Tracking a Hacker with OSINT

My blog has been hacked! Someone defaced the page and looking into the technical details didn’t provide any leads to the culprit. Maybe OSINT can help in this case.

1

Today’s article will look into cyber attribution and how OSINT can help identify the perpetrator of a cyberattack or other hacking exploits. Keep in mind, as long as the perpetrator does not make any mistakes it will be hard to track him down. Even if the actual person behind an attack cannot be found, hints on the hacker’s background may help narrow things down to a specific target group or origin. Let us have a closer look at the defacement shown above.

As stated, looking into technical details (IP-address, code, etc.) did not reveal anything useful. So we have to take a closer look at the tag and handle that was placed on our site. A reverse image search was conducted and did not show any results. The hacker goes by the name “drag0nw1ng١٩٨١”, this exact search-term also came up inconclusive. The Arabic numbers in the handle may be an indicator for the hacker’s cultural background. Next up, we will search for the handle in different variations, including a “standardized” one:

2

Not many results to look at here, so we can easily go through each and every page. Next to a Russian PlayStation profile named Dragonwing1981, we stumble upon some interesting results that might be related to our case.

3

Several data-breaches and leaks show an email address using the exact name. Dragonwing1981@yahoo.com was registered to a member of an internet forum called Kataib Hezbollah. This forum in Arabic language no longer exists and was used to disseminate terrorist propaganda. Since our hacker used Arabic numbers in his handle and the handle seems quite unique (based on the low amount of Google results), the email address might be linked to our guy.

The oldest mentioning of “dragonwing1981” came from another internet forum. In August 2004, the forum was hacked by someone with the email address we found before:

4

Research done by the forum members linked the perpetrator to Iraq:

5

Looks like things are coming together. There is one more approach we can try, in order to back our claims further. When using the password reset function in Yahoo, it gives you parts of the phone number (without the country code). Let us see what happens, when we try to reset Dragonwing’s password:

6

07 is the operator code used by Iraqi mobile networks and the length of the number also fits Iraqi mobile phone numbers. Luckily, Yahoo (unlike Google) displays the exact amount of digits of a phone number.

Let us review the evidence we have collected so far:

  • Use of Arabic numbers in the handle
  • Unique handle, not found often on the internet
  • Username and a related email address found in an Arabic internet forum
  • Email address used in a hack in 2004, identified as possibly originating from Iraq
  • Phone number linked to the email address possibly an Iraqi mobile phone number

Can we be sure that all these pieces of evidence are really linked to each other? Not really, but that is why we use words of estimative probability in intelligence analysis. Cyber attribution is not always about tradecraft, infrastructure or the malware/attack itself. Digging into individual actors may help shed light upon the origins of cyber-attacks and the OSINT process shown above should always be incorporated into any research effort as soon as “personal data” (e.g. tags, names, handles) is involved.

Of course, we could just send Dragonwing1981 an email and congratulate him on his defacement. However, unlike other stories on my blog, this one is completely made up and is based on a CTF-task I created for the OSINT courses I instruct. As far as I am concerned, Dragonwing1981 is innocent…

Matthias Wilson / 02.05.2019

The Nigerian Prince from South Africa

Great, another Nigerian prince in your inbox. Instead of deleting it, why not answer for a change. I did and it turned out to be quite interesting.

Last week, I received my first Nigerian prince scam mail (also known as 419-scam) in German. I assume someone put a lot of work into this, so I thought I would answer. Although the message was apparently sent from jefaturaestudiositurbi@valencia.es, I was to reply to wong.shiu@accountant.com. This email supposedly belonged to Mr. Wong, the banker who was handling the case.

Let us have a look at the message header first, before answering.

1

Even if I would have answered to jefaturaestudiositurbi@valencia.es, the email would have been sent to wong.shiu@accountant.com. I assume the email was not actually sent from the @valencia.es domain in the first place and that this was just used to bypass my spam filter. Next up, I wanted to see if I could find any leads to where the email was sent from.

2

The initial ‘Received’ entry in the message header points to a South African IP-address belonging to a mobile provider. It also appears to have been sent through a Huawei 3G/4G WiFi router.

