The World’s Best Sock Puppet…Not!

There are lots of great guides on how to create sock puppets. Rather than showing you a good example of how to do so, this post shows a horrible example that was used in a recent phishing attempt.

I received a connection request on LinkedIn that clearly came from a badly created sock puppet. This request is actually a cheap phishing attempt aimed at getting hold of my phone number. Basically, the perpetrator made every mistake in the book when creating the profile. Let me walk you through the red flags I encountered. Or: How not to create a sock puppet!

Red Flag 1:

Bad English. Have a look at the message I received.


Looking at the CV, it is clear that Liya Lei should have better English skills!

Red Flag 2:

No contacts (blue box). As you can see, the profile has no listed number of contacts. This is an indicator that it was just recently created or that it is not well-tended.

Red Flag 3:

UKTI does not exist anymore (red box). UKTI stands for UK Trade & Investment, a UK government department working with businesses based in the UK. In July 2016, UKTI was replaced by the Department for International Trade. Again, either this is just a bad sock puppet or an account that is not well-tended. In both cases, it does not seem trustworthy enough to hand over my phone number to.


There are some additional steps that can be taken to verify accounts. The first step is, of course, running the name through Google. In our case, it did not produce any results directly linked to the person shown in the picture. Furthermore, a reverse image search should be performed as well. Forget Google, use Yandex for this. Unfortunately, neither Yandex nor Google were able to find the picture.

Another method to verify LinkedIn accounts is searching for the person’s email. Assuming the account is real, we should be able to identify a company email address. A quick Google query reveals that the domain ukti-invest.com was among those used by said organization. Next up, run the domain through hunter.io to gain information on the pattern used for their email addresses.


Ukti-invest.com uses “firstname.lastname”, so we can now check whether an email address belonging to Liya Lei exists. I checked the email address on verifyemailaddress.org and it clearly shows that while the domain exists, the email address we provided does not.


I also tried a couple of variations, including different domains, such as gov.uk, as well as other naming patterns, just to be sure.

Following these steps, I have pretty much proven that Liya Lei’s account is a total hoax. A very bad sock puppet set up to phish my phone number. A final note to whomever tried to fool me:

Dear Sir or Madam,

Next time try harder! There are plenty of guides out there on how to build a credible sock puppet. Your cheap attempt is actually quite insulting and did not even push my OSINT skills to a limit.

Yours sincerely

MW-OSINT / 21.01.2018

The Golden Age of OSINT is over

Change is coming and it will greatly affect the way OSINT investigations are conducted in the future. Who knows, in a couple of years completely different skill sets might be needed to handle online investigations. Are we prepared?

In the OSINT community we constantly have to deal with changes. New tools and new platforms are always on the rise, just as old platforms and tools become obsolete in an instant. Staying updated is a continuous challenge, much more than just one person can handle. Luckily, most members of the OSINT community are willing to share any new discoveries, especially on Twitter. Therefore, following the hashtag #OSINT on Twitter, as well as numerous OSINT-related accounts, is the first and most important step when working in any area that requires OSINT skills.

There is always a lot of chatter on the future of OSINT and unlike many others, I do not think that Python is the future of OSINT. Does OSINT even have a future? Let us fast forward to the year 2022 and have a look at online investigations then.


January 2022:

Over the past years, more and more people have become aware of their own data privacy and this has massively changed the way they use online services. What started with the release of the ‘Snowden documents’ in 2013 and continued with massive data breaches, such as the Cambridge Analytica case made public in 2018, has led to the desire to share less information publicly. This development basically made Facebook obsolete and new platforms have arisen in its place. Although Facebook still exists, the data it contains only has historic value and cannot be used for current investigations, much like Google+ or MySpace a couple of years back. Even though Facebook tried to turn the tide by changing privacy settings, the damage done by the many data breaches was too much to convince users to maintain a presence on the platform. Nowadays, social media is more anonymous than before: modern platforms do not require or request real names, and information shared is not automatically distributed publicly. For OSINT investigations, this means that a real name might not provide a starting point to search for someone online. The main starting point is now an obscured username, which is hopefully unique enough to be used in investigations. How can we identify a username if we just have a real name to start with?

In modern social media this is almost impossible. Unlike the old Facebook, which gave us a display name and an account name (mostly based on the real name), today’s social media does not reveal the real name. So, either you know the username to start with or you are pretty much screwed. Of course, another possibility is searching ‘historic’ sites that have linked usernames to real names, such as Facebook or maybe even Twitter. There are also commercial databases and people search engines that offer these services for a small fee. However, if someone was OPSEC-savvy before 2019, he or she most likely will not be found online easily in 2022. Even with a unique username, the information that can be obtained from social networks is marginal, since everyone is well aware of their own data privacy. If you are not a part of your target’s network, you will not see anything. No updates, no pictures. Even likes and other forms of indirect communication between accounts will not be publicly disclosed. This has rendered many of the Python tools developed over the past years obsolete, as the data that can be scraped is mostly useless.

With that said, how does OSINT look today? In general, we have shifted from the passive gathering of information to more active means of collecting data. I call it virtual HUMINT (VUMINT). The objective of VUMINT is to infiltrate target networks during investigations in order to see information that is not openly available and possibly even interact with the target on a ‘personal’ level. Whereas sock puppets in 2019 were mainly used to gain access to social networks in general, sock puppets nowadays are needed to gain access to specific profiles of our targets and their closed networks. Now, more than ever, it is important to have lifelike and tailor-made sock puppets to achieve this objective. A blog post from 2019 is still useful and gives a good description of sock puppets and how they should be set up: The OSINT Puppeteer. Building a sock puppet for a specific account is not something that is done in a short period of time, so receiving results through VUMINT takes much longer than information gathering through passive OSINT. Naturally, there is no guarantee that a target will add you to his or her network, no matter how good the sock puppet is. This means you might invest a lot of time in the creation of a sock puppet without achieving any notable results. In certain ways, it is very similar to a target-centric phishing campaign.

Another challenge in modern OSINT is the vast dissemination of unverified or untrue information on the internet. Everyone can post everything online in an instant and everyone wants to have news in a heartbeat, making it harder for press and media to thoroughly research events before releasing information. Media and press institutes that fact-check and verify first are losing the battle against quick-releasing competitors. The customer’s demand for instant information over reliable information has flooded the internet with rumors and ‘fake news’. During investigations, more and more time is spent conducting OSINT research on the credibility of data found on specific targets: finding the original source of the information, the so-called Patient Zero, assessing its trustworthiness and then determining whether and how the information can be used in our investigations. Today, it is not the actual collection of open source data that is the key, but the evaluation of this material.

One thing that has not changed is the fact that the global corporations behind online platforms, and thus intelligence services, still have the possibility to use all the personal data on users however they desire. While OSINT collection and intelligence has become more challenging for everyone outside of these corporations and intelligence services, it is easier than ever for them to make use of personal data. Whether it is tailor-made advertising or extensive profiling through intelligence services, our data and of course we ourselves are now more transparent than ever. There is no hiding from global corporations or intelligence services anymore if we want to use online services. Luckily (or unfortunately), personal data is not sold or leaked as much as it was a couple of years ago, limiting the benefit of commercial databases.

In 2022, the Golden Age of OSINT in investigations is over. The trends that started around 2015, e.g. automating OSINT, do not work anymore. Instead of learning how to code, maybe we should focus on social engineering a bit more. A good OSINT investigator in 2022, first and foremost, needs to be a good intelligence analyst and have some strong Human Intelligence skills.

Thank goodness it’s still 2019!

MW-OSINT / 04.01.2019

How Ray Reardon Solved a Blackmail Case

When playing snooker, you sometimes have to rely on your opponent making a mistake to win the game. When conducting investigations, we also have to rely on the suspect to make mistakes, in order to solve the case.

A while back one of our customers, a large German cosmetics company, had received threatening emails from an unknown perpetrator. This person threatened to sabotage the company’s supply chain and thus cause a production outage. The emails were sent from an anonymous email address and we were not able to find any information on the originator through OSINT. Over the course of the next weeks, the perpetrator continued to send threats and demands in various emails. One of the demands was to transfer a large sum of money to a Bitcoin account.

Again, we went looking for information online, trying to track down this Bitcoin account. Once more, we turned up empty-handed. We tried every trick in the book, including trying to lure the perpetrator into a trap using phishing emails, which only resulted in him sending the threats from a different email address each time.

The only consistent information was the Bitcoin wallet address and the name he used to sign the emails. This name was ‘Ray Reardon’. Judging from the content of the emails, we had a hunch that this person might actually be an insider. He apparently had extensive knowledge of the company’s supply chain and internal procedures. Knowing this, we sat down with the company’s security officer and discussed the next steps. Our technical approach using OSINT and even phishing was exhausted and we agreed upon covert investigations within the company. In the first step, the security officer identified everyone who could have the knowledge displayed in the emails. We received a list of eight employees and also some written documents from each of these employees. We compared the documents to the emails, hoping we might find specific phrases, terms or spelling mistakes that matched. As with the steps before, this proved inconclusive.

The suspects worked in different shifts and the company’s employees had no access to private IT or phones during their working hours. Each employee entered and left the building through doors that only opened with their personally issued RFID tag. We pulled the door access logs and compared them to the times that the emails had been sent, and could rule out five of the suspects, as they were definitely still in the building at their workplaces. Furthermore, we had the IT department check whether any company computers had accessed the websites of the email providers used to send the threatening emails. So far, we had started off with OSINT, then tried social engineering (phishing) and were now down to an internal forensic investigation.
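The timeline check described above, as an added example that is not part of the original post: given badge entry/exit events and the send times of the emails, it lists which suspects were demonstrably inside the building (and thus without private devices) when an email was sent, and which cannot be cleared that way. Employee ids, badge events and email times are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the original case). Badge events are
# (employee id, ISO 8601 local timestamp, "IN" or "OUT"); email times are the
# send times recovered from the threatening emails.
BADGE_EVENTS = [
    ("emp01", "2018-10-02T06:02:00", "IN"),
    ("emp01", "2018-10-02T14:31:00", "OUT"),
    ("emp02", "2018-10-02T13:55:00", "IN"),
    ("emp02", "2018-10-02T22:10:00", "OUT"),
    ("emp03", "2018-10-02T22:03:00", "IN"),
    ("emp03", "2018-10-03T06:15:00", "OUT"),
    ("emp04", "2018-10-02T06:00:00", "IN"),   # no OUT event recorded: still inside
    ("emp06", "2018-10-02T16:00:00", "IN"),
    ("emp06", "2018-10-02T21:00:00", "OUT"),
]
EMAIL_TIMES = ["2018-10-02T10:12:00", "2018-10-02T15:40:00", "2018-10-03T01:30:00"]
SUSPECTS = ["emp01", "emp02", "emp03", "emp04", "emp05", "emp06"]  # emp05: no badge data

Interval = Tuple[datetime, Optional[datetime]]  # (entered, left); left=None: still inside


def presence_intervals(events) -> Dict[str, List[Interval]]:
    """Pair each employee's IN/OUT events, in time order, into presence intervals.

    An IN followed by another IN (a missed OUT) is discarded rather than extended,
    because only intervals in which the person was certainly inside may serve as
    an alibi."""
    per_emp = defaultdict(list)
    for emp, ts, kind in sorted(events, key=lambda e: (e[0], e[1])):
        per_emp[emp].append((datetime.fromisoformat(ts), kind))
    result: Dict[str, List[Interval]] = {}
    for emp, evs in per_emp.items():
        intervals: List[Interval] = []
        entered: Optional[datetime] = None
        for t, kind in evs:
            if kind == "IN":
                entered = t          # a second IN replaces the unreliable first one
            elif kind == "OUT" and entered is not None:
                intervals.append((entered, t))
                entered = None
        if entered is not None:
            intervals.append((entered, None))   # open interval: no OUT recorded yet
        result[emp] = intervals
    return result


def inside_at(intervals: List[Interval], t: datetime) -> bool:
    """True if t falls inside any presence interval (entry inclusive, exit exclusive)."""
    return any(start <= t and (end is None or t < end) for start, end in intervals)


def triage(suspects, events, email_times):
    """Return (ruled_out, remaining).

    A suspect is ruled out if the badge log shows them inside the building at the
    send time of at least one email; ruled_out maps the id to those send times.
    Suspects without usable badge data stay on the list."""
    presence = presence_intervals(events)
    ruled_out: Dict[str, List[str]] = {}
    remaining: List[str] = []
    for emp in suspects:
        alibi = [ts for ts in email_times
                 if inside_at(presence.get(emp, []), datetime.fromisoformat(ts))]
        if alibi:
            ruled_out[emp] = alibi
        else:
            remaining.append(emp)
    return ruled_out, remaining


if __name__ == "__main__":
    cleared, left = triage(SUSPECTS, BADGE_EVENTS, EMAIL_TIMES)
    for emp, times in cleared.items():
        print(f"{emp}: inside at {', '.join(times)} -> ruled out")
    print("remaining suspects:", left)
```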

These steps enabled us to narrow down the number of suspects from eight to three. The remaining three suspects were off duty at the times the emails had been transmitted. We started conducting intensive background checks on all three, including looking at their social media and online footprints. While the checks on two of the suspects did not provide any further leads, one check revealed that the last remaining suspect was really into snooker and competed in regional snooker tournaments. This small and seemingly irrelevant piece of information actually helped solve the case. Remember the name used to sign the threatening emails? It turns out ‘Ray Reardon’ is actually a famous snooker player. Combined with the fact that the suspect wasn’t at work in the relevant time period, the use of the name ‘Ray Reardon’ proved to be a piece of circumstantial evidence that our customer then handed over to the German law enforcement agencies. Subsequently, it was enough to get a search warrant for the suspect’s home.

Our customer later reported that the police had found more evidence on the suspect’s computer and that he was tried and convicted for attempted blackmail.

Our investigation was the frame ball* in this case.

Photo: Snooker touching ball (red) by barfisch, under license CC-BY-SA 3.0

MW-OSINT / 14.12.2018

*Snooker term: the last difficult shot required to win

百度地图 – On China’s Streets with Baidu Maps

Different countries, different customs. It doesn’t always have to be Google. Today I’ll present a possibility to look at addresses in China.

Google Street View is a must-have for OSINT investigators nowadays. Especially when conducting geolocation verifications, this tool is a valuable asset. The overall coverage is getting better day by day and in larger cities, such as Paris and London, the Google Street View car has passed multiple times, allowing us to see changes over the years. Even in developing and emerging countries there might be solid Street View coverage. This effortlessly enables us to have a look at a remote village in Slovakia in order to check an address which supposedly belongs to a large company.

Unfortunately, there are still many blind spots on the Google Street View map. This isn’t Google’s fault and mostly results from regulatory reasons and/or security policies in various countries.

In Germany, the main reason is the complicated relationship between Germans and data privacy. Only a few major cities have Street View coverage, dating from 2009, and lots of locations are pixelated. Digitally, Germany is a developing country.

Figure: Google Street View coverage for Germany compared with neighboring countries

China also does not have any Street View coverage (except Hong Kong). This has regulatory reasons. However, China wouldn’t be China if it didn’t have its own version of Street View. The Chinese search tool Baidu also incorporates a map tool that has something similar to Street View, called Total View. There is no complete coverage in this tool, only in the larger cities and economic centers. Investigators conducting a due diligence of a new business partner in China can use Baidu Maps to verify addresses. If the address which is supposed to house a large business only shows a small newspaper kiosk, something might not be right.

Figure: Baidu Total View coverage (blue shaded area) in and around Shanghai

The big challenge here is the language barrier. Baidu is in Chinese and the automatic translation of this site sometimes does not work properly, so we’ll have to copy and paste sections of the page to get proper translations.

You can access Baidu Maps by clicking on 地图 (this translates to ‘map’) at the top right of the Baidu landing page.


In general, this tool is built like Google Maps. On the top left you’ll see the search field (red box). On the bottom right you can choose between the different view types: Street Map (green box), Satellite View (yellow box) and Total View (purple box).


It is best to search with Chinese search terms when using Baidu. So, if we want to search for the address of a Chinese company, we should look up the address in Chinese on the website of the company.

Let us take Volkswagen (China) Investment Co. Ltd. (大众汽车(中国)投资有限公司), for example. This company is a subsidiary of the German automotive group. On the company’s website www.vw.com.cn we’ll find the company name and address in Chinese; of course, we have to use Google Translate to get this far.

After copying the Chinese address into the Baidu Maps search, we’ll receive a result. Now we can switch to the Total View mode and place the camera icon right in front of the address.


Just like in Google Street View, we now have the possibility to pitch and turn the camera, as well as to zoom in and out and ‘drive’ along the street. In our case, we can clearly see the Volkswagen building with its logo.


It isn’t always this easy, sometimes you have to look around a bit on Baidu Total View to actually find what you’re looking for.

I hope this short and simple blog post can help you when using Baidu Total View. Just play around with the tool a bit to learn more. If you have any questions or remarks, feel free to use the comment section underneath this blog post.

Ingmar Heinrich / 03.12.2018

百度地图 – Out and About on China’s Streets with Baidu Maps

Different countries, different customs. It doesn’t always have to be Google. Today I will present a way to take a look at an address in China.

Google Street View is indispensable for OSINT investigators today. The tool plays a decisive role in geolocation verification in particular. Coverage with current imagery is improving day by day. In big cities such as Paris and London, the Google Street View car has in some cases already driven through the streets several times, so that you can even trace historical changes. Even in supposedly developing and emerging countries there is solid coverage. So I can easily go virtually to a remote village in Slovakia to take a look at the address where a company is supposedly located.

Unfortunately, there are still many white spots on the Google Street View map. This is less Google’s fault than the result of regulatory and/or security-related reasons in the various countries.

In Germany, it fails above all because of the Germans’ difficult relationship with data privacy. Only a few major cities have outdated imagery from 2009, some of which is also pixelated. The rest is a digital developing country.

Figure: Google Street View coverage (blue shading) in Germany compared with neighboring countries

China also has no Google Street View coverage (except Hong Kong). This, however, is mainly due to the regulatory requirements of the People’s Republic. But China wouldn’t be China if there were no alternative. The Chinese search engine Baidu, like Google, has a map service that also offers a Street View variant. However, not the whole country is covered, so far only the major cities and economic centers. For investigators conducting, for example, a due diligence of a new business partner in China, Baidu thus offers the possibility to take a look at the address in advance. If there is only a kiosk at the address instead of the factory halls, I should become suspicious.

Figure: Baidu Total View coverage (blue shading) in the Shanghai metropolitan area

A major challenge is the language barrier. Baidu is in Chinese and the automatic translation of the website does not always work, so I have to copy out individual text passages.

I reach Baidu’s map service by clicking on 地图 (translated: map) at the top right of the start page.

The map service is basically structured like Google Maps. At the top left is the input and search field (red frame). At the bottom right are the three different map view variants: Street (green frame), Satellite (yellow frame) and Total View (purple frame).

I have the greatest success when I enter a Chinese address directly into the search field. If, for example, I am to investigate a company in China, I will most likely get the address from the company’s website.

As an example, let us take Volkswagen (China) Investment Co. Ltd. (大众汽车(中国)投资有限公司), a subsidiary of the German car manufacturer. On the company’s website www.vw.com.cn I find the exact company name and the address of the company under Contact, naturally with the help of Google Translate.

I copy the Chinese address into the Baidu Maps input field and get a hit. Then I switch to Total View mode and place the small camera in front of the building.

In Baidu Total View mode, just as with Google Street View, I can then turn the camera, zoom in and out and drive along the street. In our case, I recognize the Volkswagen building by the distinctive lettering in front of it.

Of course, it is not always as easy as in this case. Very often it is necessary to search the surroundings of the address in Baidu Total View to get the desired hit.

I hope that with this short blog entry I was able to give a practical description of Baidu Total View. It is best to play around with the tool a bit to assess its capabilities for yourself. If you have questions or remarks, feel free to write them in the comments.

Ingmar Heinrich / 30.11.2018

The Nexus Analyst: Understanding your Customer’s Requirements

Nexus is ‘an important connection between the parts of a system’, according to the dictionary. In an intelligence environment, OSINT has the same function. Another example of how OSINT can provide important leads for HUMINT and SIGINT in Afghanistan.

Open Source Intelligence (OSINT) is all about perseverance and following bread crumbs that lead to key findings. To be honest, you won’t always find the smoking gun and in some cases you might miss it. That’s one thing I have learned: No matter how hard you look, you are always likely to miss out on something. That is why the OSINT community on Twitter is so important. New tools and techniques are shared there and help broaden your own set of skills on a daily basis. Another important lesson is to always have clearly defined objectives, the so-called Key Intelligence Questions (KIQ), when conducting OSINT research. What specifically is your intelligence customer asking for? This means you have to understand the ultimate goal and your customer’s mindset to a certain extent.

My concept called Interdisciplinary Intelligence Preparation of Operations (I2PO) relies on OSINT to support other intelligence collection types (ICT), such as Signals Intelligence (SIGINT) or Human Intelligence (HUMINT), and vice versa. Therefore, the OSINT analyst must understand the specific requirements for each ICT. If you deliver a phone number or email address to a HUMINTer, he might give you puzzled looks. Again, I would like to demonstrate my point with an OSINT case that might easily happen this way in military intelligence and intelligence services. In a previous blog post, we had HUMINT information as a starting point for OSINT. This time, we have a couple of Key Intelligence Questions.

Imagine we are forward-deployed OSINT analysts in Afghanistan. We not only provide information on the general situation in our area of operations, but also support the adjacent HUMINT and SIGINT teams. Our HUMINTers want to know a little more about the family ties of their intelligence targets and the networks surrounding these people (KIQ 1). The SIGINTer just needs some selectors, such as phone numbers and email addresses, which he could task in his SIGINT systems (KIQ 2). One of the intelligence targets happens to be Mohammad Atta Noor, a key power broker in Northern Afghanistan.

We start out with a simple Google search and we soon find an interesting site containing bios of Afghan VIPs: afghan.bios.info. The entry on Mohammad Atta Noor is quite detailed and also reveals the name of one of his sons, Tariq Noor.

Next up we conduct a Google search on Tariq Noor in combination with the name of his father. This leads us to Tariq’s Twitter account, where he is pictured together with his father.


Twitter also suggests further accounts to follow, one of them being Khalid Noor. It turns out that this is another son of Mohammad Atta Noor.


So far, we have names and pictures of two sons. Knowing that Mohammad Atta Noor has even more children, we could continue our search and identify the other children, while trying to obtain pictures and more data on them. However, let us focus on Tariq and Khalid first. As their father is a successful businessman, it is likely that his sons have businesses of their own, or are maybe even connected to their father’s companies.

To check this, we again have a look at the Afghan company register (www.acbrip.gov.af). Since we cannot search for individuals here, we assume that Tariq and Khalid have companies named after themselves. This search within the Afghan company register produces good results. The first result when looking for Khalid Noor even gives us the phone number of Mohammad Atta Noor and a bit of his family history with the names of Mohammad Atta Noor’s father and grandfather.


Mohammad Atta Noor is the president of Khalid Noor LTD and states that his father’s name is Haji Noor Mohammad and his grandfather’s name is Mirza Mohammad Gul. In Arab and Central Asian countries, this information is valuable when distinguishing same-named persons. A look into the shareholders of this company not only reveals that Khalid is a shareholder, but also mentions other business partners (and their family history, as well as phone numbers). All this information helps build a network chart including the relevant family ties. This is the information our HUMINT team was looking for (KIQ 1). Of course, the phone numbers answer the Key Intelligence Question our SIGINT team had (KIQ 2). A query for Tariq Noor produces similar results, including phone numbers of Tariq and his business partners.


All in all, following OSINT bread crumbs led to amazing key findings. Now this information can be used for HUMINT operations, when trying to infiltrate the networks around Mohammad Atta Noor and, as mentioned, also to task SIGINT operations. A perfect example of I2PO!

In conclusion, this way of working leads me to refer to an OSINT analyst within military and intelligence services as a ‘Nexus Analyst’, an analyst in between ICTs: someone who knows what HUMINT or SIGINT really need to conduct their missions successfully and who takes this into account when browsing the web.

MW-OSINT / 28.11.2018

I2PO – From HUMINT to OSINT to SIGINT

Sometimes even seemingly irrelevant information leads to key findings. In this case, the mere existence of a company led to unraveling the phone number of the son of Afghan Vice President Abdul Rashid Dostum.

Interdisciplinary Intelligence Preparation of Operations, I2PO, is a concept on combining the different types of intelligence collection to achieve the best results. In the following example, I will demonstrate a perfect case of an intelligence workflow that starts with Human Intelligence (HUMINT), utilizes Open Source Intelligence (OSINT) and lastly provides leads for Signals Intelligence (SIGINT).

Imagine you are part of a SIGINT team, dedicated to Afghan politics. While reading some HUMINT reporting, you come across a report regarding Batur Dostum, the son of the Vice President of Afghanistan, Abdul Rashid Dostum. The report informs about Batur’s businesses in Northern Afghanistan. One of the businesses mentioned is Batur Mustafa LTD.

This provides a starting point for OSINT research. While googling this company will not produce any notable results, a query within the Afghan Central Business Registry (ACBR) might lead to some useful information. Luckily, the database is in English, so we will not have to use any translation tools. The ACBR database does not enable you to search for individuals, but we have the company name.


The result of this query gives us plenty of relevant data. Not only do we receive information on the company itself, but also on its shareholders and their personal data. This includes names, father names, phone numbers and residencies.


This is our target! Batur Dostum, the son of Abdul Rashid Dostum. He owns 50% of the company shares and his phone number is listed. The next step would be to task his phone number in our SIGINT collection. While we are at it, we should also task the phone number of the other shareholder and vice president of the company.


It is highly likely that this phone number might also produce decent SIGINT results.

As you can see, a piece of information that might seem irrelevant to start with led to a key finding and the possibility to enable further intelligence operations.

MW-OSINT / 19.11.2018

It’s a Match! Combining Tools & Methods for Email Verification

Email permutators and the browser extension LinkedIn Sales Navigator have been on the market for quite a while. Both are among the basic tools of trade for marketing and sales. Combined, they make a powerful OSINT tool for email verification.

Let’s imagine the following white-collar crime scenario. We are investigating a fraud case and screen one of the suspects: Fritz Marchow. He has a LinkedIn profile but what we do not know is his email address.

Most people use rather unsophisticated email addresses based on a combination of variables such as first name, last name, middle name or nickname, or the respective initials, at a common email provider. Therefore, it is not rocket science to guess these combinations.

An email permutator will do most of the work and, hence, save us a lot of time. Our tool of choice is Email Permutator+, since it allows us to permutate addresses for three domains at the same time.

We fill in the information we have: our suspect’s first and last name. We choose the domains manually. We start with gmail.com and yahoo.com and pick outlook.de as the third option, since our case is set in Germany. The tool permutates 102 email addresses, waiting to be copied to our clipboard.
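As an added illustration (not the permutator’s own code) of both the pattern lookup done with hunter.io in the sock puppet post above and the permutation step just described: the template list below is an assumed subset of what such tools offer, and the names and example.com addresses are constructed. `permutate` generates candidates from a name, `matching_template` reports which template a known address follows (i.e. whether it is guessable from the name at all), and `infer_pattern` derives the dominant template of a domain from a few known addresses.

```python
from collections import Counter
from itertools import product
from typing import Iterable, List, Optional, Tuple

# Local-part templates (an assumed subset of what permutators such as the one
# above offer). Placeholders: {f} first name, {l} last name, {m} middle name,
# {fi}/{li}/{mi} the respective initials. A template that needs a name part we
# do not have (e.g. a middle name) is skipped.
TEMPLATES = [
    "{f}{l}", "{f}.{l}", "{f}_{l}", "{f}-{l}",
    "{fi}{l}", "{fi}.{l}", "{fi}_{l}",
    "{f}{li}", "{f}.{li}",
    "{l}{f}", "{l}.{f}", "{l}_{f}",
    "{l}{fi}", "{l}.{fi}",
    "{fi}{li}", "{f}", "{l}",
    "{f}{m}{l}", "{f}.{m}.{l}", "{f}{mi}{l}", "{f}.{mi}.{l}", "{fi}{mi}{l}",
]


def _name_parts(first: str, last: str, middle: Optional[str] = None) -> dict:
    parts = {"f": first.lower(), "l": last.lower(),
             "fi": first[0].lower(), "li": last[0].lower()}
    if middle:
        parts["m"] = middle.lower()
        parts["mi"] = middle[0].lower()
    return parts


def _render(template: str, parts: dict) -> Optional[str]:
    try:
        return template.format(**parts)
    except KeyError:          # template refers to a name part we do not have
        return None


def permutate(first: str, last: str, domains: List[str],
              middle: Optional[str] = None) -> List[str]:
    """All candidate addresses for a name across the given domains, deduplicated,
    grouped by domain in the order given."""
    parts = _name_parts(first, last, middle)
    local_parts: List[str] = []
    for t in TEMPLATES:
        lp = _render(t, parts)
        if lp is not None and lp not in local_parts:
            local_parts.append(lp)
    return [f"{lp}@{d}" for d, lp in product(domains, local_parts)]


def matching_template(address: str, first: str, last: str,
                      middle: Optional[str] = None) -> Optional[str]:
    """The template the address' local part follows, or None if the address is
    not a simple name-derived one (and so not guessable from the name alone)."""
    local = address.split("@", 1)[0].lower()
    parts = _name_parts(first, last, middle)
    for t in TEMPLATES:
        if _render(t, parts) == local:
            return t
    return None


def infer_pattern(samples: Iterable[Tuple[str, str, str]]) -> Optional[str]:
    """Given (first, last, address) samples from one domain, return the most common
    template, which is the kind of answer a pattern lookup like hunter.io gives."""
    counts: Counter = Counter()
    for first, last, addr in samples:
        t = matching_template(addr, first, last)
        if t is not None:
            counts[t] += 1
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    # Constructed sample: a few known addresses on one (reserved) domain.
    known = [("Anna", "Example", "anna.example@example.com"),
             ("Ben", "Sample", "ben.sample@example.com"),
             ("Cara", "Demo", "cdemo@example.com")]
    print("dominant pattern on example.com:", infer_pattern(known))
    candidates = permutate("Fritz", "Marchow", ["gmail.com", "yahoo.com", "outlook.de"])
    print(len(candidates), "candidates, e.g.", candidates[:3])
```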


We have already installed the LinkedIn Sales Navigator for Gmail Lite browser extension from the Chrome Web Store. Now all we have to do is open our Gmail account and paste the copied list into the ‘to’ field of an email that we are composing. While we hover over the addresses with the cursor, we see the details appear in the Sales Navigator sidebar on the right.


It’s a match! Hovering over fritzmarchow@outlook.de the Sales Navigator shows the LinkedIn profile that belongs to this address. We now have our suspect’s confirmed email address. If there is no matching LinkedIn profile for one of the addresses we are hovering over, the Sales Navigator will show that.

On a side note: Hovering over any Gmail address will also reveal the corresponding Google account with first and last name and the profile picture, or an initial in case no picture has been added. This is an easy method for verifying Gmail addresses. Sometimes it also works for other email providers, such as Hotmail.

In our case, we have another match hovering over fritzmarchow@gmail.com. Recognizing the same profile picture he used for LinkedIn we now have a second email address that can be attributed to our suspect.

permutator4

Email permutation has its limitations: it can only use a fixed set of preset variables. As with most OSINT tools, combining it with the LinkedIn Sales Navigator will most likely not solve your case on its own. However, it adds another puzzle piece, and in the end many of those make up the overall picture.

It is worth mentioning that this tool ONLY uses publicly available data and it cannot help find the email address of people who want to keep it hidden.

Sebastian Schramm / 16.11.2018

Learning from Aircraft Spotters for Competitive Intelligence

Aircraft spotters use tracking sites to obtain information on flight paths, enabling them to take pictures of aircraft taking off or landing at airports. Did you know that these tracking sites and methods could also be useful when conducting OSINT investigations?

Today I would like to show another aspect of OSINT when it comes to competitive intelligence (CI). Wikipedia defines CI as ‘the action of defining, gathering, analyzing, and distributing intelligence about products, customer, competitors’ in order to support decision making processes in companies. Depending on the actual case, we will do research in a variety of different sources, ranging from company databases to credit rating services, and in some cases even deep-dive into social media. However, every once in a while we might have to look into something more exotic.

The following case is completely fictional, but could easily take place as described.

German Special Forces are currently looking for a new light support helicopter. Two companies are in the race for this very lucrative contract: Airbus with its new H-145M design and a second company, which employs us to gather information on the Airbus product.

One of the key intelligence questions our customer wants us to answer is about the performance of the H-145M. We find out that Airbus conducts its testing at the airfield in Manching near Munich, Germany. Whenever aircraft fly through public airspace, they are required to switch on their ADS-B systems, which allows them to be tracked, avoiding collisions with other aircraft and thus ensuring flight safety. I would like to point out that certain military or government flights are conducted without enabling ADS-B tracking. Another relevant point is that the tracking depends on a network of mostly private ADS-B receivers and lacks full global coverage. However, Germany has pretty decent coverage.

Using ADS-B tracking sites such as flightradar24.com, we can collect data on any relevant flights. As an alternative, we can also buy our own ADS-B receiver for as little as 20 euros and set it up in the vicinity of the airport. This information could prove valuable to our customer when assessing the overall performance of the competitor’s product.

Today happens to be one of the test days and two helicopters take off from the airfield in Manching. These two are the pre-series H-145M models that we are looking for. For future reference, we can always identify them by their registration numbers.

1

Registration details of a H-145M

The following picture shows the flight path during these tests. Looking at the flight path might give an indication on what exactly was tested.

2

We also obtain detailed information regarding the speed and altitude of these flights. This might lead to clues on the peak performance values.

3

Of course, our work does not end here. We continue to track every movement of the two identified helicopters. Future operations might even include getting high-resolution videos or photos of the helicopters and maybe even HUMINT to receive a couple more details.

This scenario illustrates just one of the ways in which data from ADS-B tracking sites can be utilized. It can also be helpful when tracking specific flights or monitoring smaller airfields to find a specific plane. In the future I will provide another case in which the tracking of an airplane led to an important intelligence finding.

Until then, why don’t you have a look at the traffic above yourself!

MW-OSINT / 08.11.2018

Harvesting Intel on India’s Nuclear Command – When OSINT meets SIGINT

Using OSINT to enable SIGINT. Imagine you are a SIGINT analyst keeping track of India’s nuclear forces. Luckily, you have some OSINT skills, which enable you to find selectors related to the former commander-in-chief of these forces. This could be a door opener to the current leadership…

So far, I have written short posts on how OSINT can support military decision makers as well as being a vital part of HUMINT operations. The key statement is that each intelligence collection type (ICT) requires a certain amount of OSINT to successfully prepare and conduct operations. This is a concept I call ‘Interdisciplinary Intelligence Preparation of Operations’, in short: I2PO.

One of the most secretive ICTs is Signals Intelligence (SIGINT). In many cases SIGINT services or SIGINT branches within services are isolated from other ICTs, thus making cooperation between them challenging. This is one reason why SIGINT should incorporate dedicated OSINT capabilities, especially when doing preparatory research on new target areas or specific target decks. On the one hand, OSINT could provide general information on the telecommunications infrastructure of a target area; on the other hand, OSINT could actually provide valuable selectors to task.

There are many different ways to support SIGINT with OSINT using the vast variety of OSINT tools and skills. In the following example, I would like to point out how to acquire additional selectors for a certain target deck.

Let us assume we are SIGINT analysts working on the India target desk, specifically the desk tasked with conducting SIGINT against India’s nuclear forces. A country’s nuclear forces are among the most highly protected and secretive assets. Finding SIGINT leads and selectors to gather credible information is an almost impossible task in this context. I assume the direct communication of these forces is secure and hardened. As a result, collecting official military communications from their dedicated channels can be ruled out. What other chances do we have to gather intelligence on our target?

SIGINT, like all other ICTs, feeds off mistakes that our targets make. If people were OPSEC-aware, we would not find so much information on the internet, HUMINT sources would not be so talkative and eavesdropping on communications would not reveal that much. With this in mind, let us find a hands-on, doable approach towards our target. Sometimes people use non-secure communications to transmit confidential information. Our targets might do the same. So our first step would be to identify targets and their non-official selectors, hoping these could be tasked and provide valuable intelligence.

Unfortunately, none of the current leadership of India’s nuclear forces, the Strategic Forces Command (SFC), is overt enough to provide us with additional non-official selectors. To start, we look at the former leadership, expecting that they might still be in contact with some of the current administration. Press reporting indicates that the previous commander in chief of the SFC, Lieutenant General Amit Sharma, handed over his command in July 2016. This is close enough for us to assume that General Sharma will still occasionally get in touch with his former comrades.

Next up is an extensive Google search on General Sharma. As a high-ranking former member of the military, he might have directorships or board memberships in civilian companies. In our case he does not, so searches in company databases remain negative.

One of my favorite Google dorks is ‘filetype’, specifically looking for PDFs or PPTs. PDFs and PPTs often contain a lot of information, which helps give an overview of the target and sometimes provides leads for further research.

india google results

This search results in several hits, mainly studies and conferences in which General Sharma participated. However, the first hit is actually the gold nugget we have been looking for. In India, the Department of Public Enterprises hosts a database containing former CEOs, directors and government officials, including short résumés.

Let’s have a look at General Sharma’s résumé:

bio data

Now we have a private email address and a mobile phone number belonging to General Sharma. These two selectors are tasked and a metadata analysis is conducted on both. Maybe he is in contact with his old comrades in the Strategic Forces Command. This is the door opener we needed to successfully approach our goal. We can also look up the address, which seems to be his home address. Sometimes this will also lead to further selectors.

I also hope that General Sharma did not use Dropbox to save the nuclear launch codes. Have I Been Pwned lists his email and password among those exposed in the Dropbox data leak of mid-2012.

As this example shows, it is essential for SIGINT analysts to include OSINT research in their daily workflow.

Disclaimer: Although the data shown is real, the complete scenario described here is fictional. I have no idea if this information is known or used by intelligence services, nor do I have any insight on the assumption that India’s Strategic Forces Command is an intelligence target.

MW-OSINT / 08.10.2018