deserve them. In order to accomplish this, a lot of planning is necessary and this planning is based on the information I receive from an intelligence agency within my organization. In Santa’s Secret Service, or S3, we mainly conduct GEOINT along with OSINT to make sure everything runs smooth on that one special night. Oh, and don’t confuse us with the Amazon web service.

Santa, while most of my readers are acquainted with terms such as GEOINT and OSINT, could you please explain what they are and possibly provide a use case from your organization.

Sure. I only have a limited timeframe to make sure I deliver everything to the right address. The route I take has to be carefully planned. The number of children on this world is steadily growing, more deliveries leave less room for mistkes. Even though my sleigh travels at an incredible speed…

How fast and how does that work?

I’m afraid that is classified. In order to properly plan the route, I rely on precise satellite imagery and maps. Imagery and maps from search engine providers are not up to date and commercial satellite imagery is not detailed enough. Keep in mind, my team has to figure out the best way into a chimney. We need a resolution of less than 0.3m to do so. Before Christmas, my sleigh is outfitted with an ultra high resolution imaging system and flies several sorties. While the actual collection of the imagery does not take that long, creating maps and the final route based on this is a bit more time-consuming. The whole process I just described is referred to as geospatial intelligence, or GEOINT.

Wow, that alone is probably a large amount of data collected each year. How do you process such massive amounts of data?

We have our own server infrastructure at S3. Located in vicinity of the North Pole, our energy consumption is lower than usual, because we have a natural cooling system.

 What happens after you have mapped the world?

I forgot to mention one thing. In order to plan the route, we need to know who will receive a delivery. Luckily, I have information on the address of each child from a classified source. But, does this child even deserve anything? We have to figure out who was naughty and nice. A lot of this is done through open source intelligence, or OSINT.

While we could use classic signals intelligence (SIGINT) to tap into communications and try to answer the question who is naughty or nice, we have found that OSINT provides the best “bang for the buck”. S3 has a very large team of OSINTers, who mainly monitor social media activities.

What exactly is your team looking into?

My OSINTers start off looking into profiles of the children, but not only to see how they behave. Depending on the region they live in, the platforms they use will differ. From Ask.fm to Weibo, there are many differnt sources to look at. We have seen TikTok blow up over the past months, but we also still obtain a lot of information from “older” platforms such as Facebook and Pinterest. These platforms also provide leads on the interests of our targeted subjects, which enables my organization to match them with the perfect present. We not only look at the children, but also monitor profiles of their family and friends, since relevant information is hidden here as well. As you can see, this is all a very deep intrusion into personal privacy. Therefore, we have very strict rules on how to handle this data, a massive auditing and compliance system and constant trainings for my team. If you thought GDPR was challenging, you wouldn’t want to know how much effort we put into protecting the privacy of our subjects!

Many children nowadays are active in closed communications, such as messengers, or they have restricted public access to their acounts by changing their privacy settings. How do you cope with this?

There are two different approaches we can take here. The first one is what you would call virtual HUMINT, or VUMINT. We try to place someone within a closed chat group using a false persona. For example, a group of friends has a WhatsApp channel with 20 participants. Using OSINT, we create a sock puppet credible enough to be invited into this group. In cases in which this works, we then can then instantly monitor 20 people. Of course, such actions are subject to much stricter rules and regulations that normal OSINT and are not performed often.

The second approach would be a classic computer network operation, or “hacking” an account. This is very rarely done and the methods and techniques are highly classified.

What about children who don’t have access to modern communications?

In this case, we rely on classic human intelligence, or HUMINT. Throughout the world, we have a network of sources directly providing us information. A lot of this is hearsay, so we try to confirm information with other sources before processing it. This actually also applies to data won through OSINT.

However, I would like to point out that at the end of the day we will never gather everything on everyone. Have you ever wondered why a spoiled and misbehaved child you knew received a nice present anyway? No matter how much effort we put into intelligence collection, there will always be a delta between what information is out there and which information we have obtained. I think that is the nature of intelligence work in general.

Circling back to OSINT, how does S3 ensure that they are up to date on new tools and techniques?

We do OSINT to enable OSINT. Of course, we follow #OSINT on Twitter and we also have someone monitoring osint.team as well as various blogs such as osintcurio.us and your blog.

