Be careful what you OSINT with

There are lots of neat OSINT platforms out there to make your life easier. But how many of you vet the software before using it? Not every platform should be entrusted with sensitive data as this case reveals.

In January 2019 I was tagged on Twitter, asking for my input on an OSINT platform named Lampyre. Before I use any type of software, I try to vet it as good as possible. This includes OSINT research on the company, asking tech-savy people I know for their opinion and ultimately reaching out to the company itself. No one had really heard of the software at that time, no one was using it, and I couldn’t really find much background information online. I ended up contacting Lampyre and asking them where they came from, what their background was and a couple of other questions. Unfortunately, they only sent evasive answers. They wouldn’t even tell me which country they were based in. I tried the software on one of my VMs and tested it with fake or non-relevant data. To be honest, I did like what I saw, but I decided not to use it operationally. As time passed, I noticed that many OSINTers started using the software and decided to have another look into the company and people behind it. It turns out, I was right not to use this platform. Lampyre isn’t who they claim they are. I teamed up with several helpful elves (to be honest, they did most of the work) and we found some pretty disturbing information.

Lampyre is apparently made by a company in Budapest (Hungary) called Data Tower. The company itself was registered in February 2019 and the CEO and sole shareholder is Laszlo Schmidt. The original address used to register the company leads to a law firm and the phone number that Data Tower provides belongs to another law firm in which Laszslo Schmidt is working as a lawyer. This information points to the fact that Data Tower is merely a shell company. So, how do you we get to the people behind Lampyre?

Looking into their online presence doesn’t lead to any notable individuals either. Some of the names used, such as John Galt, are most likely pseudonyms or fake accounts. Since searching for people didn’t provide any leads, we decided to look into the traffic that Lampyre sends to its back end in each query. The queries contain a brief description on what is requested and apparently the local language used by the developers is Russian, as each description is written not only in English but also in Russian.

Why should a company based in Hungary use Russian as their local language setting? Of course, the developers could be Russians working in Budapest, but again something just doesn’t seem right here: an organization that shows signs of being a shell company, the lack of transparency when directly confronted and now indications that point towards Russia. Decompiling the software showed further Russian language embedded in the code:

While this was being done, more OSINT research revealed a person named Andrey Skhomenko. This guy posted Python modules for Lampyre on Github and knew about the product in March 2018, way before it was released to public in October 2018. Andrey is based in Moscow and used to have a LinkedIn profile as well (which has been deleted in the meantime).

According to his LinkedIn, Andrey worked for the Russian Federal Security Service (also known as FSB) in the past and is now working for a company called Norsi-Trans. Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government. It turns out that Norsi Trans also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).

The overall look of this platform reminded me of something I had seen before. Oh, that’s right! Both Lampyre and Vitok-OSINT have that Win95/Win98 appearance, not only in the network visualization, but also the software itself.

So far, this was just a gut feeling. Could anymore evidence be found that would link these two products and thus Norsi Trans and Data Tower? You bet? We pulled the certificates used by Lampyre and saw that they were registered in Russia and even more compelling: one of the certificates made a direct reference to Vitok.

This was the final nail in the coffin. Lampyre and Norsi Trans are in fact connected! While there is still plenty to be discovered, I think we have proof that Lampyre and Data Tower are not fully honest. And as everything you query in Lampyre is probably sent to Russian servers, I am happy I decided not to use this tool in my private and professional investigations. After all, Russia mandates decryption for domestic services.

Maybe Lampyre is Norsi Trans’ attempt to sell their software in the western world, maybe it is a rogue operation by a Norsi Trans employee (or a few). Although, I personally have doubts about that second theory. The software is quite powerful and receives regular updates. To create something like this, you’d surely need more than one person and having a rogue team within a company try to pull this off would surely not go unnoticed. What I find most interesting, is the fact that Andrey stated he had worked for the FSB. To put it in the words of one of my former colleagues: You don’t leave Russian intelligence services, you just change your cover and continue working for them.

