The Impact of OSINT on Christmas

Proper intelligence is vital to prepare military and law enforcement operations or to provide information to political and business leadership prior to decision making. However, these are not the only people relying on good intelligence to get the job done. I had the honor of interviewing a very special person on his views of intelligence and how his organization utilizes it for one of the most challenging tasks known to mankind.

Sir, it is such an honor to have you here. Tell us a little about yourself. What exactly is your job and how does it involve intelligence work?

I go by many names, but please just call me Santa. I am in charge of a large organization tasked with bringing joy and fun to children worldwide on Christmas Eve. While I’m pretty sure you all know what I do during the Christmas night, not many people know what happens prior to this.

My organization and I have roughly 24 hours to deliver presents to children who deserve them. In order to accomplish this, a lot of planning is necessary and this planning is based on the information I receive from an intelligence agency within my organization. In Santa’s Secret Service, or S3, we mainly conduct GEOINT along with OSINT to make sure everything runs smooth on that one special night. Oh, and don’t confuse us with the Amazon web service.

Santa, while most of my readers are acquainted with terms such as GEOINT and OSINT, could you please explain what they are and possibly provide a use case from your organization.

Sure. I only have a limited timeframe to make sure I deliver everything to the right address. The route I take has to be carefully planned. The number of children on this world is steadily growing, more deliveries leave less room for mistkes. Even though my sleigh travels at an incredible speed…

How fast and how does that work?

I’m afraid that is classified. In order to properly plan the route, I rely on precise satellite imagery and maps. Imagery and maps from search engine providers are not up to date and commercial satellite imagery is not detailed enough. Keep in mind, my team has to figure out the best way into a chimney. We need a resolution of less than 0.3m to do so. Before Christmas, my sleigh is outfitted with an ultra high resolution imaging system and flies several sorties. While the actual collection of the imagery does not take that long, creating maps and the final route based on this is a bit more time-consuming. The whole process I just described is referred to as geospatial intelligence, or GEOINT.

Wow, that alone is probably a large amount of data collected each year. How do you process such massive amounts of data?

We have our own server infrastructure at S3. Located in vicinity of the North Pole, our energy consumption is lower than usual, because we have a natural cooling system.

What happens after you have mapped the world?

I forgot to mention one thing. In order to plan the route, we need to know who will receive a delivery. Luckily, I have information on the address of each child from a classified source. But, does this child even deserve anything? We have to figure out who was naughty and nice. A lot of this is done through open source intelligence, or OSINT.

While we could use classic signals intelligence (SIGINT) to tap into communications and try to answer the question who is naughty or nice, we have found that OSINT provides the best “bang for the buck”. S3 has a very large team of OSINTers, who mainly monitor social media activities.

What exactly is your team looking into?

My OSINTers start off looking into profiles of the children, but not only to see how they behave. Depending on the region they live in, the platforms they use will differ. From Ask.fm to Weibo, there are many differnt sources to look at. We have seen TikTok blow up over the past months, but we also still obtain a lot of information from “older” platforms such as Facebook and Pinterest. These platforms also provide leads on the interests of our targeted subjects, which enables my organization to match them with the perfect present. We not only look at the children, but also monitor profiles of their family and friends, since relevant information is hidden here as well. As you can see, this is all a very deep intrusion into personal privacy. Therefore, we have very strict rules on how to handle this data, a massive auditing and compliance system and constant trainings for my team. If you thought GDPR was challenging, you wouldn’t want to know how much effort we put into protecting the privacy of our subjects!

Many children nowadays are active in closed communications, such as messengers, or they have restricted public access to their acounts by changing their privacy settings. How do you cope with this?

There are two different approaches we can take here. The first one is what you would call virtual HUMINT, or VUMINT. We try to place someone within a closed chat group using a false persona. For example, a group of friends has a WhatsApp channel with 20 participants. Using OSINT, we create a sock puppet credible enough to be invited into this group. In cases in which this works, we then can then instantly monitor 20 people. Of course, such actions are subject to much stricter rules and regulations that normal OSINT and are not performed often.

The second approach would be a classic computer network operation, or “hacking” an account. This is very rarely done and the methods and techniques are highly classified.

What about children who don’t have access to modern communications?

In this case, we rely on classic human intelligence, or HUMINT. Throughout the world, we have a network of sources directly providing us information. A lot of this is hearsay, so we try to confirm information with other sources before processing it. This actually also applies to data won through OSINT.

However, I would like to point out that at the end of the day we will never gather everything on everyone. Have you ever wondered why a spoiled and misbehaved child you knew received a nice present anyway? No matter how much effort we put into intelligence collection, there will always be a delta between what information is out there and which information we have obtained. I think that is the nature of intelligence work in general.

Circling back to OSINT, how does S3 ensure that they are up to date on new tools and techniques?

We do OSINT to enable OSINT. Of course, we follow #OSINT on Twitter and we also have someone monitoring osint.team as well as various blogs such as osintcurio.us and your blog.

Wow, I’m honored to have made it on S3’s reading list. I know you are quite busy, so we can wrap it up here. Is there anything else you would like to add?

Merry Christmas, happy OSINTing and I wish you all the best in 2020!

MW-OSINT / 22.12.2019

Unravelling the Norton Scam

It all starts with a bad sock puppet

If you have problems with Norton 360 or Norton Antivirus, please do not call +1-844-947-4746. You might end up with malware on your computer.

Do you have a look at the accounts that connect with you on Twitter or Medium? I do, and so does my buddy Sector035. In late April 2019, a new person followed Sector’s blog on Medium and he had a look at this new follower.

A weird URL? A nice picture of a female named Pierre? This profile was begging for further research. The URL led to a tech-support site that listed the following phone number: +1-844-947-4746. Sector didn’t even wait to check this number on his computer and immediately googled it on his cell phone. I guess that’s what you call OSINT curious.

It turns out that this phone number was listed on numerous obviously fake sites and blog posts offering tech-support. Out of curiosity, we decided to take a closer look at some of the sites, in order to see how they were connected to each other and possibly find out who was responsible for creating them. At the time we had no idea how time consuming and big this project would be! Among the sites using the phone number, we initially concentrated on these four:

Each site looked worse than the other. Horrible design, bad English and next to the aforementioned phone number, they all used the same address:

While Sector started to check the WHOIS information using DomainBigData, GoDaddy and Whoxy, I looked into to Google Street View and did a little reverse image searching on the photos. It turns out that all the photos used were either stock pictures or stolen off other people’s social media profiles and the address itself was in an inconspicuous housing area. Googling the address led us to more suspicious sites, some of them using a different phone number. Among these was one belonging to a company allegedly called Energetics Squad LLC. No records existed for such a company in the State of Illinois, nor in any other state. Keep this company in mind, as it will show up in a later blog post as well!

The WHOIS check didn’t always provide the exact name of the registrant, but we found another similarity: most of the websites had been registered around March 13-14, 2019 in India.

Using DNSLytics, Sector also checked the Google Analytics ID and found that the sites were not only linked by all of what was described above, they also shared a common tracking code (UA-code). At this point, it was time to start linking the information in Maltego.

What started with a bad sock puppet, led to googling information and from there to a deep dive into domain data, Google Analytics research, as well as pulling corporate records from official state registries. The hunt was on and upon finding all this correlating data, we couldn’t just let go and decided to push forward.