Next up, I set up a new Gmail account to communicate with this Nigerian (South African) prince. Sure enough, I received an answer within minutes. The reply contained additional information regarding the deal and was clearly a very bad Google translation of an English text. Again, this message was sent from the same IP-address. We emailed back and forth several times until I was asked to provide some ID, an address and a phone number. So I did.

3.jpg

Apparently, Mr. Wong thought this was funny as well. For the first time I actually received a response that was not just copied and pasted from a pretext.

3-1

“You dey gather my fmt” – This actually translates to: So, you are one of those guys that collect my pretext. At this point, Mr. Wong also started using a different email to communicate with me: wong.shiu@mail.com. Again, I checked each message header. While several different IPs were used, they all belonged to South African mobile providers.

4

The conversation went on for quite a while and I was surprised that Mr. Wong kept answering.

5

The following day I received another scam mail that looked just like to first one. The only difference  was that the name of the banker had changed (and thus the reply email) and the promised sum of money was a lot higher than in the first email. It sure looked like this was also the work of my friend Mr. Wong, so I decided to answer to this new email as well.

6

Unfortunately, Mr. Wong did not answer any more. Looking into all the emails again, I could clearly see a pattern. Each IP-address could be traced to South African mobile providers and all emails were sent through Huawei 3G/4G WiFi routers. The language used also hinted towards Africa in general. Furthermore, over the course of two days I noticed that Mr. Wong began answering around 09:30 (CET), leading to the conclusion that he must have been in the same time zone (or nearby) if this was his 9 to 5 job.

If you ever try this yourself, please make sure to use a clean email address and do not download or open attachments. If you keep this in mind, you might have some fun with a Nigerian prince yourself. As for Mr. Wong:

Mr. Wong,

If you ever read this, feel free to contact me again. I can’t promise I’ll pay the advance fee you requested, but I’m always there for you if you need someone to chat.

Yours sincerely,

Matthias Wilson / 19.03.2019

Building a Hells Angels Database with Hunchly

Today I will teach you about Hells Angels and Hunchly and how one of these two is useful when looking into the other.

In the past year, I have worked two cases in which I stumbled upon links to Hells Angels while investigating individuals. I was surprised how much information people affiliated with this group shared publically on Facebook and other social media sites. Whether they were just supporters or full members, it became quite clear that they did not care about data privacy. Most profiles had open friend lists, some of them displaying thousands of friends. Hells Angels affiliates are not hard to find. You will likely stumble across one of the following acronyms and/or terms on their profiles: AFFA (Angels forever, forever angels), HAMC (Hells Angels Motorcycle Club), Support 81 (8 = H, 1 = A), SYL81 (Support your local Hells Angels), Eightyone.

There are a couple more, but this article is not about the Hells Angels per se. Since these individuals have so much open information on Facebook, their profiles are the perfect playground to try out Michael Bazzel’s Facebook tool on IntelTechniques.

I had just finished working on the first case and subsequently erased all the data linked to that case, when a second case soon revealed links to Hells Angels as well. If only I had saved some data from my first case. I roughly knew where I could start off, but most of this knowledge came off the top of my head and was sketchy. Before I started the second investigation, I made sure I wouldn’t make the same mistake again and decided to use Hunchly to save my findings. That way, if a third case with the same links should ever occur, I will have a great starting point. For those of you who do not know, Hunchly is a web capture tool. It automatically collects and documents every web page you visit. The best part is that it indexes everything, so you can search within the data afterwards. Using this amazing tool allowed me to create a fully searchable Hells Angels database!

First off, I created a new casefile and then let Hunchly collect Facebook friends lists of people affiliated with my target or any Hells Angels in the area my target originated from. As some of the profiles had thousands of friends, I used a little Chrome extension (Simple Auto Scroll) to automatically scroll down friends lists, so they would be captured in whole. Whenever I looked at profiles and found information that could not be automatically indexed, I would take notes in Hunchly or tag (caption) pictures. I have learned that a lot of intelligence can be obtained by closely looking at pictures on social media. In the following example, one Hells Angels member had obscured the tags on his vest. Based on the information in his profile, it became clear that he must belong to the Aarhus chapter in Denmark. I tagged this picture, meaning it would pop up if I ever searched for “Aarhus” in Hunchly.