MW-OSINT / 23.03.2020

The Importance of Grammar in Forensic Linguistics

Commas matter and grammar matters. Especially when you deal with threat letters, poison pen letters or even ransom notes. In this case, grammatical errors, misspellings or unique writing styles might reveal the person behind the mischievous texts. Are you dealing with one author or multiple individuals? Can you link these letters to other reference documents, e.g. internal employee emails? The art of analyzing written documents in investigations is a subset of forensic linguistics.

While I won’t go through any real examples in the following article, I would like to share my experience when dealing with such cases. First up, I won’t even try to get into graphology. This is the analysis of handwriting, in an attempt to evaluate personal characteristics or the psychological state of the writer.

Graphologist: “The author is a male and he is very angry, possibly holding a grudge against the recipient.”

Intel analyst: “No shit, sherlock. The handwriting is sloppy and why else would he write a poison pen letter?”

The most important tool for me is a set of highlighters. If dealing with multiple documents, I found it easer to print them out and to mark peculiarities with the highlighters and also add handwritten notes of my own. I use different colors for different categories. One for spelling mistakes, one for grammatical errors, one for the use of uncommon words or unique word-creations and lastly the final color for certain style elements.

Let’s start off with the first category: spelling mistakes. Many people have distinct spelling mistakes they constantly make. And not always will they recognize mistakes when proof-reading their own work. Sometimes these mistakes might also indicate if the author is a native speaker or not. A German writing an English text might automatically use Telefon instead of telephone. Furthermore, many languages capitalize nouns, so look out for this as well. Other spelling mistakes may derive from auto-correct functions in office. When I open Word, it assumes I’ll write in German and does the autocorrect based on the German dictionary. Newer versions of Word notice I’m typing English after about one sentence and then automatically adjust, older versions might need a manual reset. When typing or writing quickly, one may produce clerical errors, such as forgetting letters, adding letters or switching letters. In this case, always check to see how letters are allocated on the keyboard to understand the origin of these typos. Keep in mind that different countries use different keyboard-layouts!

The next one is a bit more tricky. I have to admit, my grammar isn’t the best. I usually just know that something looks weird, without being able to grasp the actual reason or grammar rule. So, in this phase of investigations I often google certain grammar rules to make sure my hunch was right. From simple things such as mixing up your and you’re, to the inproper use of commas, there are many different errors that might show up in multiple documents. One important thing to remember is, that it will be the sum of indicators that lead to successfully solving the case. It most likely won’t just be one blatant error.

Depending on an individual’s background, they may have a different spelling of words. It may vary between British or American English, it may contain colloquial terms or even slang and different dialects. Everything that differs from the standard form of writing in the specific area you are working in, should be marked with a highlighter. Using modern-day slang might indicate a younger person, old-fashioned terms will probably not be used by a kid. I once had a case, in which the author creatively invented new curse words I had never heard of before. Some of them where so hilarious, I actually added them to my personal vocabulary. Another example would be the use of local dialect. In Germany bread rolls are named differently in many regions: Brötchen, Wecken, Semmel, Schrippe, Krossen, Normale, Rundstücke; these are all the same thing! I’m sure similar examples can found in other languages and for more relevant terms as well. Try to figure out which region the word originates from. Again, a little googling can be helpful here.

Next up, concentrate on the style of writing. Is there anything that sticks out? Specific punctuation, such as the frequent use of exclamation marks or multiple dots…. Also, concentrate on the sentence structure. Is the author using short sentences or is he fond of long-winding sentences? Does the whole document read as if it were written by the same person? A shift in style may indicate that some part was copied from another document. Finally, have a look at the format: font, size, line spacing, alignment. After marking all documents according to the above points, it’s time to spread them out and get a birds-eye view of all of them. Sometimes, this will reveal more similarities or conspicuous features shared by multiple documents.

Now, for the most important aspect: Assume your adversary, the author, is well aware of his distinct mistakes and style of writing! He might try to deceive us. Changing the usual format, by using odd fonts or changing the alignment are easy to recognize, but sometimes an author will substitute some of his unique identifiers with another. Mostly by doing the exact opposite of what his style of writing is usually known for. Someone that uses long and complex sentences might break these down into short and concise sentences, making the letter look more like an old telegram. Obvious spelling mistakes might be implemented as well, to put us on the wrong track. However, anything that is deliberately done will likely follow a certain pattern. It is our job to identify this pattern.