The Art of OSINT

Art is often considered the process or product of deliberately arranging elements in a way that appeals to the senses or emotions. OSINT is art and sometimes OSINT produces art.

This is big! We collected information on hundreds of different entities; including websites, names, phone numbers, email addresses and much more. When we started, relevant data was just dumped into a text file. To give you an overview of how much we collected and how much time and effort we spent on this project, Sector put together a little infographic.

We also used Hunchly during our collection and then realized we needed to structure the most important data and moved on to a spreadsheet. This worked for a while, until we felt the need to display links between entities in an easy and understandable way. A more visual approach was chosen, and Sector started what I call “The Art of OSINT”: a link chart.

Sector used Maltego for our case, but there are many alternatives you can use as well. I have grown fond of draw.io and others might use one of the various mind mapping apps and platforms. The idea behind link analysis in general is to evaluate relations and connections between entities. Link charts are the visualization of this data, which in many cases make it easier for an analyst to discover connections. Sometimes the connections are not direct, but indirect, linking entities to each other by a third-party individual.

Let us take a look at how link charts can be built from scratch. I previously mentioned a screenshot of one of the scam sites.

This site already has multiple pieces of information that can be connected. A name, a postal address, a phone number and lastly an email address. Each of these is the starting point for further OSINT investigtions. We found that the email address was used to register the domain allbagmanufacturing(dot)com. This domain also lists an Indian phone number in the WHOIS data.

It turns out, that the Indian phone number was also used to register the site roadrunneremailsupports(dot)com.

In conclusion, both sites are likely connected. However, how do we know that this phone isn’t just a burner phone or a random phone number? More OSINT research is required to verify if the phone number is existent and who it belongs to. I also mentioned a little social engineering coming up, didn’t I? If you were hoping to read about this topic now, I have to disappoint you. Rest assured, we have a nice story on social engineering later on. Now, let’s get back to our link analysis.

One piece of information leads to another and soon we find new leads and many connections between the entities. The chart itself has grown quite a bit in the meantime. At first glance, it will seem a bit chaotic. However, it is still easier to handle than relaying this information in a text-based form. For me, link charts have an artistic character. Each chart, whether built manually or automated, is one of a kind. Unique data, unique arrangements, all coming together to form a piece of modern art.

Put this on a large canvas, have Sector sign it and it would be something that could be found in the Guggenheim Museum of Modern Art. One day I plan to do exactly that. A vernissage on “The Art of OSINT”. Until then, let’s keep creating more masterpieces with our online investigations and link charts.

What’s the big deal? And who’s to blame?

Not all information can be found using OSINT. Sometimes a little social engineering can be useful.

We warned you not to call a certain phone number linked to multiple scam sites. So, what exactly happens if you call +1-844-947-4746? Although it was obvious that the sites we were looking at and this phone number were involved in some kind of scam, I was curious to see what the exact business model was. Before making the call, I googled a bit and found out that the number was toll-free in the US. After topping one of my burner phones, I dialed the number.

It rang shortly and a gentleman with an Indian accent answered and asked which kind of assistance I required. I explained that I had problems with Norton 360. I couldn’t activate it. The gentleman wanted my name and my phone number, upon which I provided him with some bogus data. At first, he asked if I was able to install software, as he wanted to use Supremo to check my computer. Playing dumb, I just told him that I didn’t understand what he wanted me to do and that I have never personally installed anything on this computer. My son always did all the IT-stuff for me.

Next up, he mentioned two URLs that I should try to visit: helpme(dot)net and 1234computer(dot)com. It turns out that both sites were also meant to give him remote access to my computer.

This is where another important lesson in OSINT (and life) can be learned: Proper preparation prevents poor performance! I had not expected this and therefore hadn’t set up a clean Windows VM to play around with. Sadly, I had to find an excuse why I couldn’t access the URLs he had cited. I promised to call back, but never managed to get through again. From there on, the number only redirected me to voicemail. Funny enough, the mailbox mentions a typical American name as the owner. Maybe this could be useful in the future.

In any case, it was clear how the scam worked. Unsuspecting, non-tech-savvy users would call the hotline and give the scammers remote access to their computers. From there on, the possibilities to do harm are countless. Ever since then, I have always made sure to have a clean Windows VM that I can use in such cases.

Since we now had an idea what the scam was about, we decided to push forward with our investigations. Sector found a phone number associated with the site energeticsquad(dot)com. This site belonged to an IT-company named Energetic Squad LLC in Illinois, which coincidentally was also located at the address we had already seen on multiple scamming sites. The number found by Sector was an Indian mobile and I decided to get in touch with this person to find out if he or she was in any way related to the aforementioned website or any of the other scam sites. I noticed that it was registered in WhatsApp, so I decided to have a little chat. Of course, I used a burner phone for this; to be more precise, I was running WhatsApp in an Android VM on my computer.

What struck me here, is that I was indeed on the right track. I never said that the company was a LLC, yet it was immediately mentioned by the person I was texting with. By this, the owner of the Illinois company offering local tech-support was using an Indian phone number. He wasn’t keen on giving me his name, but his reactions showed that me that the name I had was also likely correct. At least he didn’t deny it.

I offered to buy his domain and we went back and forth regarding the price. I was pushing hard, something I usually wouldn’t do in a real case, and soon he asked if I could come to the US for further negotiations. I assume he was just trying to put me off track and distracting from the fact that he was actually located in India. His English also wasn’t what I would expect from a native speaker. Of course, I was able to travel to the US and at this point he decided to end the conversation.

Being blocked by a scammer, because he accuses you of being a scammer. Now there’s a pot calling the kettle black! Of course, I burned bridges here and wasn’t able to reestablish contact after this. However, we did learn that the Indian mobile phone number was in fact connected to the website and the company. Also, we had likely found an actual name. Later on, we found out that the company Energetic Squad LLC had been registered in Illinois in the meantime, and that the name of their manager was the same name that is being used on the fake tech support voicemail. Everything and everyone is linked!

There were several other suspects which we had also contacted, and almost everyone acted as suspicious as the person I wanted to buy the domain from. In any case, these conversations gave us many new leads to follow up on and had us pivot toward social media profiles. Maybe these will provide some insight on the scam network.

The more, the better

What are backlinks and how are they used in the Norton scam? Our OSINT investigations lead us into the world of SEO.

The project started with a fake profile on Medium, which led us to several scam websites claiming to provide tech support. While the total number of these sites hasn’t risen much over the past months, entries promoting this scam on blogs, social media profiles and in comments on other websites have drastically risen. We see this as a crude search engine optimization (SEO) attempt.

Throughout the investigations we found individuals specializing in SEO, who where also likely linked to the network we were tracking. One of the sites that popped up in our search was yahoophonesupports(dot)com. Unlike previous fake sites that used Indian addresses and fake English-named personas, such as Nancy Wilson or Steven Dalton, this one was registered by someone named Jiya with a real looking email address. We had narrowed down our search to the city of Noida in India and the phone number used to register the site was definitely linked to our scam network. While most names used to register domains clearly came from fictitious peoples, maybe this was one was real.

Searching for the name on Google led to a result that fits the picture: Jiya from Noida offering SEO services.

Jiya mentions backlinks and blogger outreach, something we have seen in our scam as well. Let me explain the concept of backlinks, also known as inbound links. A backlink is a link on page A referring to page B. Most search engines interpret backlinks as votes on the popularity of a website. So, the more backlinks that lead to page B, the more popular this page seems and thus it will be rated higher in search results. The easiest way to create cheap backlinks is using free blogs, for example Medium. Googling the phone number used in this scam, we come up with over 1.000 Medium posts and sites, each also containing the link to one of the fake support sites, such as nortonhelpus(dot)com.