1

I ended up tagging all pictures that included chapter names, functions, nicknames or general indications on the location. If I am interested in finding the security chiefs and weapons masters, all I have to do now is search for “Sergeant at Arms” or known abbreviations. Looking for “arms” gives me several results in Hunchly.

2

The first two are displayed because I manually tagged these pictures and added a caption. The third result is from a webpage that Hunchly captured, in which the person actually listed “SGT At Arms” as his current occupation. Hunchly also allows you to refine searches. I can narrow these results down and, for example, only search for Sergeants at Arms in a specific chapter. Searching for “arms + sacramento” only reveals one result, which I had captioned with the information I saw in the picture. As you see, the picture is actually mirrored.

3

All collected data is saved offline. Should the online profile ever change, be locked down or deleted, I still have a version to work with. By using Hunchly and remembering to tag pictures with captions and also take notes on webpages, I have created a useful database on Hells Angels Facebook profiles. From here on, it is also always possible to go to the live versions of webpages, so any updates can also be captured within the same casefile.

If you are not using Hunchly yet, I suggest you have a look at it. The use case described above is just one of many. Furthermore, if you ever come across friendship requests from people named “AFFA” or “HAMC”, you might want to think twice before accepting them. Or else you might wind up in my Hells Angels database.

Matthias Wilson / 07.03.2019

The World’s Best Sock Puppet…Not!

There are lots of great guides on how to create sock puppets. Rather than showing you a good example on how to do so, this post shows a horrible example that has been used in a recent phishing attempt.

I received a request to connect on LinkedIn from what clearly is coming from a badly created sock puppet. This request is actually a cheap phishing attempt, aimed at getting a hold of my phone number. Basically, the perpetrator made every mistake in the book when creating the profile. Let me walk you through the red flags I encountered. Or: How not to create a sock puppet!

Red Flag 1:

Bad English. Have a look at the message I received.

1

When looking at the vita, it is clear that Liya Lei should have better English skills!

Red Flag 2:

No contacts (blue box). As you can see, the profile has no listed number of contacts. This is an indicator that it was just recently created or that it is not well-tended.

Red Flag 3:

UKTI does not exist anymore (red box). UKTI stands for UK Trade & Investment, a UK government department working with businesses based in the UK. In July 2016, UKTI was replaced by the Department for International Trade. Again, either this is just a bad sock puppet or an account that is not well-tended. In both cases, it does not seem trustworthy enough to hand over my phone number to.

2

There are some additional steps that can be conducted to verify accounts. The first step is, of course, running the name through Google. In our case, it did not produce any results directly linked to the person shown in the picture. Furthermore, a reverse image search should be performed as well. Forget Google, use Yandex for this. Unfortunately, neither Yandex nor Google were able to find the picture.

Another method to verify LinkedIn accounts, is searching for the person’s email. Assuming the account is real, we should be able to identify a company email address. A quick Google query reveals that the domain ukti-invest.com was among those used by said organization. Next up, run the domain through hunter.io to gain information on the pattern used for their email addresses.

3

Ukti-invest.com uses “firstname.lastname”, so we can now check if an email address belonging to Liya Lei exists. I checked the email address on verifyemailaddress.org and it clearly shows that while the domain exists, the email address we provided does not.

4

I also tried a couple variations, including different domains, such as gov.uk, as well as other naming patterns just to be sure.

Following these steps, I have pretty much proven that Liya Lei’s account is a total hoax. A very bad sock puppet set up to phish my phone number. A final note to whomever tried to fool me:

Dear Sir or Madam,

Next time try harder! There are plenty of guides out there on how to build a credible sock puppet. Your cheap attempt is actually quite insulting and did not even push my OSINT skills to a limit.

Yours sincerely

Matthias Wilson / 21.01.2018

How I Became Ted Mosby

Remember Ted Mosby from the sitcom How I Met Your Mother? This fictional TV character inspired a pretext for social engineering in an actual investigation.

Not all investigations can be conducted solely online. Sometimes, information that is discovered on the internet has to be verified in the real world. Many of these cases then require certain social engineering skills to obtain access to otherwise restricted areas. One of the most important aspects of social engineering is the pretext used to present oneself. This is more than just a quick and simple lie, it requires the creation of a complete identity to impersonate someone that will be able to gain the trust of whoever you are using it against. A large portion of the pretexting process is actually OSINT: Gathering the relevant information in order to appear credible.

