If you follow me, I’ll OSINT you

I tend to have a look at the profiles following me on Twitter or trying to connect on LinkedIn. On LinkedIn I’ve become a little picky on whom to connect with and they have to match my career interests. On Twitter I just look for red flags in general. If your profile promotes racism and hate speech, deliberately spreads disinformation or supports Borussia Dortmund, I will block you (just kidding on the last one). Of course, I can’t do a deep dive into each and every follower on Twitter. But today I would like to show you what kind of red flags I look for and how these can lead to further investigations.

Follow me and I’ll check out your profile

Around lunch time I noticed a new follower on Twitter.

Martin recently joined Twitter and hasn’t tweeted yet. He is following 25 accounts, has no followers of his own and something about his profile picture is odd.

Since I have created many pictures using This Person Does Not Exist, I could immediately tell that the image above was created on that site. The alignment of the eyes, the weird ears and several other glitches were a sure sign of this. My buddy Nixintel wrote a great blog on how to identify such images a while back and I highly encourage you to read it.

Next up, I had a look at the other accounts Martin choose to follow. Most of them where Russia-friendly accounts, often spreading Russian propaganda, some even known conspiracy theorists. Next to the apparent German name, Martin was following German-speaking people on Twitter. So I am pretty sure he is German-speaking as well.

And in between all these, there where some accounts that actually investigate the general topics I mentioned above (Russia & disinformation). For me, this leaves two possibilities: Martin is either interested in the Russian propaganda and conspiracy theories from an investigative standpoint, or he supports them. It is not uncommon for supporters of conspiracy theories or foreign propaganda to follow those who try to debunk this disinformation (e.g. Bellingcat), so they can troll them. But why did he choose to follow me then, and not only me but also OSINTgeek?

OSINTgeek and I have many things in common, but none of these is any affiliation with the aforementioned topics. However, we are currently best known for organizing the German Open Source Intelligence Conference (or GOSINTCon). I could not see any interaction between Martin and the GOSINTCon Twitter account, so I decided to check our LinkedIn profile. Among the followers we received this afternoon, I found the following account:

Both follows must have happened roughly around the same time. Now let’s have a look at this Martin Krüger.

Same name, different picture and also 25 connections. The picture seemed a little too good looking in my opinion. I ran a quick reverse image search on the profile picture and could see it was an often used stock photo. This was so obvious, that even Google found it!

The fact that this profile only had 25 connections, led to the assumption that it was recently created. Looking into the CV posted on LinkedIn I saw several other things that caught my eye.

I googled the name in connection with the mentioned employers and came up completely empty handed. The CV shown here also had some inconsistencies. Large gaps between apparent jobs, and to me it looked like someone just quickly and very sloppily punched something into to LinkedIn here with a mix of German and English.

All in all, both profiles seem to be sock puppets in my opinion. I thought about if I should write this up or not, as there is a very slight chance that Martin does exist. However, the name is quite common in Germany and nothing shown here can be considered as doxxing. So, this goes out to Martin:

If you are real, you might want to clean up your LinkedIn profile. Those inexplicable gaps in your CV certainly will not help your career. If you are indeed a sock puppet: gotcha! You might want to read about how to set up a proper sock puppet on the OSINT curious site or another example of how not to do so on my blog. And while sock puppets are not a topic in this year’s GOSINTCon, come back next year and we might have a talk on that.

MW-OSINT / 16.11.2020

Hijacking WhatsApp without Hacking

You don’t have to be a hacker to hijack a WhatsApp account. Simple mistakes made by your target can easily give you access to WhatsApp and other messaging apps on their phones.

When I participate in meetings, I notice that some people place their phones face-up on the table. As a curious person, I always tend to glance over at their phones whenever they light up, for instance if they receive messages. Many people actually have messages displayed on the lock screens. That means they do not have to pick up their phones and unlock them to read incoming messages. Unfortunately, this also poses a serious security threat. Not only can curious people like me read these, displaying the full content of messages on your lock screen can lead to your instant messaging accounts being hijacked. No sophisticated hacking skills are required to do so!