We are not only seeing this on Medium, but across many platforms. The amount of backlinks created clearly indicates that we are dealing with a large team of people, as this is probably not possible by one person or a small team alone. The number of search results for the phone number shown above has risen from 4,000 in May to about 21,000 this week and is still rising!

Of course, most posts come from obvious sock puppets, created with fake names and stolen profile pictures. Here’s Brad Pitt, alias James Rocky, offering tech support.

Once these sites are set up, clicking on the links can be automated, so that the target website (in this case all-emailsupport(dot)com) receives traffic, basically boosting its search index rating. The scam network is not expecting to generate any phone calls or support requests from these obviously fake Medium sites, these are just used in the SEO process for the actual scam site. We have been seeing these SEO-enablers on Twitter, Issuu and basically any platform that allows you to post information “quick and dirty”.

During our project we also looked at Google Trends, to figure out where the main targets of this scam were likely located. Obviously in the US, as the main tech support phone numbers were US toll-free numbers. However, we also noticed a British phone number. Google Trends allows you to look up search terms and see the interest over time and the region of interest for that specific search term. We were curious to see if any notable searches on one of the scam topics was googled in the UK often. We checked “activate Norton”, since this was one of the main services the scam network was allegedly offering: activating an expired Norton account.

Sure enough, the main regions that googled this term were the US and India. The US is obvious. This is the market the scammers are targeting. But why does India rank higher? One explanation could be testing the search term during the SEO-process. Coincidently, some of the peaks in the interest over time relate to time periods in which new fake sites were created. No notable searches were seen coming from the UK.

As mentioned before, most of the bogus blog posts were created really sloppy, as their sole purpose was to generate backlinks. We also found several sites linked to this scam that were apparently selling software. A lot of these sites were created using predefined templates, in some cases showing the shipping time or the general location on a map.

Apparently, the creator of this site had his location (likely based on a geolocation through Google) automatically added and didn’t bother to change it before putting the site online. In any case, he achieved his goal: A backlink to a scam site.

Now that we’ve learned how this scam uses SEO to promote their wrongdoings, is there anything that can be done to effectively tamper this scam network? How about Google, Bing, Yahoo and other major search engines take any site off their listing that features “+1-844-947-4746”. Except ours, we’re the good guys!

Mistakes on social media

Never be too careless with what you post on social media. It might come back to haunt you one day and in the case of our investigations it sure led to some key findings on the scam network!

The ultimate goal of our investigation was to find the people behind the scam. We had found fake personas and most of the WHOIS data was misleading as well. Of all the people we came across, there was still a reasonable amount of doubt that they were actually involved in the scam, or we couldn’t reveal their true identities for sure. In our hunt for the truth we also turned to social media, hoping to find someone connected to our case.

As previously mentioned, most names used to register websites were clearly fake. Nancy Wilson and Steve Dalton were among the favorites. However, we did notice that the majority of sites had Indian addresses in the WHOIS data. In particular, two addresses reoccurred often: one in Noida and one in Gurgaon (also known as Gurugram). We decided to find Facebook profiles that had visited both cities and that were also linked to East Peoria, the city in Illinois that the scammers posted on their websites. Maybe someone was careless enough and had checked into all three places. Of course, this was done a while back when the Facebook graph search was still working.

Jackpot! While we hadn’t expected to find anything on this wild query, one Facebook profile matched our search. This person, named Baljeet, was a very active social media user and constantly checked into places on Facebook. Among these check-ins were Noida, Gurgaon and East Peoria.

Intelligence collection always feeds on mistakes your adversaries or intelligence targets make, and Baljeet committed a major blunder here. Soon after, we found ourselves digging into Baljeet’s profile. It turns out, that he had frequently visited locations (marked in blue) in the vicinity of the office building (marked in red) which was found in the WHOIS data of the scam sites and in which we suspected the team of developers behind these sites to be located.

At the same time, we discovered that Baljeet registered a website with his full name and actual email address, which we had found in his Twitter timeline. This website was providing web design services to customers in the US. And guess what? The site was using the same address in East Peoria and also the same phone number as the scam sites! I decided to have a little chat with Baljeet on Facebook to confront him with this information.

The conversation went on for a while and Baljeet kept coming up with excuses and dodgy information on why his website was using the same address and phone number as the scam sites. After our talks, he actually took down both for a while, but the address is back on the website today. To us it is clear: Baljeet is definitely involved in this scam. You don’t just sit in India and coincidently use the same address (in the middle of nowhere) and phone number as multiple scam sites on your own site. You don’t just coincidently happen to work in vicinity of addresses we have attributed to the scam sites.

While looking into other social media profiles used by Baljeet, we came across other indicators that fit the overall picture. A couple days ago, he proudly posted the following on Twitter: A certificate of an advanced Google Analytics course (my browser was set to German when I opened the link).

As you can see, the information we won from social media research led to us a prime suspect in our case. Not only did we have a real name now, we also had a unique username, a pattern of life and enough information to verify his involvement in our scam.

Our social media research also led to many more key findings. One of the phone numbers we found in the scam sites’ WHOIS data was also posting job advertisements on Facebook.

A call center agent providing support to activate Norton? That’s exactly how our hunt started. Looks like it is all coming together! The information we gathered throughout our social media research was invaluable and had us dig even deeper into WHOIS data and source code from the scam websites, leading to unravelling the whole network behind it.

Tracing ownership

All roads lead to Rome. Or in our case to the Indian city of Noida and a certain phone number we found when we used Google Drive API and RiskIQ to generate more leads in our investigations of the Norton scam.

Above, we have shown you how we identified a possible scammer, visualized connections, contacted scammers and how they are using SEO to boost the ranking of their websites within search results. Here, we explain how we used several tools and techniques to connect the different domains and information, ultimately leading to a single person that sits in the middle of the web like a spider. Is it Baljeet, who was mentioned in the previously? Or are there more people working on this scam?

To answer that question, we went back to the beginning of our investigations and revisited the URL where it all started, the “nortonhelpus[dot]com” site. The website is not just a page that displays the scam phone number, it also contains a link that leads to a subdomain: “activate.nortonhelpus[dot]com”. Here we found two separate links to Norton software placed on a Google Drive.

The person uploadeding this was apparently “Nancy Wilson”, coincidentally the same name as the person who registered the domain name “nortonhelpus[dot]com”. With a common name like this, there wasn’t a lot we could do. We needed to find out what email address was connected to the Google account used, and who was in control of it.

The email within the Whois information for “nortonhelpus[dot]com” was “nw815624@gmail.com”, and to see whether this was the same email address used to upload the files, we had to find out who the actual owner of the Google Drive was. There are two ways of retrieving that kind of information. The first one involves using Firefox and opening up the Developer mode by pressing F12 after loading the page and then clicking on the Inspector. We searched for “@gmail.com” and were presented with a few options. While going over these options, we found the email address of the user hidden somewhere in the source code of the page.

