Red Flags on Other People’s Facebook

How an animal testing lab almost hired an animal rights activist. Thankfully, the internet never forgets and this useful circumstance led to a key finding that prevented the hiring.  

Selling pre-employment screenings to clients in Germany is quite challenging. Many companies have concerns regarding data privacy (GDPR), others do not see the value of such background checks, especially in a tight labor market where precious few qualified candidates are available. Nonetheless, the results of hiring the wrong person can be devastating. Corporate espionage, sabotage from inside, reputational damage; these are just some of the dangers that companies might run into. Although pre-employment screenings alone will never fully avert these dangers, they might at least provide indicators on security and integrity risks.

I was tasked with the following pre-employment screening last year and I would like to briefly describe the methodology that led to a key finding.

A pharmaceutical company was in the process of hiring a new laboratory assistant in the department responsible for animal testing. The final candidate agreed to a background check. I received his CV and started my research. For the sake of simplicity, I will refer to the candidate as Stefan.

Stefan did not have any notable social media presence, nor could I find him in press or media archives. Replies that I received from his former employers and his alma mater backed the claims in his CV and were full of positive appraisal. I could have stopped here, but I choose to take a closer look at Stefan’s social surroundings. While Stefan was not on Facebook, he did have an inactive profile on a German social media site called StayFriends. This site enables people to connect to former classmates. Users are categorized and linked to each other via their graduation classes.

1

The picture above is not related to the case and just gives an overview of StayFriends. On the left I have chosen a school, the middle section lists each graduation class (by year) for that particular school, the right panel lists all user profiles for a specific class. Another interesting aspect of StayFriends is that most users post their birthdate and year openly, thus proving another breadcrumb to follow.

Stefan’s graduation class of 2011 had roughly 15 profiles listed, most of them with a profile picture. In some cases, classmates had married and their profiles included the maiden name as well. I was able to find most of the classmates on Facebook and started looking through their profiles using IntelTechniques to “dissect” each Facebook profile. Since Stefan was not on Facebook, I assumed the greatest chance to find him would be in pictures. I concentrated on pictures posted by his classmates from the time around the graduation (plus/minus 2 years). For this, I mainly used the following queries: “Photos By User, “Photos Of – Tagged”, “Photos Interacted” and “Post by Year”. Given enough time, I could have used other queries as well. In my case, these seemed to be the most promising.

2.png

A profile belonging to a female classmate had multiple links to animal rights organizations such as PETA. Going through this profile, I actually found old pictures that included Stefan. Luckily, his appearance was distinct and had not changed much over the years. The pictures showed the then young Stefan and his classmate at a demonstration organized by an animal rights organization. This was exactly the type of red flag that Stefan’s current employer would certainly not be happy with.

We obviously change as we grow older and maybe Stefan changed his views on animal testing. My client discussed the issue with Stefan and it turned out that Stefan was reluctant to renounce his old stance against animal testing. Stefan was not hired and this background check truly proved to be worth its money.

Matthias Wilson / 12.04.2019

Intelligence Collection on the Train

Sometimes I miss my SIGINT days: Listening into my target’s phone calls and getting juicy intelligence out of this. However, you don’t always need SIGINT to eavesdrop on interesting conversations.

The company that I work for offers a broad variety of security products. When it comes to securing valuable data and information, most of our customers rely on technical solutions. However, the best firewalls and security suites will not help, if information is continuously disclosed outside of hardened IT-environments by careless employees. As a former SIGINTer I was always astonished about how much information my intelligence targets would openly share over non-secure lines. Now that I left SIGINT behind, I still have the chance to eavesdrop on conversations every once in a while.

I have a one-hour commute to work each day and the time I am on the train has proven to be a valuable social engineering and OSINT training ground. Two weeks ago, I was sitting on the train when a gentleman sat down next to me and immediately started making phone calls.

1https://unsplash.com/@jcgellidon

The second phone call went to a woman named Kelly Adams. I know this because I could see her name on the screen of his phone. I could hear everything he said and since his volume was cranked up, I could also hear parts of what Kelly had said. Curious as I am, I immediately googled Kelly. Based on what I had heard, I could narrow it down to three individuals. One woman working for a large German defense company and two others in IT firms. The topic of the conversation was a pretty significant retention bonus that Kelly would receive, if she decided to stay with the company and move to Munich. It turns out the company was currently relocating its headquarters to Munich.