Imagine the following scenario:

A company CEO mainly uses WhatsApp to communicate with business partners. An attacker first obtains the phone number that is linked to his WhatsApp account. People search engines, such as Pipl, are helpful to identify a target’s mobile phone number. Using an Android VM, the attacker can then setup a fully functional Android phone on his computer, including the installation of WhatsApp. WhatsApp on the VM is then registered with a burner phone. The CEO’s phone number is added to the contacts and WhatsApp will provide a profile picture, username and status. This information is saved, as the attacker will need it later when hijacking the actual account.

As an alternative, we could also use a real burner phone or a little gimmick called WhatsAllApp to obtain the aforementioned information. WhatsAllApp is a Chrome extension, that enables you to gather WhatsApp profile pictures, statuses and usernames based on any given phone number, even without adding these to your contacts.

The next step must happen quickly and this is where it starts to get criminal. Our attacker steals the CEO’s phone and instantly registers a WhatsApp account on the Android VM (or burner phone), using the CEO’s phone number. Of course, this will only work if the CEO’s phone displays incoming messages on the lock screen. The SMS verification code is then used to register WhatsApp on the burner phone or in the VM. From now on, all incoming WhatsApp messages will show up on the attacker’s WhatsApp. This works with other messaging apps as well. Of course, the attacker cannot see the chat history, but he will be able to interact with the contacts from that point on and possibly gain vital intelligence.

Using this technique could give an attacker a 1-2 day timeframe to hijack WhatsApp and other messaging apps. As soon as the CEO notices his phone is stolen, he will obviously have his phone and SIM card locked. However, how many people would actually think about giving all their contacts a heads-up that they currently are not available? Quite a challenge without a phone.

So much for the theory behind such an attack. I have noticed that my colleague’s phone displays messages on the lock screen and his wife texts him quite often. I decided to hijack his phone this morning.

While he was in a meeting across the hall, he left his phone on the desk. I used his phone number to set up a WhatsApp account on my Android VM. The SMS verification was immediately visible on his lock screen, I didn’t even have to touch his phone.

After entering this code, his account was mine! Of course, I used his profile picture, username and status in the hijacked account. Shortly afterwards I received the first incoming message. It was sent by his wife, asking about their lunch plans for the day (she works nearby). I texted back and suggested pizza, upon which his wife named a meeting place and time.

When my colleague returned from his meeting, I was happy to inform him that he would be meeting his wife at 1230 in front of the mall and that they would have pizza.

There are several lessons to be learned here:

DO NOT leave your phone unattended (especially around me)!
DO NOT publically disclose your WhatsApp profile information (profile pic, username, status)!
DO NOT enable your phone to display messages on the lock screen!
If your phone is stolen, try to inform your contacts!

And as of now I will live in fear, because I am sure my colleague will retaliate this prank soon.

MW-OSINT / 27.02.2019

The World’s Best Sock Puppet…Not!

There are lots of great guides on how to create sock puppets. Rather than showing you a good example on how to do so, this post shows a horrible example that has been used in a recent phishing attempt.

I received a request to connect on LinkedIn from what clearly is coming from a badly created sock puppet. This request is actually a cheap phishing attempt, aimed at getting a hold of my phone number. Basically, the perpetrator made every mistake in the book when creating the profile. Let me walk you through the red flags I encountered. Or: How not to create a sock puppet!

Red Flag 1:

Bad English. Have a look at the message I received.

When looking at the vita, it is clear that Liya Lei should have better English skills!

Red Flag 2:

No contacts (blue box). As you can see, the profile has no listed number of contacts. This is an indicator that it was just recently created or that it is not well-tended.

Red Flag 3:

UKTI does not exist anymore (red box). UKTI stands for UK Trade & Investment, a UK government department working with businesses based in the UK. In July 2016, UKTI was replaced by the Department for International Trade. Again, either this is just a bad sock puppet or an account that is not well-tended. In both cases, it does not seem trustworthy enough to hand over my phone number to.