Wow, I’m honored to have made it on S3’s reading list. I know you are quite busy, so we can wrap it up here. Is there anything else you would like to add?

Merry Christmas, happy OSINTing and I wish you all the best in 2020!

cropped-desktop-2.png

Matthias Wilson / 22.12.2019

Car Spotting and OSINT

Looking for specific car? Next to googling it, you could try a car spotting site to find pictures that might provide further leads for your OSINT investigations.

A while back, @Wondersmith_Rae wrote a great article on maritime OSINT. In this, vessel tracking sites were mentioned, which allow us to identify ships and monitor their movements. Wouldn’t it be neat to have something similar for cars?

While we will never be able to track and identify cars just as good as we can track large ships, this article will provide some useful hints that can help with OSINT on vehicles. But which data is relevant when researching cars and motorcycles? As most vehicles are mass-produced, research based solely on the manufacturer, model and color might be a bit challenging. So, we will need unique identifiers such as the VIN or license plate.

The VIN, or vehicle identification number, is a 17-digit code which is assigned to every vehicle when it’s manufactured. The are several paid databases that will enable looking-up a VIN and retrieving information on the vehicle and possibly its history. If you don’t want to spend money, just try googling the VIN. Since it is so unique, you probably won’t receive a lot of results and thus not many false positives.

1.png

One of my favorite free sites to obtain information on VINs and vehicles in the US is Poctra. This site crawls the web for salvage vehicles and archives all available information and pictures. Let us see what Poctra reveals on the VIN I had googled.

2.png

High-res images, the location of the auction, mileage and sometimes even a license plate. There are plenty of pivot points to conduct more OSINT here.

If we have a license plate, and the car is something a car spotter might take interest in, we might find images of it on various car spotter websites. Next to PlatesMania, my favorite site is Autogespot. Both allow to search by license plate.

Enough theory, time for a practical example. Arsenal London football player Pierre-Emerick Aubameyang was often seen with a Ferrari LaFerrari. Even though he lives in London, this vehicle does not carry a British license plate. A great repository of license plates can be found at World License Plates, in case you have to figure out which country the license plate originates from first. It turns out that Aubameyang’s Ferrari is registered in Germany. His license plate is AIB-Q 1414. Let us see if we can find this car on Autogespot.

By clicking on “More Filters” on the top right of the website, we can define our query.

3

This leads to several results, each containing multiple high-res images. Not all images are publicly accessible if you are not a paying member of Autogespot, but there is a workaround to retrieve the pictures hidden behind the paywall. We’ll get to that in a minute.

4.png

The top left entry shows that Aubameyang’s Ferrari was spotted in London on 21 September 2019 and that this sighting contains 10 pictures. The spotter also links his Instagram account, which might lead to further images. So, make sure you always pivot your investigations to these additional profiles as well.

5.png

6

Sometimes, we can retrieve the other pictures from Autogespot even without paying for a premium account. Just copy the URL of the page you are on and query it in Google.  Then have a look at the image results. Here are the other nine images:

7.png

The information we now obtained is once more useful as a pivot point for further investigations. Maybe we can geolocate the exact location the vehicle was parked at and thus know where Aubamayeng was on 21 September 2019 after lunch. Maybe these pictures could provide evidence that a vehicle was damaged prior to a current insurance claim. There are many reasons why tracking and identifying vehicles may be useful. When researching license plates, keep in mind that a simple search engine query or query within social media might also lead to results. In our case, it leads us to results on Twitter, Instagram and press articles, next to the car spotter sites we have looked at already.

8.png

There are plenty of other platforms worldwide that track vehicles and allow queries by license plate, another one of my personal favorites is Nomerogram (Номерограм) in Russia. This site not only displays luxury cars, but also every-day, ordinary cars. I guess this is related to Russian’s love of dashcams, resulting in a massive amount of video and imagery on all kinds of traffic participants.

9.png

With the techniques and sources shown above, a vehicle can be manually tracked to a certain extent. This tracking, however, will rely on geolocating the image. To practice this, I recommend participating in the @quiztime geolocation challenges on Twitter. In a future blog article, I’ll look at Wigle and see how this platform could help track cars as well.

Until then, have fun looking up exotic cars on the aforementioned sites. That is, unless you prefer going through pictures of banged-up, rusty Ladas on Nomerogram. Hey, I’m not judging!

Matthias Wilson / 07. December 2019