As soon as the gentleman ended this conversation, he started writing emails on his phone. Again in plain sight and did I mention that I am very curious? It turned out his name is Andreas Müller. Searching for the combination “Kelly Adams” and “Andreas Müller” led to the exact company. Dr. Andreas Müller was the head of the research and development department of a large German defense company and Kelly was one of the leading project managers for a specific branch. I did not need any sophisticated OSINT skills here, a simple Google query and LinkedIn search was enough. Dr. Müller then sent the details of the retention bonus to someone named Alfred, whom I assume was in HR. If I would have been working for an opposing company, I could have easily used this information to counter the offer Kelly received. But wait, it gets even better!

Next up, Dr. Müller opened spreadsheets depicting the budget of certain projects. Dr. Müller was sitting on my right and I held my phone to my right ear, simulated a conversation and managed to get a couple pictures of his screen. As of now, I had seen enough and it was time to approach him.

“Excuse me, Dr. Müller. May I ask you a question?”

You should have seen the look on his face. Surprised and shocked, as he was clearly not expecting this. I asked him if the conversations and the emails he had looked at were sensitive. I told him what I had picked up from his conversation with Kelly and showed him a picture of the spreadsheet. Still shocked, he did not really know how to react. I explained my line of work and handed him a business card. Dr. Müller can consider himself lucky, usually I charge customers for this kind of consulting and I think he learned a valuable lesson.

Remember: No matter how good your cyber security measures are, the most important aspect is minimizing human error and taking security serious at all times. I have often read that there is no patch for human stupidity. I do not agree and I am sure that Dr. Müller has been “patched” after our train ride.

I guess I never will be able to let the SIGINT side of me go. I just love eavesdropping in on people, so be careful what you say in public or on your phone, you never know if someone is  listening!

Matthias Wilson / 26.03.2019

The Nigerian Prince from South Africa

Great, another Nigerian prince in your inbox. Instead of deleting it, why not answer for a change. I did and it turned out to be quite interesting.

Last week, I received my first Nigerian prince scam mail (also known as 419-scam) in German. I assume someone put a lot of work into this, so I thought I would answer. Although the message was apparently sent from jefaturaestudiositurbi@valencia.es, I was to reply to wong.shiu@accountant.com. This email supposedly belonged to Mr. Wong, the banker who was handling the case.

Let us have a look at the message header first, before answering.

1

Even if I would have answered to jefaturaestudiositurbi@valencia.es, the email would have been sent to wong.shiu@accountant.com. I assume the email was not actually sent from the @valencia.es domain in the first place and that this was just used to bypass my spam filter. Next up, I wanted to see if I could find any leads to where the email was sent from.

2

The initial ‘Received’ entry in the message header points to a South African IP-address belonging to a mobile provider. It also appears to have been sent through a Huawei 3G/4G WiFi router.

Next up, I set up a new Gmail account to communicate with this Nigerian (South African) prince. Sure enough, I received an answer within minutes. The reply contained additional information regarding the deal and was clearly a very bad Google translation of an English text. Again, this message was sent from the same IP-address. We emailed back and forth several times until I was asked to provide some ID, an address and a phone number. So I did.

3.jpg

Apparently, Mr. Wong thought this was funny as well. For the first time I actually received a response that was not just copied and pasted from a pretext.

3-1

“You dey gather my fmt” – This actually translates to: So, you are one of those guys that collect my pretext. At this point, Mr. Wong also started using a different email to communicate with me: wong.shiu@mail.com. Again, I checked each message header. While several different IPs were used, they all belonged to South African mobile providers.

4

The conversation went on for quite a while and I was surprised that Mr. Wong kept answering.

5

The following day I received another scam mail that looked just like to first one. The only difference  was that the name of the banker had changed (and thus the reply email) and the promised sum of money was a lot higher than in the first email. It sure looked like this was also the work of my friend Mr. Wong, so I decided to answer to this new email as well.

6

Unfortunately, Mr. Wong did not answer any more. Looking into all the emails again, I could clearly see a pattern. Each IP-address could be traced to South African mobile providers and all emails were sent through Huawei 3G/4G WiFi routers. The language used also hinted towards Africa in general. Furthermore, over the course of two days I noticed that Mr. Wong began answering around 09:30 (CET), leading to the conclusion that he must have been in the same time zone (or nearby) if this was his 9 to 5 job.

If you ever try this yourself, please make sure to use a clean email address and do not download or open attachments. If you keep this in mind, you might have some fun with a Nigerian prince yourself. As for Mr. Wong:

Mr. Wong,

If you ever read this, feel free to contact me again. I can’t promise I’ll pay the advance fee you requested, but I’m always there for you if you need someone to chat.