There are some additional steps that can be conducted to verify accounts. The first step is, of course, running the name through Google. In our case, it did not produce any results directly linked to the person shown in the picture. Furthermore, a reverse image search should be performed as well. Forget Google, use Yandex for this. Unfortunately, neither Yandex nor Google were able to find the picture.

Another method to verify LinkedIn accounts, is searching for the person’s email. Assuming the account is real, we should be able to identify a company email address. A quick Google query reveals that the domain ukti-invest.com was among those used by said organization. Next up, run the domain through hunter.io to gain information on the pattern used for their email addresses.

Ukti-invest.com uses “firstname.lastname”, so we can now check if an email address belonging to Liya Lei exists. I checked the email address on verifyemailaddress.org and it clearly shows that while the domain exists, the email address we provided does not.

I also tried a couple variations, including different domains, such as gov.uk, as well as other naming patterns just to be sure.

Following these steps, I have pretty much proven that Liya Lei’s account is a total hoax. A very bad sock puppet set up to phish my phone number. A final note to whomever tried to fool me:

Dear Sir or Madam,

Next time try harder! There are plenty of guides out there on how to build a credible sock puppet. Your cheap attempt is actually quite insulting and did not even push my OSINT skills to a limit.

Yours sincerely

MW-OSINT / 21.01.2018

Covert Operations in a Digital World

Even spies leave behind a digital footprint. Through social media profiles and various leaks they can be identified and their clandestine activities exposed. In the digital age it takes more time and effort to conceal covert operations, requiring new approaches as early as during their recruiting.

Covert Ops in a Digital World2.jpg

The recent uncovering of Russian GRU agents accused with the attempt to poison former Russian spy Sergei Skripal, as well as the exposure of Saudi Arabian spies in the murder of Jamal Khashoggi clearly show the problems intelligence services are facing when conducting covert operations.

Investigate journalists, such as the Bellingcat team, were able to identify the suspected culprits, often using crowdsourcing to do so. These two examples have proven how effective and timely the wisdom of the crowd can be. Another reason for the great results achieved in these online investigations, is the fact that the contributors to each investigation were highly motivated: they did not make these findings because they had to; they wanted to unravel the mysteries surrounding aforementioned cases.

Both times, blatant mistakes made by the operatives left a paper trail to follow, ultimately leading to the identification of several members of Russian and Saudi intelligence services. Not accounting for the various slipups, the main problem is that all culprits do work for their nation’s government and/or intelligence services and this was too transparent. The GRU operatives had addresses registered to known GRU locations, one of the Saudi operatives is seen in pictures where he appears to belong to the close protection team accompanying Saudi crown prince Mohammad Bin Salman on travels. These are just two examples showing links between the individuals and their governments.

The question remains, how an intelligence service can conduct covert operations that actually remain covert. One of the most obvious solutions to counter this problem is minimizing an operatives’ digital presence. This can be achieved fairly easy. Covert operatives should stay away from social media and press coverage. However, an old IT-saying states: “There is no patch for human stupidity.” Due to this, there will always be a margin of error, undisciplined individuals making exactly the mistakes leading to their public exposure. Massive CCTV coverage is causing another problem. It is impossible to travel nowadays without being filmed or photographed. As soon as these pictures of individuals are published in news and on social media, crowdsourcing kicks in. Maybe this individual was seen entering a government building, maybe a former government co-worker recognizes him. Although the former co-worker should probably keep this information to himself rather than risking legal consequences (many have signed some form of non-disclosure agreement), this does not stop it from happening. Again, human error stands in the way. In conclusion, intelligence services should try to rule out human error as much as possible. Regular screenings on intelligence employees aimed at searching for compromising information online could help counter these exposure threats in a timely manner. Another approach would be to decrease the amount of people who actually know of the covert operative. One radical, yet most likely successful approach could be keeping covert operatives away from government entities.