If the owner’s email address cannot be found in the source code of the site, there is another way to move forward: the official Google Drive API. While using the older v2 version instead of the newer and currently active API v3, we were be able to retrieve information on the owner of said Google Drive, including an email address. The specific endpoint we needed to query was “drive.files.get”. After creating a developer account and a temporary project, and by using the online test form (https://developers.google.com/apis-explorer/#p/drive/v2/drive.files.get), we were able to query the endpoint and retrieve all the metadata of the uploaded files. The email address of “Nancy Wilson”, who we know is a fake persona.

Using the following command on the Google drive we were investigating, it pulls the results shown below.

Command: GET https://www.googleapis.com/drive/v2/files/1RCDQWugm5km0fDufLx60kUL_iPu5qj_L?key={YOUR_API_KEY}

Result:

Finding the email address “nancywilson962@gmail.com” gave us a new entry to start searching online for any information that could lead to the person behind the website. For this we turned to RiskIQ, where we used the PassiveTotal platform to query their massive data set of historical Whois information. Within RiskIQ you have the option to search on domain names, but also on email addresses or phone numbers that are inside the Whois registration information, which makes it extremely suitable to trace scammers via domain registration. When searching for the email address we sadly found out that only one domain was registered, the domain “amazing-wash[dot]com”. It appeared to be registered in India by a person called “Ramesh Kumar”, according to the Whois information he was living in Noida and with all this information we found a new phone number.

Though we hoped to find more domain names with our initial query, we simply pivoted on this phone number within RiskIQ for more mentions of it. And that is when we hit the jackpot.

There were more than a dozen domains connected to this single phone number. Even though we already found multiple domain names by searching for websites mentioning the phone number +1-844-947-4746 or using the address in East Peoria, all this information was connected via Whois information through a single phone number that had direct leads to the person placing the files on Google Drive. It was time to pivot again, this time on each and every phone number and email address that we found in the Whois information of all the domains. Upon finding new information, we retrieved related new domains too and so on and so forth. By using RiskIQ, manual Whois queries and going over the content of the websites, we were massively expanding the list of entities in our investigation. Starting with about 100 entities after our initial Google searches and manual labor, to well over 200 items by using the information within RiskIQ! This is how we ended up with a very large cluster of websites, fake aliases and email addresses, a bunch of new phone numbers, all circling around a person called “Ramesh Kumar”. The person with the phone number that connects more than 75% of all the collected data in this investigation in a direct or indirect way.

Of course, we couldn’t resist and tried to call Ramesh on the phone number we had discovered. After these calls, everything made total sense and we pretty much figured out how this whole network of scammers works.

Putting the pieces together

Gotcha! We found out who is responsible for this massive scam. Using OSINT and social engineering we tracked down the company behind the Norton Scam.

Time to finally unravel the Norton scam. Sector and I have decided to conclude our investigations and put the pieces together, after spending countless hours working on this case. Every time we thought we had figured it out, new information was found, taking us down another rabbit hole. Sometimes we spent days following a lead, just to find out that it wasn’t related to our case at all. As with most investigations, we were not able to solve all mysteries, but we are pretty sure we identified the company and some individuals behind this massive scam scheme.

We pointed out how everything led to specific Indian phone number (+91.9540878969). This number was used to register many of the domains we were looking into. Once more, I decided to make some phone calls to India. I found out that the number belongs to a web design office. The first four phone calls were answered by different men who did not understand English, so they hung up on me. My fifth phone call was more successful. I got a hold of a woman named Priya and told her that a friend of mine had recommend them and that I was looking to have a website set up for me. I had called the right place and I would need to speak to her boss, Priya explained. I also mentioned that the site was to be used as a scam site to obtain credit card data. This too was possible according to Priya. Soon afterwards I had a conversation with the boss, who remained nameless. If I was willing to pay roughly 150$ on PayPal, they would set up the site I needed. With these phone calls, we have proven that the web design office was responsible for setting up the type of scam sites that we have seen throughout our investigations.

During our research, we also came across a site which offered web design services to US customers and to which we had actually found legit websites they had created. This is something very common: using a US frontend to sell IT-services that are performed in India. So, not everything the team did was illegal or scam-related.

In order to promote the scam sites, another team was responsible for search engine optimization (SEO). The SEO team was most likely also located in the offices of the web design team, probably under the same leadership. Their job is to flood the internet with backlinks in order to promote the scam sites. So far, we have found more than 20,000 entries for this cause. From Facebook posts, to Medium blogs, to comments on non-related webpages; a large variety of backlinks were created in the past year.

The purpose of the scam is have the victims call one of the tech support phone numbers. Thus, a team of call center agents is required. Remember how the scam works? If an unsuspecting victim calls the number, they provide ‘assistance’ by obtaining remote access to the victim’s computer. In some cases malware is installed, in other cases they ask for credit card data in order to bill the customers for their service.

These call center agents were hired by a company named 4compserv, which is located at an address that was also used to register some of the identified scam domains. We suspect this is root of all evil, the company behind the scheme. Or at least some employees of the company, since we have also found evidence of 4compserv conducts legal business as well.

More evidence came up, which proves that the web design office and the call center are definitely related. Shortly after I had spoken to the boss of the web design office, I received a phone call from the number linked to the call center (+91.97117613). Unfortunately, I missed the call and haven’t been able to reach them ever since. Furthermore, one of the scammers I had personally texted with recently updated the CV on his website. Have a look at his current jobs:

While there are still some questions to be answered, our research has enabled us to have an overall understanding of the network and the techniques used to run their scam, as well as identifying the company most likely behind this scam: 4compserv in Noida, India.

Along the way, we would often stumble upon funny facts. Some of the scam developers were just so sanguine, they didn’t want to obscure their tracks. Such as the preferred use of the name ‘Nancy Wilson’ to register domains or create sock puppets. The original websites the scammers had set up were very crude, now it seems they are using nice looking WordPress templates, including chatbots. Usually, the chatbot would ask for a phone number, so the scammers can call back. And guess who you would be chatting with on all of these sites? Good ol’ Nancy!

We’re done! We managed to find the perpetrators behind all this. What started with a sock puppet on Medium led to unravelling a largescale scam network, targeting unsuspecting victims seeking tech support. We hope that our project may help counter the threat originating from this specific scam and raise awareness for similar schemes. Also, thanks to many of our readers for sharing the posts from this series on Twitter and LinkedIn, ultimately ranking the articles higher and higher on Google. Using OSINT and social engineering to enable counter-SEO against the scammer’s massive SEO effort!

Now it’s time to relax a bit…before we start the next awesome project!

Sector035/MW-OSINT – 28.08.2019

We explicitly decided to keep the disclosure of personal information on the investigated individuals to a minimum in these blog posts. However, the complete information gathered is available to law enforcement and/or the companies targeted by this scam upon request.

Intelligence Collection on the Train

Sometimes I miss my SIGINT days: Listening into my target’s phone calls and getting juicy intelligence out of this. However, you don’t always need SIGINT to eavesdrop on interesting conversations.

The company that I work for offers a broad variety of security products. When it comes to securing valuable data and information, most of our customers rely on technical solutions. However, the best firewalls and security suites will not help, if information is continuously disclosed outside of hardened IT-environments by careless employees. As a former SIGINTer I was always astonished about how much information my intelligence targets would openly share over non-secure lines. Now that I left SIGINT behind, I still have the chance to eavesdrop on conversations every once in a while.