A while back, I was working on a case in which I had to verify the location of a certain company and try to figure out if the company actually did business there or if this address was just used as a mailbox. Google Street View was not helpful, as in most cases in Germany, and a quick walk-by revealed the address was a large gated town villa. No information on the target company was visible on mailboxes at the gate. To be completely sure, I had to gain inside access and in this particular case, my customer asked for conclusive evidence of my findings. The challenge was finding a way inside that would enable me to snoop around and even take pictures. Further research revealed that the town villa also accommodated a law firm, an advertising firm and an investment management company. I initially thought of posing as a parcel courier to gain entrance and then use a hidden camera to document what I found. However, this pretext came with lots of downsides. I would require a uniform, have to deliver a fake parcel (which would surely strike attention as soon they opened it) and using hidden cameras has always proven tricky in the past when trying to get quality images.

I did a little more OSINT research and found out the estate itself was designed and built by a famous German architect. It was one of his early works. At the time, I was just watching some old episodes of How I Met Your Mother. In one of the episodes, the main character Ted Mosby was giving an architecture lecture as a professor, boring his students with architectural facts. That gave me the idea to pose as a young architecture professor preparing a course on the style of architecture the town villa was built in. Of course, I would also need pictures of the house to point out certain style elements of the villa. With this idea in mind, I spent the next couple hours doing research and preparing my pretext. I learned quite a bit about the German historicism architecture of the 19th century and of course about the famous architect himself.

villa

The next morning I approached my target. Rather than ringing a doorbell and trying to gain access through the intercom, I choose to linger around the house and initially take pictures from the outside during a period in which I assumed people would be entering the estate to commence work. I planned to approach the first person I saw, tell them my cover story and hope to gain full access to the estate without raising suspicion. After all, I was just there to take a couple of pictures of the building itself. At this point, luck was on my side. The first person I encountered turned out to be the owner of the villa, who was in fact a direct descendant of the famous German architect that had built the place. This gentleman was so excited that a young professor wanted to use his estate as an example in class, that he happily invited me inside and allowed me to take as many pictures as I wanted. I received a complete tour, inside and out. I was able to take pictures of mailboxes inside the villa, have a peak into the office spaces and he told me about the current tenants, as well as answering my questions.  During this phase, I used all the architectural terminology I had learned to keep my cover upright.

In the end, I did not find any direct trace of the company I was looking for, nor was any office space for rent or any tenant moving out. However, I did see and take pictures of the internal mailbox belonging to the investment management company. This mailbox listed around 15 additional company names. Subsequent research linked one of those companies to the CEO of my actual target company and this proved to be a starting point for a whole network of letterbox companies.

That is the story of how I became Theodore Evelyn ‘Ted’ Mosby for a day and of course I did not use that name for my character. When I was a child, I remember my grandmother complaining about how harmful TV was and that what I watched was useless in real life. This one time, I guess I proved her wrong.

(By the way: No need in geolocating the villa in picture, it’s not the one from the actual case. However, it does look very similar)

Matthias Wilson / 09.01.2019

Image: CC BY 2.0 @HaPe_Gera (image cropped)

The Golden Age of OSINT is over

Change is coming and it will greatly affect the way OSINT investigations are conducted in the future. Who knows, in a couple of years completely different skill sets might be needed to handle online investigations. Are we prepared?

In the OSINT community we constantly have to deal with changes. New tools and new platforms are always on the rise, just as old platforms and tools become obsolete in an instant. Staying updated is a continuous challenge, much more than just one person can handle. Luckily, most members of the OSINT community are willing to share any new discoveries, especially on Twitter. Therefore, following the hashtag #OSINT on Twitter, as well as numerous OSINT-related accounts, is the first and most important step when working in any area that requires OSINT skills.