Yours sincerely,

Matthias Wilson / 19.03.2019

Building a Hells Angels Database with Hunchly

Today I will teach you about Hells Angels and Hunchly and how one of these two is useful when looking into the other.

In the past year, I have worked two cases in which I stumbled upon links to Hells Angels while investigating individuals. I was surprised how much information people affiliated with this group shared publically on Facebook and other social media sites. Whether they were just supporters or full members, it became quite clear that they did not care about data privacy. Most profiles had open friend lists, some of them displaying thousands of friends. Hells Angels affiliates are not hard to find. You will likely stumble across one of the following acronyms and/or terms on their profiles: AFFA (Angels forever, forever angels), HAMC (Hells Angels Motorcycle Club), Support 81 (8 = H, 1 = A), SYL81 (Support your local Hells Angels), Eightyone.

There are a couple more, but this article is not about the Hells Angels per se. Since these individuals have so much open information on Facebook, their profiles are the perfect playground to try out Michael Bazzel’s Facebook tool on IntelTechniques.

I had just finished working on the first case and subsequently erased all the data linked to that case, when a second case soon revealed links to Hells Angels as well. If only I had saved some data from my first case. I roughly knew where I could start off, but most of this knowledge came off the top of my head and was sketchy. Before I started the second investigation, I made sure I wouldn’t make the same mistake again and decided to use Hunchly to save my findings. That way, if a third case with the same links should ever occur, I will have a great starting point. For those of you who do not know, Hunchly is a web capture tool. It automatically collects and documents every web page you visit. The best part is that it indexes everything, so you can search within the data afterwards. Using this amazing tool allowed me to create a fully searchable Hells Angels database!

First off, I created a new casefile and then let Hunchly collect Facebook friends lists of people affiliated with my target or any Hells Angels in the area my target originated from. As some of the profiles had thousands of friends, I used a little Chrome extension (Simple Auto Scroll) to automatically scroll down friends lists, so they would be captured in whole. Whenever I looked at profiles and found information that could not be automatically indexed, I would take notes in Hunchly or tag (caption) pictures. I have learned that a lot of intelligence can be obtained by closely looking at pictures on social media. In the following example, one Hells Angels member had obscured the tags on his vest. Based on the information in his profile, it became clear that he must belong to the Aarhus chapter in Denmark. I tagged this picture, meaning it would pop up if I ever searched for “Aarhus” in Hunchly.

1

I ended up tagging all pictures that included chapter names, functions, nicknames or general indications on the location. If I am interested in finding the security chiefs and weapons masters, all I have to do now is search for “Sergeant at Arms” or known abbreviations. Looking for “arms” gives me several results in Hunchly.

2

The first two are displayed because I manually tagged these pictures and added a caption. The third result is from a webpage that Hunchly captured, in which the person actually listed “SGT At Arms” as his current occupation. Hunchly also allows you to refine searches. I can narrow these results down and, for example, only search for Sergeants at Arms in a specific chapter. Searching for “arms + sacramento” only reveals one result, which I had captioned with the information I saw in the picture. As you see, the picture is actually mirrored.

3

All collected data is saved offline. Should the online profile ever change, be locked down or deleted, I still have a version to work with. By using Hunchly and remembering to tag pictures with captions and also take notes on webpages, I have created a useful database on Hells Angels Facebook profiles. From here on, it is also always possible to go to the live versions of webpages, so any updates can also be captured within the same casefile.

If you are not using Hunchly yet, I suggest you have a look at it. The use case described above is just one of many. Furthermore, if you ever come across friendship requests from people named “AFFA” or “HAMC”, you might want to think twice before accepting them. Or else you might wind up in my Hells Angels database.

Matthias Wilson / 07.03.2019

Hijacking WhatsApp without Hacking

You don’t have to be a hacker to hijack a WhatsApp account. Simple mistakes made by your target can easily give you access to WhatsApp and other messaging apps on their phones.

When I participate in meetings, I notice that some people place their phones face-up on the table. As a curious person, I always tend to glance over at their phones whenever they light up, for instance if they receive messages. Many people actually have messages displayed on the lock screens. That means they do not have to pick up their phones and unlock them to read incoming messages. Unfortunately, this also poses a serious security threat. Not only can curious people like me read these, displaying the full content of messages on your lock screen can lead to your instant messaging accounts being hijacked. No sophisticated hacking skills are required to do so!