I have a one-hour commute to work each day and the time I am on the train has proven to be a valuable social engineering and OSINT training ground. Two weeks ago, I was sitting on the train when a gentleman sat down next to me and immediately started making phone calls.

https://unsplash.com/@jcgellidon

The second phone call went to a woman named Kelly Adams. I know this because I could see her name on the screen of his phone. I could hear everything he said and since his volume was cranked up, I could also hear parts of what Kelly had said. Curious as I am, I immediately googled Kelly. Based on what I had heard, I could narrow it down to three individuals. One woman working for a large German defense company and two others in IT firms. The topic of the conversation was a pretty significant retention bonus that Kelly would receive, if she decided to stay with the company and move to Munich. It turns out the company was currently relocating its headquarters to Munich.

As soon as the gentleman ended this conversation, he started writing emails on his phone. Again in plain sight and did I mention that I am very curious? It turned out his name is Andreas Müller. Searching for the combination “Kelly Adams” and “Andreas Müller” led to the exact company. Dr. Andreas Müller was the head of the research and development department of a large German defense company and Kelly was one of the leading project managers for a specific branch. I did not need any sophisticated OSINT skills here, a simple Google query and LinkedIn search was enough. Dr. Müller then sent the details of the retention bonus to someone named Alfred, whom I assume was in HR. If I would have been working for an opposing company, I could have easily used this information to counter the offer Kelly received. But wait, it gets even better!

Next up, Dr. Müller opened spreadsheets depicting the budget of certain projects. Dr. Müller was sitting on my right and I held my phone to my right ear, simulated a conversation and managed to get a couple pictures of his screen. As of now, I had seen enough and it was time to approach him.

“Excuse me, Dr. Müller. May I ask you a question?”

You should have seen the look on his face. Surprised and shocked, as he was clearly not expecting this. I asked him if the conversations and the emails he had looked at were sensitive. I told him what I had picked up from his conversation with Kelly and showed him a picture of the spreadsheet. Still shocked, he did not really know how to react. I explained my line of work and handed him a business card. Dr. Müller can consider himself lucky, usually I charge customers for this kind of consulting and I think he learned a valuable lesson.

Remember: No matter how good your cyber security measures are, the most important aspect is minimizing human error and taking security serious at all times. I have often read that there is no patch for human stupidity. I do not agree and I am sure that Dr. Müller has been “patched” after our train ride.

I guess I never will be able to let the SIGINT side of me go. I just love eavesdropping in on people, so be careful what you say in public or on your phone, you never know if someone is listening!

MW-OSINT / 26.03.2019

The Golden Age of OSINT is over

Change is coming and it will greatly affect the way OSINT investigations are conducted in the future. Who knows, in a couple of years completely different skill sets might be needed to handle online investigations. Are we prepared?

In the OSINT community we constantly have to deal with changes. New tools and new platforms are always on the rise, just as old platforms and tools become obsolete in an instant. Staying updated is a continuous challenge, much more than just one person can handle. Luckily, most members of the OSINT community are willing to share any new discoveries, especially on Twitter. Therefore, following the hashtag #OSINT on Twitter, as well as numerous OSINT-related accounts, is the first and most important step when working in any area that requires OSINT skills.

There is always a lot of chatter on the future of OSINT and unlike many others, I do not think that Python is the future of OSINT. Does OSINT even have a future? Let us fast forward to the year 2022 and have a look at online investigations then.

roads ends2

January 2022:

Over the past years, more and more people have been made aware of their own data privacy and this has massively changed the way they use online services. What started with the release of the ‘Snowden documents’ in 2013 and continued with massive data breaches, such as the Cambridge Analytica case made public in 2018, has led to the desire to share less information publicly. This development basically made Facebook obsolete and new platforms have arisen in its place. Although Facebook still exists, the data it contains only has historic value and cannot be used for current investigations, much like Google+ or MySpace a couple of years back. Even though Facebook tried to turn the tide by changing privacy settings, the damage done by many the data breaches was too much to convince users to maintain a presence on the platform. Nowadays, social media is more anonymous than before, modern platforms do not require or request real names and information shared is not automatically distributed publicly. For OSINT investigations, this means that a real name might not provide a starting point to search for someone online. The main starting point is now an obscured username, which is hopefully unique enough to be used in investigations. How can we identify a username, if we just have a real name to start with?

In modern social media this is almost impossible. Unlike the old Facebook, which gave us a display name and an account name (mostly based on the real name), today’s social media does not reveal the real name. So, either you know the username to start with or you are pretty much screwed. Of course, another possibility is searching ‘historic’ sites that have linked usernames to real names, such as Facebook or maybe even Twitter. There are also commercial databases and people search engines that offer these services for a small fee. However, if someone was OPSEC-savvy before 2019, he or she most likely will not be found online easily in 2022. Even with a unique username, the information that can be obtained from social networks is marginal, since everyone is well aware of their own data privacy. If you are not a part of your targets network, you will not see anything. No updates, no pictures. Even likes and other forms of indirect communication between accounts will not be publicly disclosed. This rendered many of the Python tools developed over the past years obsolete, as the data that can be scraped is mostly useless.

With that said, how does OSINT look today? In general, we have shifted from the passive gathering of information to more active means of collecting data. I call it virtual HUMINT (VUMINT). The objective of VUMINT is to infiltrate target networks during investigations in order to see information that is not openly available and possibly even interact with the target on a ‘personal’ level. Whereas sock puppets in 2019 where mainly used to gain access to social networks in general, sock pockets nowadays are needed to gain access to specific profiles of our targets and their closed networks. Now, more than ever, it is important to have lifelike and tailor-made sock puppets to achieve this objective. A blog post from 2019 is still useful and gives a good description of sock puppets and how they should be setup: The OSINT Puppeteer. Building a sock puppet for a specific account is not something that is done in a short period time, so receiving results through VUMINT takes much longer than information gathering through passive OSINT. Naturally, there is no guarantee that a target will add you to his or her network, no matter how good the sock puppet is. This means you might invest a lot of time in the creation of a sock puppet without achieving any notable results. In certain ways, it is very similar to a target-centric phishing campaign.

Another challenge in modern OSINT is the vast dissemination of unverified or untrue information on the internet. Everyone can post everything online in an instant and everyone wants to have news in a heartbeat, making it harder for press and media to thoroughly research events before releasing information. Media and press institutes that fact-check and verify first are losing the battle against quick-releasing competitors. The customer’s demand for instant information over reliable information has flooded the internet with rumors and ‘fake news’. During investigations, more and more time is spent conducting OSINT research on the credibility of data found on specific targets. Finding the original source of the information, the so-called Patient Zero, assessing its trustworthiness and then determining how and if the information can be used in our investigations. Today, it is not the actual collection of open source data that is the key, but the actual evaluation of this material.

One thing that has not changed, is the fact that the global corporations behind online platforms, and thus intelligence services, still have the possibility to use all the personal data on users however they desire. While OSINT collection and intelligence has become more challenging for everyone outside of these corporations and intelligence services, it is easier than ever for them to make use of personal data. Whether it is tailor-made advertising or extensive profiling through intelligence services, our data and of course ourselves are now more transparent than ever. There is no hiding from global corporations or intelligence services anymore if we want to use online services. Luckily (or unfortunately), the personal data is not sold or leaked as much as it was a couple years ago, limiting the benefit of commercial databases.

In 2022, the Golden Age of OSINT in investigations is over. The trends that started around 2015, e.g. automating OSINT, do not work anymore. Instead of learning how to code, maybe we should focus on social engineering a bit more. A good OSINT investigator in 2022, first and foremost, needs to be a good intelligence analyst and have some strong Human Intelligence skills.