Of course, there is much more that can be done when handling cases like these. Analyzing handwriting by overlaying different sets of handwritten words on each other is one technique that might help. This works really well in MS Office, since the office suite has some pretty impressive features to handle images. Furthermore, fingerprint identification (dactyloscopy), analyzing the paper, trying to trace back emails; a broad variety of methods can be applied here. Maybe even the graphologist, if you’re that desperate. As with all intelligence analysis, it is important to never fully rely on just one method. Combine what you have at hand to achieve the best result.

After this brief introduction to the topic of forensic linguistics, I will prepare an example for a future article, highlighting the aforementioned. I just have to figure out who I want to blackmail or send a poison pen letter to. Maybe one of the scammers from a previous project.

MW-OSINT / 01.10.2019

How Ray Reardon Solved a Blackmail Case

When playing snooker, you sometimes have to rely on your opponent making a mistake to win the game. When conducting investigations, we also have to rely on the suspect to make mistakes, in order to solve the case.

A while back one of our customers, a large German cosmetic company, had received threatening emails from an unknown perpetrator. This person threatened to sabotage the company’s supply chain and thus cause a production fallout. The emails where sent from an anonymous email address and we were not able to find any information on the originator through OSINT. Over the course of the next weeks, the perpetrator continued to send threats and demands in various emails. One of the demands was to transfer a large sum of money to a Bitcoin account.

Again, we went looking for information online, trying to track down this Bitcoin account. Once more, we turned up empty handed. We tried every trick in the book, including trying to lure the perpetrator into a trap using phishing emails, which only resulted in him sending the threats from different email-addresses each time.

The only consistent information was the Bitcoin wallet address and the name he used to sign the emails. This name was ‘Ray Reardon’. Judging from the content of the emails, we had a hunch that this person might actually be an insider. He apparently had extensive knowledge of the company’s supply chain and internal procedures. Knowing this, we sat down with the company’s security officer and discussed the next steps. Our technical approach using OSINT and even phishing was exhausted and we agreed upon covert investigations within the company. In the first step, the security officer identified everyone that could have the knowledge displayed in the emails. We received a list of eight employees and also some written documents from each of these employees. We compared the documents to the emails, hoping we might find specific phrases, terms or spelling mistakes that match. As with the steps before, this proved inconclusive.

The suspects worked in different shifts and the company’s employees had no access to private IT or phones during their worktime. Each employee entered and left the building through doors that only opened with their personally issued RFID tag. We pulled the login data and compared it to the times that the emails had been sent and could rule out five of the suspects, as they were definitely still in the building at their workspaces. Furthermore, we had the IT department check if any company computers had accessed the websites of the email providers used to send the threat emails. So far, we started off with OSINT, then tried social engineering (phishing) and were now down to an internal forensic investigation.

These steps enabled us to narrow down the amount of suspects from eight to three. The remaining three suspects were off duty at the time the emails had been transmitted. We started conducting intensive background checks on all three, including looking at their social media and online footprints. While the checks on two of the suspects did not provide any further leads, one check revealed that the last remaining suspect was really into snooker and competed in regional snooker tournaments. This small and seemingly irrelevant information actually helped solve the case. Remember the name used to sign the threatening emails? It turns out ‘Ray Reardon’ is actually a famous snooker player. Combined with the fact that the suspect wasn’t at work in the relevant time period, the use of the name ‘Ray Reardon’ proved to be a circumstantial piece of evidence that our customer then handed over to the German law enforcement agencies. Subsequently, it was enough to get a search warrant for the suspect’s home.

Our customer later reported that the police had found more evidence on the suspect’s computer and that he was tried and convicted for attempted blackmail.

Our investigation was the frame ball* in this case.

foto by barfisch under license CC-BY-SA 3.0

MW-OSINT / 14.12.2018

*Snooker term: the last difficult shot required to win