Imagine the following scenario:

A company CEO mainly uses WhatsApp to communicate with business partners. An attacker first obtains the phone number that is linked to his WhatsApp account. People search engines, such as Pipl, are helpful to identify a target’s mobile phone number. Using an Android VM, the attacker can then setup a fully functional Android phone on his computer, including the installation of WhatsApp. WhatsApp on the VM is then registered with a burner phone. The CEO’s phone number is added to the contacts and WhatsApp will provide a profile picture, username and status. This information is saved, as the attacker will need it later when hijacking the actual account.

As an alternative, we could also use a real burner phone or a little gimmick called WhatsAllApp to obtain the aforementioned information. WhatsAllApp is a Chrome extension, that enables you to gather WhatsApp profile pictures, statuses and usernames based on any given phone number, even without adding these to your contacts.

The next step must happen quickly and this is where it starts to get criminal. Our attacker steals the CEO’s phone and instantly registers a WhatsApp account on the Android VM (or burner phone), using the CEO’s phone number. Of course, this will only work if the CEO’s phone displays incoming messages on the lock screen. The SMS verification code is then used to register WhatsApp on the burner phone or in the VM. From now on, all incoming WhatsApp messages will show up on the attacker’s WhatsApp. This works with other messaging apps as well. Of course, the attacker cannot see the chat history, but he will be able to interact with the contacts from that point on and possibly gain vital intelligence.

Using this technique could give an attacker a 1-2 day timeframe to hijack WhatsApp and other messaging apps. As soon as the CEO notices his phone is stolen, he will obviously have his phone and SIM card locked. However, how many people would actually think about giving all their contacts a heads-up that they currently are not available? Quite a challenge without a phone.

So much for the theory behind such an attack. I have noticed that my colleague’s phone displays messages on the lock screen and his wife texts him quite often. I decided to hijack his phone this morning.

While he was in a meeting across the hall, he left his phone on the desk. I used his phone number to set up a WhatsApp account on my Android VM. The SMS verification was immediately visible on his lock screen, I didn’t even have to touch his phone.

1

After entering this code, his account was mine! Of course, I used his profile picture, username and status in the hijacked account. Shortly afterwards I received the first incoming message. It was sent by his wife, asking about their lunch plans for the day (she works nearby). I texted back and suggested pizza, upon which his wife named a meeting place and time.

2

When my colleague returned from his meeting, I was happy to inform him that he would be meeting his wife at 1230 in front of the mall and that they would have pizza.

There are several lessons to be learned here:

  1. DO NOT leave your phone unattended (especially around me)!
  2. DO NOT publically disclose your WhatsApp profile information (profile pic, username, status)!
  3. DO NOT enable your phone to display messages on the lock screen!
  4. If your phone is stolen, try to inform your contacts!

And as of now I will live in fear, because I am sure my colleague will retaliate this prank soon.

Matthias Wilson / 27.02.2019

 

Why Primary Sources Matter

Hurray! German company data is now available in OpenCorporates! Does this mean I don’t have to pay for the official company register access anymore?

This morning I confronted my boss Christian with a fact that I had found on the internet yesterday evening. Although he claimed to be the director of his company, I could not find him on OpenCorporates. For those of you who do not know what this platform does: OpenCorporates is the largest open database of companies and company data in the world. The site claims to have over 160 million companies indexed. As of yesterday, they added 5 million German companies to their database. Should I believe Christian or OpenCorporates in this matter?

When I conduct due diligence and background checks, OpenCorporates is among one of the first platforms I use. As good as it is, OpenCorporates is still a secondary source and when it comes to reliable and present-day information, I rather choose to trust primary sources.

Don’t get me wrong, secondary sources such as the aforementioned or compliance tools like LexisNexis are amazing and are really helpful to get an overview of what you are dealing with, but they all have little flaws. In some cases, the data is not as up-to-date as it should be, in other cases they are lacking essential information, such as the company shareholders. The worst-case scenario is when data is falsely aggregated during the import-process, linking the wrong entities to each other. Throughout my investigations, I have stumbled upon these issues more than once when using secondary sources.

Based on yesterday’s import of the German company data into OpenCorporates, I decided to check my own employer: Corporate Trust, Business Risk & Crisis Management GmbH. This is what OpenCorporates provided:

sources

There are some flaws in this dataset, because I am sure Christain would love to see his name in here as well. After all he founded the company and has been the director of Corporate Trust ever since. This is not just a problem within OpenCorporates, I have seen similar issues quite often in expensive commercial compliance databases as well. As you can see, the dataset is also missing information on the company’s shareholders. Even when this information is contained in compliance databases, it is sometimes outdated.