Thank goodness it’s still 2019!

MW-OSINT / 04.01.2019

The Nexus Analyst: Understanding your Customer’s Requirements

Nexus is ‘an important connection between the parts of a system’, according to the dictionary. In an intelligence environment, OSINT has the same function. Another example of how OSINT can provide important leads for HUMINT and SIGINT in Afghanistan.

Open Source Intelligence (OSINT) is all about perseverance and following bread crumbs that lead to key findings. To be honest, you won’t always find the smoking gun and in some cases you might miss it. That’s one thing I have learned: No matter how hard you look, you are always likely to miss out on something. That is why the OSINT community on Twitter is so important. New tools and techniques are shared there and help broaden your own set of skills on a daily basis. Another important lesson, is to always have clearly defined objectives, the so-called Key Intelligence Questions (KIQ), when conducting OSINT research. What specifically is your intelligence customer asking for? This means you have to understand the ultimate goal and your customer’s mindset to a certain extent.

My concept called Interdisciplinary Intelligence Preparation of Operations (I2PO) relies on OSINT to support other intelligence collection types (ICT), such as Signals Intelligence (SIGINT) or Human Intelligence (HUMINT), and vice versa. Therefore, the OSINT analyst must understand the specific requirements for each ICT. If you deliver a phone number or email address to a HUMINTer, he might give you puzzled looks. Again, I would like to demonstrate my point with an OSINT case that might easily happen this way in military intelligence and intelligence services. In a previous blog post, we had HUMINT information as a starting point for OSINT. This time, we have a couple of Key Intelligence Questions.

Imagine we are forward deployed OSINT analysts in Afghanistan. We not only provide information on the general situation in our area of operations, but also support the adjacent HUMINT and SIGINT teams. Our HUMINTers want to know a little more about the family ties of their intelligence targets and the networks surrounding these people (KIQ 1). The SIGINTer just needs some selectors such as phone number and email addresses, which he could task in his SIGINT systems (KIQ 2). One of the intelligence targets happens to be Mohammad Atta Noor, a key power broker in Northern Afghanistan.

We start out with a simple Google search and we soon find an interesting site containing bios of Afghan VIPs: afghan.bios.info. The entry on Mohammad Atta Noor is quite detailed and also reveals the name of one his sons, Tariq Noor.

Next up we conduct a Google search on Tariq Noor in combination with the name of his father. This leads us to Tariq’s Twitter account, where he is pictured together with his father.

Twitter also suggests further accounts to follow, one of them being Khalid Noor. It turns out that this is another son of Mohammad Atta Noor.

So far, we have names and pictures of two sons. Knowing that Mohammad Atta Noor has even more children, we could continue our search and identify the other children, while trying to obtain pictures and more data on them. However, let us focus on Tariq and Khalid first. As their father is a successful businessman, it is likely that his sons have businesses of their own, or are maybe even connected to their father’s companies.

To check this, we again have a look at the Afghan company register (www.acbrip.gov.af). Since we cannot search for individuals here, we assume that Tariq and Khalid have companies named after themselves. This search within the Afghan company register produces good results. The first result when looking for Khalid Noor even gives us the phone number of Mohammad Atta Noor and a bit of his family history with the names of Mohammad Atta Noor’s father and grandfather.

Mohammad Atta Noor is the president of the Khalid Noor LTD and states his father’s name is Haji Noor Mohammad and his grandfather’s name is Mirza Mohammad Gul. In Arabic and Central Asian countries, this information is valuable when distinguishing same-named persons. A look into the shareholders of this company reveal not only that Khalid is a shareholder, but also mentions other business partners (and their family history, as well as phone numbers). All this information helps build a network chart including the relevant family ties. This is the information our HUMINT team was looking for (KIQ 1). Of course, the phone numbers answer the Key Intelligence Question our SIGINT Team had (KIQ 2). A query for Tariq Noor produces similar results, including phone numbers of Tariq and his business partners.

All in all, following OSINT bread crumbs led to amazing key findings. Now this information can be used for HUMINT operations, when trying to infiltrate the networks around Mohammad Atta Noor and, as mentioned, also to task SIGINT operations. A perfect example of I2PO!

In conclusion, this way to work makes me refer to an OSINT analyst within military and intelligence services as a ‘Nexus Analyst’, an analyst in between ICTs. Someone that knows what HUMINT or SIGINT really need to conduct their missions successfully and who takes this into account when browsing the web.

MW-OSINT / 28.11.2018

I2PO – From HUMINT to OSINT to SIGINT

Sometimes even seemingly irrelevant information leads to key findings. In this case, the mere existence of a company led to unraveling the phone number of the son of Afghan Vice President Abdul Rashid Dostum.

Interdisciplinary Intelligence Preparation of Operations, I2PO, is a concept on combining the different types of intelligence collection to achieve the best results. In the following example, I will demonstrate a perfect case of an intelligence workflow that starts with Human Intelligence (HUMINT), utilizes Open Source Intelligence (OSINT) and lastly provides leads for Signals Intelligence (SIGINT).

Imagine you are part of a SIGINT team, dedicated to Afghan politics. While reading some HUMINT reporting, you come across a report regarding Batur Dostum, the son of the Vice President of Afghanistan, Abdul Rashid Dostum. The report informs about Batur’s businesses in Northern Afghanistan. One of the businesses mentioned is Batur Mustafa LTD.

This provides a starting point for OSINT research. While googling this company will not produce any notable results, a query within in the Afghan Central Business Registry (ACBR) might lead to some useful information. Luckily, the database in is English, so we will not have to use any translation tools. The ACBR database does not enable you to search for individuals, but we have the company name.

The result of this query gives us plenty of relevant data. Not only do we receive information on the company itself, but also on its shareholders and their personal data. This includes names, father names, phone numbers and residencies.

This is our target! Batur Dostum, the son of Abdul Rashid Dostum. He owns 50% of the company shares and his phone number is listed. The next step would be to task his phone number in our SIGINT collection. While we are at it, we should also task the phone number of the other shareholder and vice president of the company.

It is highly likely that this phone number might also produce decent SIGINT results.

As you can see, a piece of information that might seem irrelevant to start with led to a key finding and the possibility to enable further intelligence operations.

MW-OSINT / 19.11.2018

Covert Operations in a Digital World

Even spies leave behind a digital footprint. Through social media profiles and various leaks they can be identified and their clandestine activities exposed. In the digital age it takes more time and effort to conceal covert operations, requiring new approaches as early as during their recruiting.

Covert Ops in a Digital World2.jpg

The recent uncovering of Russian GRU agents accused with the attempt to poison former Russian spy Sergei Skripal, as well as the exposure of Saudi Arabian spies in the murder of Jamal Khashoggi clearly show the problems intelligence services are facing when conducting covert operations.

Investigate journalists, such as the Bellingcat team, were able to identify the suspected culprits, often using crowdsourcing to do so. These two examples have proven how effective and timely the wisdom of the crowd can be. Another reason for the great results achieved in these online investigations, is the fact that the contributors to each investigation were highly motivated: they did not make these findings because they had to; they wanted to unravel the mysteries surrounding aforementioned cases.