Let me elaborate on this. As soon as an individual enlists within a government entity and becomes part of this system, bureaucracy takes its toll and the individual is listed in numerous databases for mainly administrative reasons, also increasing the number of people who know of his existence. Travel expenses, payment processes and even journeys to known government sites leave plenty of breadcrumbs to follow and to identify someone as a government employee. In many countries, once you are on the government’s payroll, it is highly unlikely you will ever leave the comfort of having this government job and the benefits that come with it.

What if a covert operative never actually worked for the government?

The scenario I am about to explain might sound like it is from a Hollywood movie script, but it might be the only feasible way to conduct future covert operations. It all starts with proper recruiting. Identifying suitable candidates will be challenging and I will not discuss what traits are essential to become a perfect spy. Although former military members might be the first choice, their military service might be what uncovers them in the future. Let us look at the following fictional career:

A young, fit 18-year-old named James appears at a police or military recruiting office and expresses interest in an intelligence, investigation and/or special forces career. He achieves outstanding results in the following assessment center. These results are noted by the intelligence service, upon which they approach the potential recruit. Of course, intensive screenings are conducted beforehand and at no point is he invited to official government sites. All contacts are conducted by a dedicated handler. The used modus operandi is basically the same one used when acquiring HUMINT sources.

James receives an offer to work for the intelligence service but not in the intelligence service. He receives a scholarship to study political science at a renowned university, earning a degree which will provide the basis for his future civilian career. The scholarship is payed for by a complex system of front companies, eventually ending in some sort of charity. During his studies, James uses the semester breaks or long weekends to train the many skills needed for his covert intelligence service job. Officially, he is on long backpack tours around the world or other types of vacations. This training method takes much longer and is conducted individually at inconspicuous sites. However, after 3-4 years of part-time training and smaller operations during his university sojourn, James should be able to conduct covert operations.

After his studies, James receives a job in a worldwide consulting company. Of course, some strings were pulled in the background to enable and promote his civilian career. From time to time, James has to oversee projects in other cities or countries. This is the cover needed to enable worldwide travel to conduct covert intelligence operations. These projects could actually originate from government entities and thus fit to the intelligence operation.

After a certain time as a covert operative, James is removed from the operational line of duty. The compensation for his intelligence work could then be a non-covert job within the intelligence service (or another related government entity) or a severance pay.

This description is very short and is lacking many of the challenging details. I would like to point out a couple of interesting aspects to why this concept might actually be worth the effort:

The recruit could be dismissed at any time during the training program without major consequences. Other than his handlers, he does not have deep insight into the intelligence service, its locations or operations.
Providing a college education and kickstarting a promising civilian career, as well as offering an interesting field of work in the intelligence sector should prove extremely motivational.
The civilian career, when guided by the intelligence service, would deliver the best cover story for operations.
Failed operations could be denied easier by government entities. In this case, a statement like the recent Saudi “rogue operative theory” would pass easier.

Even though the ratio of supporting intelligence personnel assigned exclusively to such an external covert operative is higher than compared to the amount of supporting staff for regular intelligence employees, the external covert operative in total has less exposure to intelligence personnel. Regarding training, financial and operational planning, everything could be kept in a smaller yet highly professional scale.

Who knows, maybe these techniques are already in use by some intelligence services worldwide. That is probably the reason we never hear about it. Maybe the person sitting next to you on the plane is not just the business traveler he pretends to be.

MW-OSINT / 24.10.2018

Strava als Ermittlungstool

Strava, ein Soziales Netzwerk zum Tracking sportlicher Aktivitäten mittels Wearables, war in der Vergangenheit in Verruf geraten, weil aus seiner Globalen Heatmap anhand der aggregierten Aktivitäten der Nutzer unzählige militärische Basen, Patrouillenwege sowie geheime Einrichtungen diverser Nachrichtendienste abgelesen werden konnten. In die Heatmap hineingezoomt, gelangte man sogar zu den Profilen der einzelnen Sportler. OPSEC sieht anders aus.

Der Aufschrei war groß, etliche Militärs erwogen kurzerhand ein generelles Verbot der Fitness-Tracker. Strava reagierte umgehend, aktualisierte die Heatmap und verpflichtete sich, „die Privatsphäre unserer Sportler zu respektieren und eventuelle Bedenken bezüglich der Sensibilität einzelner Informationen zu adressieren“.