These are the reasons I always try to use primary sources, such as official government company registers, whenever possible. OpenCorporates is a great starting point to tell me where to look for more detailed information, especially since it offers the possibility to search for individuals (something that many government company registers lack), but the official company registers provides the real intelligence. This is where things can get challenging. Let us have a look at the company register in Germany, our Handelsregister. It requires a formal registration, which is only available in German. No credit card payments are possible, only direct debit. For many countries, this alone may prove to be an obstacle. On the bright side, once you have access to this database, you will gain access to the original company documents, including a list of shareholders for private limited companies.

In other countries, you can only gain access to the national company registers if you are a resident of that country and in most cases against payment. Unfortunately, nothing in life is free (except the amazing British Companies House). So when it comes to obtaining all relevant and up-to-date data, a bit more is required than just the access to (free) secondary sources.

Just to be sure about Christian, I checked our company in the official German company register. Turns out he is listed as director in the Handelsregister after all.

Matthias Wilson / 06.02.2019

How a Corporate Takeover Went into a Tailspin within Days

When companies change ownership, key employees often get busy looking for new jobs. Some also take intellectual property with them on the way out the door. Here is how a real-world case unfolded – and how investors can prevent such calamities from happening.

The moment the investment started sputtering and stalling was the day the head engineer quit his job. His resignation letter, hand-delivered to the CEO in the morning, hit the new private equity investors of the company like a bucket of ice water. They had only recently acquired the southern German plant manufacturer for a load of cash. The engineer, a key figure in the company, had assured the new owners just the day before, again, that he would stay on in the new era.

As the news of his sudden departure reached the asset managers, they instantly realized the momentousness of his decision. But before they could even discuss how to deal with the consequences, more resignations turned up within hours. Three senior sales people and service technicians quit by lunchtime, a serious upheaval in the midsized company. According to the grapevine emerging that day, they did not believe that their future was golden under the new ownership.

The acquisition had been rather expensive in the first place. It was after all a seller’s market in the German corporate world. Potential investors from all corners of the globe – Europe, the Middle East, China, the U.S. – were lining up around the block to buy up German “hidden gems”. Midsized, globally successful, family-owned businesses.

The backdrop to this phenomenon was fast-growing private wealth, which to this day has been giving private equity investments a massive shot in the arm. Whereas PE assets under management totaled approx. $ 30 billion worldwide in 1992, they had reached $ 4,000 billion (=4 trillion) by 2015, according to the private equity marketplace Palico based in Paris. By 2020, Palico predicts the PE market will have doubled to $ 8 trillion. But the demand for attractive investment opportunities already far exceeds the supply. And thus investors are jumping at the chance to snatch up, among other things, successful German engineering companies. They are seen as solid and reliable, like the plant builder in southern Germany.

iStock-1056730980.jpg

When the Music Stopped Playing

We were hired as investigators to look into the sudden personnel departures and found that the head engineer had started a new Ltd. company in a neighboring country not far from his previous job. The financier of the new venture was a local entrepreneur with deep pockets. Meanwhile, a first wave of customers began canceling their contracts with the plant manufacturer and signed up with the brand-new competition, who were offering competitive prices for their services.

We scrutinized the laptop computers left behind by the departing staff. A breadcrumb trail of bits and bytes showed that customer lists and tens of thousands of engineering documents had miraculously left the building in recent months. Most of them in the last two weeks before the resignation wave.

Also, part of a business plan was discovered, outlining the new Ltd.’s strategic direction. The document’s time stamps suggested that its creators had lied about their intentions for quite some time.

Armed with the assembled proof, the plant manufacturer filed a criminal complaint, a likely breach of competition law, with the local prosecutor’s office. The case is now a government investigation that will probably drag on for years, outcome unknown. It is unclear, too, whether the plant manufacturer’s business will continue to flourish as it did in the past forty years. All it took was a data breach and a few disgruntled key employees to turn a rock-solid investment into a liability within a few days.

Investors beware: prepare for such scenarios. Because cases like this happen every week.

Collect background information about key personnel before the takeover, so that there are no surprises. Look into the IT situation: how well protected are the company’s ‚crown jewels‘? Are there any open barn doors that may be used to squirrel away intellectual property? And finally, talk to the key personnel early in the game and keep your promises to them. They will judge you by your actions, not your words.

Sebastian Okada / 28.01.2018