Both times, blatant mistakes made by the operatives left a paper trail to follow, ultimately leading to the identification of several members of Russian and Saudi intelligence services. Not accounting for the various slipups, the main problem is that all culprits do work for their nation’s government and/or intelligence services and this was too transparent. The GRU operatives had addresses registered to known GRU locations, one of the Saudi operatives is seen in pictures where he appears to belong to the close protection team accompanying Saudi crown prince Mohammad Bin Salman on travels. These are just two examples showing links between the individuals and their governments.

The question remains, how an intelligence service can conduct covert operations that actually remain covert. One of the most obvious solutions to counter this problem is minimizing an operatives’ digital presence. This can be achieved fairly easy. Covert operatives should stay away from social media and press coverage. However, an old IT-saying states: “There is no patch for human stupidity.” Due to this, there will always be a margin of error, undisciplined individuals making exactly the mistakes leading to their public exposure. Massive CCTV coverage is causing another problem. It is impossible to travel nowadays without being filmed or photographed. As soon as these pictures of individuals are published in news and on social media, crowdsourcing kicks in. Maybe this individual was seen entering a government building, maybe a former government co-worker recognizes him. Although the former co-worker should probably keep this information to himself rather than risking legal consequences (many have signed some form of non-disclosure agreement), this does not stop it from happening. Again, human error stands in the way. In conclusion, intelligence services should try to rule out human error as much as possible. Regular screenings on intelligence employees aimed at searching for compromising information online could help counter these exposure threats in a timely manner. Another approach would be to decrease the amount of people who actually know of the covert operative. One radical, yet most likely successful approach could be keeping covert operatives away from government entities.

Let me elaborate on this. As soon as an individual enlists within a government entity and becomes part of this system, bureaucracy takes its toll and the individual is listed in numerous databases for mainly administrative reasons, also increasing the number of people who know of his existence. Travel expenses, payment processes and even journeys to known government sites leave plenty of breadcrumbs to follow and to identify someone as a government employee. In many countries, once you are on the government’s payroll, it is highly unlikely you will ever leave the comfort of having this government job and the benefits that come with it.

What if a covert operative never actually worked for the government?

The scenario I am about to explain might sound like it is from a Hollywood movie script, but it might be the only feasible way to conduct future covert operations. It all starts with proper recruiting. Identifying suitable candidates will be challenging and I will not discuss what traits are essential to become a perfect spy. Although former military members might be the first choice, their military service might be what uncovers them in the future. Let us look at the following fictional career:

A young, fit 18-year-old named James appears at a police or military recruiting office and expresses interest in an intelligence, investigation and/or special forces career. He achieves outstanding results in the following assessment center. These results are noted by the intelligence service, upon which they approach the potential recruit. Of course, intensive screenings are conducted beforehand and at no point is he invited to official government sites. All contacts are conducted by a dedicated handler. The used modus operandi is basically the same one used when acquiring HUMINT sources.

James receives an offer to work for the intelligence service but not in the intelligence service. He receives a scholarship to study political science at a renowned university, earning a degree which will provide the basis for his future civilian career. The scholarship is payed for by a complex system of front companies, eventually ending in some sort of charity. During his studies, James uses the semester breaks or long weekends to train the many skills needed for his covert intelligence service job. Officially, he is on long backpack tours around the world or other types of vacations. This training method takes much longer and is conducted individually at inconspicuous sites. However, after 3-4 years of part-time training and smaller operations during his university sojourn, James should be able to conduct covert operations.

After his studies, James receives a job in a worldwide consulting company. Of course, some strings were pulled in the background to enable and promote his civilian career. From time to time, James has to oversee projects in other cities or countries. This is the cover needed to enable worldwide travel to conduct covert intelligence operations. These projects could actually originate from government entities and thus fit to the intelligence operation.

After a certain time as a covert operative, James is removed from the operational line of duty. The compensation for his intelligence work could then be a non-covert job within the intelligence service (or another related government entity) or a severance pay.

This description is very short and is lacking many of the challenging details. I would like to point out a couple of interesting aspects to why this concept might actually be worth the effort:

The recruit could be dismissed at any time during the training program without major consequences. Other than his handlers, he does not have deep insight into the intelligence service, its locations or operations.
Providing a college education and kickstarting a promising civilian career, as well as offering an interesting field of work in the intelligence sector should prove extremely motivational.
The civilian career, when guided by the intelligence service, would deliver the best cover story for operations.
Failed operations could be denied easier by government entities. In this case, a statement like the recent Saudi “rogue operative theory” would pass easier.

Even though the ratio of supporting intelligence personnel assigned exclusively to such an external covert operative is higher than compared to the amount of supporting staff for regular intelligence employees, the external covert operative in total has less exposure to intelligence personnel. Regarding training, financial and operational planning, everything could be kept in a smaller yet highly professional scale.

Who knows, maybe these techniques are already in use by some intelligence services worldwide. That is probably the reason we never hear about it. Maybe the person sitting next to you on the plane is not just the business traveler he pretends to be.

MW-OSINT / 24.10.2018

I2PO: OSINT in Support of HUMINT Operations

In a previous post I explained a concept I named ‘Interdisciplinary Intelligence Preparation of Operations’ and how this could be used to support military operations.

This post will concentrate on the use of OSINT to prepare and monitor HUMINT operations. I will not distinguish between military intelligence HUMINT and sources used by law enforcement agencies or journalists. In both cases, getting access to a source and the preparatory work needed for this are quite similar. Each HUMINT operation starts with the identification and selection of a potential source, thus finding someone in vicinity of our actual intelligence target, who is able to consistently report key intelligence. In the past, even the acquisition of a source was accomplished by HUMINT means. A case officer heard or knew of someone who might have access to specific information and he then talked his way around to finally approach the potential source.

With more and more information being available online, especially through social networks, this approach can be done virtually in some cases. Scavenging Facebook, VKontakte, Instagram, but also LinkedIn and Xing can prove very valuable when searching for potential sources. Of course, this always depends on how outgoing a potential source is on the internet. Sometimes an approach solely through social media could be sufficient, at other times this will not produce any results at all.

The following diagram in theory depicts the steps for OSINT support to a HUMINT case. This scheme is roughly based on the general intelligence cycle with its different stages. We have planning & preparation, collection, processing and evaluation and lastly dissemination covered. In our case the information will be disseminated to the HUMINT operation, which itself will start the whole intelligence cycle over again.

For a better understanding, I have created a fictive case (well, some of it is true…). Let us assume we are part of police special commission in Hamburg focused on the Albanian mafia. The recent shooting of an Albanian national and member of the local Hells Angels, with ties to the Albanian mafia, caused an upstir among different mafia groups operating in the area. So far, no information has emerged on the background of the shooting and existing police sources struggle to provide any intelligence on this topic. The Key Intelligence Questions (KIQ) are ‘What are the current activities of the Albanian mafia in Hamburg?’ and ‘Are there signs of an uprising conflict between different mafia groups?’

Therefore, our special commission has decided to attempt to win additional sources within this network of mafia groups. The higher leadership in a mafia network will not easily cooperate, so someone on the perimeter, with insight into the core, has to be found. Instead of the traditional approach on the streets, we will use OSINT to pave the way ahead of any physical approach.

