Intelligence Collection on the Train

Sometimes I miss my SIGINT days: Listening into my target’s phone calls and getting juicy intelligence out of this. However, you don’t always need SIGINT to eavesdrop on interesting conversations.

The company that I work for offers a broad variety of security products. When it comes to securing valuable data and information, most of our customers rely on technical solutions. However, the best firewalls and security suites will not help, if information is continuously disclosed outside of hardened IT-environments by careless employees. As a former SIGINTer I was always astonished about how much information my intelligence targets would openly share over non-secure lines. Now that I left SIGINT behind, I still have the chance to eavesdrop on conversations every once in a while.

I have a one-hour commute to work each day and the time I am on the train has proven to be a valuable social engineering and OSINT training ground. Two weeks ago, I was sitting on the train when a gentleman sat down next to me and immediately started making phone calls.

1https://unsplash.com/@jcgellidon

The second phone call went to a woman named Kelly Adams. I know this because I could see her name on the screen of his phone. I could hear everything he said and since his volume was cranked up, I could also hear parts of what Kelly had said. Curious as I am, I immediately googled Kelly. Based on what I had heard, I could narrow it down to three individuals. One woman working for a large German defense company and two others in IT firms. The topic of the conversation was a pretty significant retention bonus that Kelly would receive, if she decided to stay with the company and move to Munich. It turns out the company was currently relocating its headquarters to Munich.

As soon as the gentleman ended this conversation, he started writing emails on his phone. Again in plain sight and did I mention that I am very curious? It turned out his name is Andreas Müller. Searching for the combination “Kelly Adams” and “Andreas Müller” led to the exact company. Dr. Andreas Müller was the head of the research and development department of a large German defense company and Kelly was one of the leading project managers for a specific branch. I did not need any sophisticated OSINT skills here, a simple Google query and LinkedIn search was enough. Dr. Müller then sent the details of the retention bonus to someone named Alfred, whom I assume was in HR. If I would have been working for an opposing company, I could have easily used this information to counter the offer Kelly received. But wait, it gets even better!

Next up, Dr. Müller opened spreadsheets depicting the budget of certain projects. Dr. Müller was sitting on my right and I held my phone to my right ear, simulated a conversation and managed to get a couple pictures of his screen. As of now, I had seen enough and it was time to approach him.

“Excuse me, Dr. Müller. May I ask you a question?”

You should have seen the look on his face. Surprised and shocked, as he was clearly not expecting this. I asked him if the conversations and the emails he had looked at were sensitive. I told him what I had picked up from his conversation with Kelly and showed him a picture of the spreadsheet. Still shocked, he did not really know how to react. I explained my line of work and handed him a business card. Dr. Müller can consider himself lucky, usually I charge customers for this kind of consulting and I think he learned a valuable lesson.

Remember: No matter how good your cyber security measures are, the most important aspect is minimizing human error and taking security serious at all times. I have often read that there is no patch for human stupidity. I do not agree and I am sure that Dr. Müller has been “patched” after our train ride.

I guess I never will be able to let the SIGINT side of me go. I just love eavesdropping in on people, so be careful what you say in public or on your phone, you never know if someone is  listening!

Matthias Wilson / 26.03.2019

The World’s Best Sock Puppet…Not!

There are lots of great guides on how to create sock puppets. Rather than showing you a good example on how to do so, this post shows a horrible example that has been used in a recent phishing attempt.

I received a request to connect on LinkedIn from what clearly is coming from a badly created sock puppet. This request is actually a cheap phishing attempt, aimed at getting a hold of my phone number. Basically, the perpetrator made every mistake in the book when creating the profile. Let me walk you through the red flags I encountered. Or: How not to create a sock puppet!

Red Flag 1:

Bad English. Have a look at the message I received.

1

When looking at the vita, it is clear that Liya Lei should have better English skills!

Red Flag 2:

No contacts (blue box). As you can see, the profile has no listed number of contacts. This is an indicator that it was just recently created or that it is not well-tended.

Red Flag 3:

UKTI does not exist anymore (red box). UKTI stands for UK Trade & Investment, a UK government department working with businesses based in the UK. In July 2016, UKTI was replaced by the Department for International Trade. Again, either this is just a bad sock puppet or an account that is not well-tended. In both cases, it does not seem trustworthy enough to hand over my phone number to.

2

There are some additional steps that can be conducted to verify accounts. The first step is, of course, running the name through Google. In our case, it did not produce any results directly linked to the person shown in the picture. Furthermore, a reverse image search should be performed as well. Forget Google, use Yandex for this. Unfortunately, neither Yandex nor Google were able to find the picture.

Another method to verify LinkedIn accounts, is searching for the person’s email. Assuming the account is real, we should be able to identify a company email address. A quick Google query reveals that the domain ukti-invest.com was among those used by said organization. Next up, run the domain through hunter.io to gain information on the pattern used for their email addresses.

3

Ukti-invest.com uses “firstname.lastname”, so we can now check if an email address belonging to Liya Lei exists. I checked the email address on verifyemailaddress.org and it clearly shows that while the domain exists, the email address we provided does not.

4

I also tried a couple variations, including different domains, such as gov.uk, as well as other naming patterns just to be sure.

Following these steps, I have pretty much proven that Liya Lei’s account is a total hoax. A very bad sock puppet set up to phish my phone number. A final note to whomever tried to fool me:

Dear Sir or Madam,

Next time try harder! There are plenty of guides out there on how to build a credible sock puppet. Your cheap attempt is actually quite insulting and did not even push my OSINT skills to a limit.

Yours sincerely

Matthias Wilson / 21.01.2018