Doch auch nach der Aktualisierung der Heatmap, lassen sich aus den von Strava veröffentlichten Daten sensible Informationen gewinnen. Strava selbst weist auf seiner Webseite explizit darauf hin, dass trotz eingeschalteter Erweiterter Privatsphäre „Aktivitäten immer noch an öffentlichen Orten wie dem Flyby, Gruppenaktivitäten und in Segmenten sowie in öffentlichen Clubs und Herausforderungs-Bestenlisten sichtbar sind.“ Im Klartext heißt das, über die Segmentbestenlisten gelangt man zu den Namen und Profilen der einzelnen Sportler.

Wie lässt sich diese Erkenntnis nun für Ermittlungen verwenden?

Stellen wir uns folgendes Szenario vor: Am sogenannten Amphibientümpel im Forstenrieder Park südwestlich von München wird am 18.07.2017 eine unbekannte Männerleiche gefunden. Anhand der gefundenen Spuren lässt sich mit Sicherheit sagen, dass das Opfer am späteren Fundort getötet wurde. Durch die Obduktion kann der Tatzeitraum relativ genau eingegrenzt werden: am späten Nachmittag des 16.07.2017.

Der Forstenrieder Park ist bei Sportlern äußerst beliebt. Tagtäglich sind Dutzende Läufer, Wanderer und Radfahrer auf dem Waldweg, neben dem die Leiche gefunden wurde, unterwegs. Möglicherweise hat einer von ihnen am Tattag etwas Auffälliges beobachtet?

strava1

Die in OSINT geschulten Ermittler prüfen unter anderem auf Strava, ob der besagte Waldweg ein Lauf-Segment ist. Und tatsächlich wurden auf dem Segment am ermittelten Tattag zwei Bestleistungen erzielt. Über die Bestenliste gelangen die Ermittler zu den vollständigen Namen der Sportler und darüber zu den Nutzerprofilen inkl. Profilbildern.

strava2

Einer der beiden Sportler hat die Erweiterte Privatsphäre aktiviert, so dass man seine Aktivitäten auf seiner Profilseite nicht einsehen kann, wenn man ihm nicht folgt. Dazu müsste der Nutzer seine Erlaubnis geben.

Der andere Sportler dagegen hat alle Informationen öffentlich gemacht. Er nutzt Strava schließlich, um sich mit anderen Sportlern zu messen. Die Ermittler können sich durch seine Aktivitäten klicken und sehen, dass er den Lauf, bei dem er auf dem Segment die Bestzeit aufgestellt hat, um 16:59 Uhr startete. Er war zum vermuteten Tatzeitpunkt also ganz in der Nähe des Tatorts.

strava3

Dank der Klarnamen ist es den Ermittlern ein Leichtes, den Sportler ausfindig zu machen. Sie kontaktieren ihn umgehend und bitten ihn um Mithilfe bei der Aufklärung des Verbrechens. Der Läufer hatte von dem Fund der Leiche noch gar nichts mitbekommen. Aber er erinnert sich, dass ihm bei seinem Lauf etwas aufgefallen war: In unmittelbarer Nähe des Amphibientümpels, halb zwischen den Bäumen, hatte ein Kleintransporter eines örtlichen Handwerksbetriebs gestanden. Das war ihm zwar merkwürdig vorgekommen, er hatte der Beobachtung aber keine weitere Bedeutung beigemessen. Doch dieser Hinweis führte schlussendlich zur Ergreifung des Täters.

Die Quintessenz: OSINT sollte integraler Bestandteil aller Ermittlungen sein. Im vorliegenden Fall konnte durch OSINT-Methoden ein Zeuge ermittelt werden, der die entscheidenden Hinweise zur Aufklärung des Gewaltverbrechens lieferte. Dazu bedarf es aber versierter Ermittler…

Sebastian Schramm / 24.08.2018