This leaves us with our initial intelligence objective: Recruiting a HUMINT source within this network to answer the KIQs. Before we start our hunt for sources there are a couple of things we need to know. Who are the key players, do they have nicknames? We should have in-depth knowledge about our targets, e.g. is there target-specific behavior or a specific language used? Having this information gives us a baseline, which we can use to start our OSINT research. Our first step is to identify the known key players and their online profiles. Luckily, most of them are active on Facebook and Instagram and they like showing off their flamboyant life style. Clubbing, exotic cars, girls and champagne seem to be a vital part of the thug life in Hamburg.

This chart depicts the results of the OSINT research on the core network of Albanian mafia in Hamburg, as it is visible on Facebook and Instagram. Now that we have found our potential intelligence targets online, we can survey their activities and figure out who is linked to them. There are many people surrounding this core network, so how can we identify someone who might be worth recruiting as a HUMINT source?

While reading comments to the pictures that these guys post, we stumble upon an individual who constantly idolizes the mafia leadership and their henchman und who frequently asks when he will be a part of ‘the inner circle’. ‘Soon’ is the most common reply and over the course of time he seems to get annoyed. Furthermore, a quick check in police databases reveals that he was registered on minor crimes and was not yet linked to the Albanian mafia. Let us draw a quick conclusion: We have a person with a criminal record, who has contact to senior leadership of the Albanian mafia and is increasingly aggravated on the fact that he is not fully accepted in the organization yet. That sounds like a promising HUMINT source to me!

Keep in mind that this whole procedure, especially the actual HUMINT work done afterwards, takes time. No quick success will come from this. Once we have acquired the source and he is reporting from within the network, our OSINT work does not stop. Now is the time to evaluate the HUMINT information with OSINT. As we have already seen, our targets are very active on social media and this also applies to our source. If our source tells us he had met with one of the bosses on a specific date or time, it could be validated through a Facebook or Instagram post.

One day our source tells us, that in the aftermath of the shooting, the Albanian mafia leadership had met with Chechen mafia leadership the previous evening. At first, this seems unbelievable, as we had assumed that these two groups were currently opposed to each other. One of the Albanian leaders posted about this the following day on Facebook:

This picture not only shows the Captains of the Albanian mafia, but also senior leadership of the Chechen mafia and our HUMINT source. We now know the meeting took place and we have the statement of our source on the topics of the meeting. It is vital that the source does not know we are tracking him and others on social media. We would not want any of this to be staged to back his statements and purposely give us false leads.

This short and fictive case shows how to use OSINT to enable HUMINT and to support HUMINT while an operation is ongoing. Of course, these techniques could also be applied by military HUMINT as well as journalists, as long as the targets and the potential sources are able to be located online.

OSINT supporting HUMINT: Another example of ‘Interdisciplinary Intelligence Preparation of Operations’, I2PO in short.

MW-OSINT / 03.09.2018

Interdisciplinary Intelligence Preparation of Operations – (I2PO)

Whether you are

a HUMINT case officer in military intelligence,
a detective in the police force,
a SIGINT analyst in an intelligence service,
an investigator supporting or conducting due diligence businesses cases,
or a journalist researching for a new article,

you should have extensive knowledge of OSINT techniques.

Now why should these roles, especially the HUMINTer or SIGINTer, be proficient at OSINT? The following article will explain a concept of work that I call ‘Interdisciplinary Intelligence Preparation of Operations’, I2PO in short. The basic idea is that every element working within an intelligence cycle requires OSINT knowledge to either prepare, enable, conduct or support operations. In the future, I will also make a point on how this concept easily transfers to business cases, such as due diligence checks, and journalism as well.

First, let us define what OSINT actually is. Open Source Intelligence is acquiring information from generally accessible sources. This includes data found on the internet as well as within traditional print media, TV- and radio broadcasts. I tend to use the term ‘generally accessible’ as opposed to ‘publicly available’ or ‘openly accessible’, as the data is accessible, however, sometimes in closed networks, behind paywalls or not traceable without extensive knowledge of OSINT. This, in my opinion, rules out the use of ‘publicly’ or ‘openly’, which implies that everyone could access the data easily.

Another important aspect is the term ‘intelligence’ within OSINT. Merely collecting data is not OSINT. Connecting the dots, looking for missing links, assessing the data and producing customer driven reporting is what makes intelligence out of it. This requires knowledge, experience and instinct; a combination which is very hard to replicate using fully automated OSINT tools. Thus, the most important element of OSINT is the analyst, no matter how many software-based tools and gadgets he or she uses.

Before considering how OSINT should be used in combination with other intelligence collection types (ICT), I want to point out some of the advantages when working with OSINT. OSINT data is usually available the moment you start working on a case and often published in near- or real-time, especially when following events on social media. Cases in which you work in a real-time environment, with changes occurring momentarily, bring us to the most important OSINT rule:

If you see it, save it!

You will never know if the data will still be there the next time you intend to look for it.

Depending on the case, you will also be dealing with mass data (or big data). This is where a certain degree of automation might be helpful, keeping in mind that the final assessment shouldn’t be performed solely by an AI. When speaking of quantity, you must consider the quality of the collected data as well. Especially in times like these, verifying information and filtering out disinformation is vital!

After years of work within government intelligence structures and working on business cases, I have therefore developed the concept of I2PO to define my work. This is also something I use as a theoretical basis in the OSINT and INTEL classes I teach. As mentioned before, the general idea is that many different jobs require OSINT skills in order to successfully achieve their goals. Therefore, I highly recommend an interdisciplinary approach. This means not only relying on one ICT, but also having an understanding on how OSINT can support HUMINT and SIGINT operations, police investigations and business cases and vice versa, just as well as OSINT provides information for decision makers as a standalone ICT.

In the following weeks, I will post examples of I2PO in different lines of work (e.g. SIGINT, HUMINT, police investigations, due diligence, journalism and more) to emphasize and further explain this concept.

To start out, I’ll describe I2PO when applied in a military intelligence environment supporting military operations.

I2PO to Support Military Operations

Military operations, such as the ongoing coalition missions in Afghanistan and Iraq, have heavily relied on intelligence collection through SIGINT and HUMINT in the past. These two ICTs demand a large amount of preparatory work and in times in which our adversaries are more cautious and OPSEC-aware, these two ICTs are hitting boundaries. HUMINT sources are having a harder time receiving information from core target networks and communications encryption is on the rise, creating new challenges for SIGINT. At the same time, the amount of information available through the extensive use of social media, even in the aforementioned crisis areas, is vastly growing on a daily basis. In Syria for example, information on troop movements or combat actions find its way across Twitter in near real-time.

In order for decision makers on the battlefield to react to situational changes in a timely manner, it is essential to have forward deployed intelligence elements able to conduct OSINT as it happens. In many cases, this work is done by special OSINT teams, many of them not even being in the actual combat zone. This will always lead to a time delay when disseminating information to the final intelligence customer and decision maker. As with tactical SIGINT or HUMINT, which are close to or in some cases organic to their intelligence customers, tactical OSINT is the answer. Sending a dedicated OSINT analyst forward to support operations is one solution. However, training existing intelligence personnel, enabling them to independently conduct OSINT on a case-by-case basis is another option. On these terms, the training would enable personnel to answer requests for information as they come in, rather than relaying these requests to another element, thus again resulting in a time delay.

This is what I understand as I2PO. Having an all-source analyst who is able to conduct OSINT research and to immediately verify the collected information when needed in time critical situations to support before, during and after military operations. In this example, two different skill sets (one being the all-source analytical expertise) being used in an interdisciplinary approach is the core factor of I2PO.

MW-OSINT / 16.08.2018