If you follow me, I’ll OSINT you

I tend to have a look at the profiles following me on Twitter or trying to connect on LinkedIn. On LinkedIn I’ve become a little picky on whom to connect with and they have to match my career interests. On Twitter I just look for red flags in general. If your profile promotes racism and hate speech, deliberately spreads disinformation or supports Borussia Dortmund, I will block you (just kidding on the last one). Of course, I can’t do a deep dive into each and every follower on Twitter. But today I would like to show you what kind of red flags I look for and how these can lead to further investigations.

Follow me and I’ll check out your profile

Around lunch time I noticed a new follower on Twitter.

Martin recently joined Twitter and hasn’t tweeted yet. He is following 25 accounts, has no followers of his own and something about his profile picture is odd.

Since I have created many pictures using This Person Does Not Exist, I could immediately tell that the image above was created on that site. The alignment of the eyes, the weird ears and several other glitches were a sure sign of this. My buddy Nixintel wrote a great blog on how to identify such images a while back and I highly encourage you to read it.

Next up, I had a look at the other accounts Martin chose to follow. Most of them were Russia-friendly accounts, often spreading Russian propaganda, some even known conspiracy theorists. Next to the apparent German name, Martin was following German-speaking people on Twitter. So I am pretty sure he is German-speaking as well.

And in between all these, there were some accounts that actually investigate the general topics I mentioned above (Russia & disinformation). For me, this leaves two possibilities: Martin is either interested in the Russian propaganda and conspiracy theories from an investigative standpoint, or he supports them. It is not uncommon for supporters of conspiracy theories or foreign propaganda to follow those who try to debunk this disinformation (e.g. Bellingcat), so they can troll them. But why did he choose to follow me then, and not only me but also OSINTgeek?

OSINTgeek and I have many things in common, but none of these is any affiliation with the aforementioned topics. However, we are currently best known for organizing the German Open Source Intelligence Conference (or GOSINTCon). I could not see any interaction between Martin and the GOSINTCon Twitter account, so I decided to check our LinkedIn profile. Among the followers we received this afternoon, I found the following account:

Both follows must have happened roughly around the same time. Now let’s have a look at this Martin Krüger.

Same name, different picture and also 25 connections. The picture seemed a little too good-looking in my opinion. I ran a quick reverse image search on the profile picture and could see it was an often-used stock photo. This was so obvious that even Google found it!

The fact that this profile only had 25 connections led to the assumption that it was recently created. Looking into the CV posted on LinkedIn, I saw several other things that caught my eye.

I googled the name in connection with the mentioned employers and came up completely empty-handed. The CV shown here also had some inconsistencies: large gaps between apparent jobs, and to me it looked like someone had just quickly and very sloppily punched something into LinkedIn in a mix of German and English.

All in all, both profiles seem to be sock puppets in my opinion. I thought about whether I should write this up or not, as there is a very slight chance that Martin does exist. However, the name is quite common in Germany and nothing shown here can be considered doxxing. So, this goes out to Martin:

If you are real, you might want to clean up your LinkedIn profile. Those inexplicable gaps in your CV certainly will not help your career. If you are indeed a sock puppet: gotcha! You might want to read about how to set up a proper sock puppet on the OSINT curious site or another example of how not to do so on my blog. And while sock puppets are not a topic in this year’s GOSINTCon, come back next year and we might have a talk on that.

Matthias Wilson / 16.11.2020

Intelligence Collection on the Train

Sometimes I miss my SIGINT days: listening in on my target’s phone calls and getting juicy intelligence out of it. However, you don’t always need SIGINT to eavesdrop on interesting conversations.

The company that I work for offers a broad variety of security products. When it comes to securing valuable data and information, most of our customers rely on technical solutions. However, the best firewalls and security suites will not help if information is continuously disclosed outside of hardened IT environments by careless employees. As a former SIGINTer I was always astonished at how much information my intelligence targets would openly share over non-secure lines. Now that I have left SIGINT behind, I still have the chance to eavesdrop on conversations every once in a while.

I have a one-hour commute to work each day and the time I am on the train has proven to be a valuable social engineering and OSINT training ground. Two weeks ago, I was sitting on the train when a gentleman sat down next to me and immediately started making phone calls.

Photo credit: https://unsplash.com/@jcgellidon

The second phone call went to a woman named Kelly Adams. I know this because I could see her name on the screen of his phone. I could hear everything he said and since his volume was cranked up, I could also hear parts of what Kelly had said. Curious as I am, I immediately googled Kelly. Based on what I had heard, I could narrow it down to three individuals. One woman working for a large German defense company and two others in IT firms. The topic of the conversation was a pretty significant retention bonus that Kelly would receive, if she decided to stay with the company and move to Munich. It turns out the company was currently relocating its headquarters to Munich.