There is always a lot of chatter on the future of OSINT and unlike many others, I do not think that Python is the future of OSINT. Does OSINT even have a future? Let us fast forward to the year 2022 and have a look at online investigations then.

roads ends2

January 2022:

Over the past years, more and more people have been made aware of their own data privacy and this has massively changed the way they use online services. What started with the release of the ‘Snowden documents’ in 2013 and continued with massive data breaches, such as the Cambridge Analytica case made public in 2018, has led to the desire to share less information publicly. This development basically made Facebook obsolete and new platforms have arisen in its place. Although Facebook still exists, the data it contains only has historic value and cannot be used for current investigations, much like Google+ or MySpace a couple of years back. Even though Facebook tried to turn the tide by changing privacy settings, the damage done by many the data breaches was too much to convince users to maintain a presence on the platform. Nowadays, social media is more anonymous than before, modern platforms do not require or request real names and information shared is not automatically distributed publicly. For OSINT investigations, this means that a real name might not provide a starting point to search for someone online. The main starting point is now an obscured username, which is hopefully unique enough to be used in investigations. How can we identify a username, if we just have a real name to start with?

In modern social media this is almost impossible. Unlike the old Facebook, which gave us a display name and an account name (mostly based on the real name), today’s social media does not reveal the real name. So, either you know the username to start with or you are pretty much screwed. Of course, another possibility is searching ‘historic’ sites that have linked usernames to real names, such as Facebook or maybe even Twitter. There are also commercial databases and people search engines that offer these services for a small fee. However, if someone was OPSEC-savvy before 2019, he or she most likely will not be found online easily in 2022. Even with a unique username, the information that can be obtained from social networks is marginal, since everyone is well aware of their own data privacy. If you are not a part of your targets network, you will not see anything. No updates, no pictures. Even likes and other forms of indirect communication between accounts will not be publicly disclosed. This rendered many of the Python tools developed over the past years obsolete, as the data that can be scraped is mostly useless.

With that said, how does OSINT look today? In general, we have shifted from the passive gathering of information to more active means of collecting data. I call it virtual HUMINT (VUMINT). The objective of VUMINT is to infiltrate target networks during investigations in order to see information that is not openly available and possibly even interact with the target on a ‘personal’ level. Whereas sock puppets in 2019 where mainly used to gain access to social networks in general, sock pockets nowadays are needed to gain access to specific profiles of our targets and their closed networks. Now, more than ever, it is important to have lifelike and tailor-made sock puppets to achieve this objective. A blog post from 2019 is still useful and gives a good description of sock puppets and how they should be setup: The OSINT Puppeteer. Building a sock puppet for a specific account is not something that is done in a short period time, so receiving results through VUMINT takes much longer than information gathering through passive OSINT. Naturally, there is no guarantee that a target will add you to his or her network, no matter how good the sock puppet is. This means you might invest a lot of time in the creation of a sock puppet without achieving any notable results. In certain ways, it is very similar to a target-centric phishing campaign.

Another challenge in modern OSINT is the vast dissemination of unverified or untrue information on the internet. Everyone can post everything online in an instant and everyone wants to have news in a heartbeat, making it harder for press and media to thoroughly research events before releasing information. Media and press institutes that fact-check and verify first are losing the battle against quick-releasing competitors. The customer’s demand for instant information over reliable information has flooded the internet with rumors and ‘fake news’. During investigations, more and more time is spent conducting OSINT research on the credibility of data found on specific targets. Finding the original source of the information, the so-called Patient Zero, assessing its trustworthiness and then determining how and if the information can be used in our investigations. Today, it is not the actual collection of open source data that is the key, but the actual evaluation of this material.

One thing that has not changed, is the fact that the global corporations behind online platforms, and thus intelligence services, still have the possibility to use all the personal data on users however they desire. While OSINT collection and intelligence has become more challenging for everyone outside of these corporations and intelligence services, it is easier than ever for them to make use of personal data. Whether it is tailor-made advertising or extensive profiling through intelligence services, our data and of course ourselves are now more transparent than ever. There is no hiding from global corporations or intelligence services anymore if we want to use online services. Luckily (or unfortunately), the personal data is not sold or leaked as much as it was a couple years ago, limiting the benefit of commercial databases.

In 2022, the Golden Age of OSINT in investigations is over. The trends that started around 2015, e.g. automating OSINT, do not work anymore. Instead of learning how to code, maybe we should focus on social engineering a bit more. A good OSINT investigator in 2022, first and foremost, needs to be a good intelligence analyst and have some strong Human Intelligence skills.

Thank goodness it’s still 2019!

Matthias Wilson / 04.01.2019