How I Became Ted Mosby

Remember Ted Mosby from the sitcom How I Met Your Mother? This fictional TV character inspired a pretext for social engineering in an actual investigation.

Not all investigations can be conducted solely online. Sometimes, information that is discovered on the internet has to be verified in the real world. Many of these cases then require certain social engineering skills to obtain access to otherwise restricted areas. One of the most important aspects of social engineering is the pretext used to present oneself. This is more than just a quick and simple lie, it requires the creation of a complete identity to impersonate someone that will be able to gain the trust of whoever you are using it against. A large portion of the pretexting process is actually OSINT: Gathering the relevant information in order to appear credible.

A while back, I was working on a case in which I had to verify the location of a certain company and try to figure out if the company actually did business there or if this address was just used as a mailbox. Google Street View was not helpful, as in most cases in Germany, and a quick walk-by revealed the address was a large gated town villa. No information on the target company was visible on mailboxes at the gate. To be completely sure, I had to gain inside access and in this particular case, my customer asked for conclusive evidence of my findings. The challenge was finding a way inside that would enable me to snoop around and even take pictures. Further research revealed that the town villa also accommodated a law firm, an advertising firm and an investment management company. I initially thought of posing as a parcel courier to gain entrance and then use a hidden camera to document what I found. However, this pretext came with lots of downsides. I would require a uniform, have to deliver a fake parcel (which would surely strike attention as soon they opened it) and using hidden cameras has always proven tricky in the past when trying to get quality images.

I did a little more OSINT research and found out the estate itself was designed and built by a famous German architect. It was one of his early works. At the time, I was just watching some old episodes of How I Met Your Mother. In one of the episodes, the main character Ted Mosby was giving an architecture lecture as a professor, boring his students with architectural facts. That gave me the idea to pose as a young architecture professor preparing a course on the style of architecture the town villa was built in. Of course, I would also need pictures of the house to point out certain style elements of the villa. With this idea in mind, I spent the next couple hours doing research and preparing my pretext. I learned quite a bit about the German historicism architecture of the 19th century and of course about the famous architect himself.

villa

The next morning I approached my target. Rather than ringing a doorbell and trying to gain access through the intercom, I choose to linger around the house and initially take pictures from the outside during a period in which I assumed people would be entering the estate to commence work. I planned to approach the first person I saw, tell them my cover story and hope to gain full access to the estate without raising suspicion. After all, I was just there to take a couple of pictures of the building itself. At this point, luck was on my side. The first person I encountered turned out to be the owner of the villa, who was in fact a direct descendant of the famous German architect that had built the place. This gentleman was so excited that a young professor wanted to use his estate as an example in class, that he happily invited me inside and allowed me to take as many pictures as I wanted. I received a complete tour, inside and out. I was able to take pictures of mailboxes inside the villa, have a peak into the office spaces and he told me about the current tenants, as well as answering my questions.  During this phase, I used all the architectural terminology I had learned to keep my cover upright.

In the end, I did not find any direct trace of the company I was looking for, nor was any office space for rent or any tenant moving out. However, I did see and take pictures of the internal mailbox belonging to the investment management company. This mailbox listed around 15 additional company names. Subsequent research linked one of those companies to the CEO of my actual target company and this proved to be a starting point for a whole network of letterbox companies.

That is the story of how I became Theodore Evelyn ‘Ted’ Mosby for a day and of course I did not use that name for my character. When I was a child, I remember my grandmother complaining about how harmful TV was and that what I watched was useless in real life. This one time, I guess I proved her wrong.

(By the way: No need in geolocating the villa in picture, it’s not the one from the actual case. However, it does look very similar)

Matthias Wilson / 09.01.2019

Image: CC BY 2.0 @HaPe_Gera (image cropped)

Offline OSINT – Nicht alles ist im Netz auffindbar

Fast täglich werden neue OSINT Tools im Netz vorgestellt. Ob Webseiten mit dem Ziel, einzelne Informationen aus sozialen Medien zu extrahieren oder Python-Skripte zur automatischen Sammlung der Daten von verschiedenen Plattformen, die aktuellen Entwicklungen scheinen immer weiter in Richtung vollautomatisierter Recherche voranzuschreiten. Dabei ist OSINT so viel mehr als nur im Netz zu suchen. Zu den öffentlich verfügbaren Quellen zählen z.B. auch Printmedien und Rundfunkbeiträge, vieles davon ist nicht digital vorhanden. Vor allem dann nicht, wenn es sich um historische Begebenheiten handelt. Diese Informationen befinden sich unter anderem in Bibliotheken auf Mikrofiche oder in Verlagshäusern in Hardcopy.

Ich möchte anhand einer kürzlich stattgefundenen Recherche meiner Kollegen und mir aufzeigen, wie uns solche historischen Informationen in einem Fall helfen konnten:

Wir führen einen Background Check zu einer bestimmten Person durch möchten ihre familiären und wirtschaftlichen Verhältnisse aufklären. Recherchen im Netz, in Compliance-Datenbanken und Pressearchiven bleiben erfolglos. Trotz guter Quellenlage im Netz, gelingt es uns nicht weitere Angehörige zu identifizieren. Leider ist unsere Zielperson auch nicht in sozialen Medien präsent. Also greifen wir auf alte Telefonbuch-CDs aus den 90ern und frühen 2000ern zurück. Wir kennen den Geburtsort unserer Zielperson, außerdem hat sie einen für diese Region einzigartigen Nachnamen.

telefonbuch cds

Mit diesen Informationen machen wir uns auf die Suche. Auf einer CD von 1998 können wir zwei weitere Personen dieses Nachnamens ermitteln. Bei der Sichtung der Telefonbuch-CDs der Folgejahre wird ersichtlich, dass diese beiden Personen anschließend zweimal gemeinsam umgezogen sind. Die letzte Adresse auf einer Telefonbuch-CD von 2005 liegt sogar direkt neben der aktuellen Anschrift unserer Zielperson. Wir gehen davon aus, dass es sich bei den beiden Personen mit gleichem Nachnamen mit großer Wahrscheinlichkeit um Verwandte handelte. Weiterführende Recherchen hierzu führen uns schlussendlich zu Facebook-Profilen und Geschäftstätigkeiten der Familienangehörigen, welche unsere Zielperson in einem neuen Licht dastehen lassen.

Das Fazit der Geschichte: OSINT findet nicht nur im Netz statt. Manchmal muss man sich auf Altes besinnen um im Rahmen einer Recherche zum Ziel zu gelangen. Und nicht vergessen: Bibliotheksausweis erneuern und auf keinen Fall alte Datenquellen voreilig entsorgen.

Matthias Wilson / 10.09.2018