As soon as the gentleman ended this conversation, he started writing emails on his phone. Again in plain sight, and did I mention that I am very curious? It turned out his name is Andreas Müller. Searching for the combination “Kelly Adams” and “Andreas Müller” led to the exact company. Dr. Andreas Müller was the head of the research and development department of a large German defense company and Kelly was one of the leading project managers for a specific branch. I did not need any sophisticated OSINT skills here; a simple Google query and LinkedIn search was enough. Dr. Müller then sent the details of the retention bonus to someone named Alfred, whom I assume was in HR. If I had been working for an opposing company, I could have easily used this information to counter the offer Kelly received. But wait, it gets even better!

Next up, Dr. Müller opened spreadsheets depicting the budget of certain projects. Dr. Müller was sitting on my right and I held my phone to my right ear, simulated a conversation and managed to get a couple of pictures of his screen. By now I had seen enough and it was time to approach him.

“Excuse me, Dr. Müller. May I ask you a question?”

You should have seen the look on his face. Surprised and shocked, as he was clearly not expecting this. I asked him if the conversations and the emails he had looked at were sensitive. I told him what I had picked up from his conversation with Kelly and showed him a picture of the spreadsheet. Still shocked, he did not really know how to react. I explained my line of work and handed him a business card. Dr. Müller can consider himself lucky; usually I charge customers for this kind of consulting, and I think he learned a valuable lesson.

Remember: no matter how good your cyber security measures are, the most important aspect is minimizing human error and taking security seriously at all times. I have often read that there is no patch for human stupidity. I do not agree, and I am sure that Dr. Müller has been “patched” after our train ride.

I guess I will never be able to let the SIGINT side of me go. I just love eavesdropping on people, so be careful what you say in public or on your phone; you never know if someone is listening!

Matthias Wilson / 26.03.2019

The World’s Best Sock Puppet…Not!

There are lots of great guides on how to create sock puppets. Rather than showing you a good example of how to do so, this post shows a horrible example that has been used in a recent phishing attempt.

I received a request to connect on LinkedIn from what is clearly a badly created sock puppet. This request is actually a cheap phishing attempt, aimed at getting hold of my phone number. Basically, the perpetrator made every mistake in the book when creating the profile. Let me walk you through the red flags I encountered. Or: how not to create a sock puppet!

Red Flag 1:

Bad English. Have a look at the message I received.


When looking at the vita, it is clear that Liya Lei should have better English skills!

Red Flag 2:

No contacts (blue box). As you can see, the profile has no listed number of contacts. This is an indicator that it was just recently created or that it is not well-tended.

Red Flag 3:

UKTI does not exist anymore (red box). UKTI stands for UK Trade & Investment, a UK government department working with businesses based in the UK. In July 2016, UKTI was replaced by the Department for International Trade. Again, either this is just a bad sock puppet or an account that is not well-tended. In both cases, it does not seem trustworthy enough to hand over my phone number to.


There are some additional steps that can be taken to verify accounts. The first step is, of course, running the name through Google. In our case, it did not produce any results directly linked to the person shown in the picture. Furthermore, a reverse image search should be performed as well. Forget Google, use Yandex for this. Unfortunately, neither Yandex nor Google were able to find the picture.

Another method to verify LinkedIn accounts is searching for the person’s email. Assuming the account is real, we should be able to identify a company email address. A quick Google query reveals that the domain ukti-invest.com was among those used by said organization. Next up, run the domain through hunter.io to gain information on the pattern used for their email addresses.


Ukti-invest.com uses “firstname.lastname”, so we can now check whether an email address belonging to Liya Lei exists. I checked the email address on verifyemailaddress.org and it clearly shows that while the domain exists, the email address we provided does not.


I also tried a couple of variations, including different domains, such as gov.uk, as well as other naming patterns, just to be sure.

Following these steps, I have pretty much proven that Liya Lei’s account is a total hoax: a very bad sock puppet set up to phish my phone number. A final note to whomever tried to fool me:

Dear Sir or Madam,

Next time try harder! There are plenty of guides out there on how to build a credible sock puppet. Your cheap attempt is actually quite insulting and did not even push my OSINT skills to a limit.

Yours sincerely,

Matthias Wilson / 21.01.2018