Social Media around the World

When most people speak of social media, the have the ‘Big 3’ in mind: Facebook, Instagram & Twitter. But social media is so much more than just these three platforms, especially when it comes to OSINT on intelligence targets that don’t speak English.

In OSINT investigations we often end up scavenging social media to find information on our intelligence targets. Who are they connected to? Where have they been? What are their interests? These and many more questions can be answered by having a look a person’s profile. However, social media is constantly evolving and platforms that were relevant yesterday may not be relevant tomorrow. When I ask my daughter about Facebook, she says: “Facebook is for old people”. Thus, she does not have an account there. You would most likely find her dancing in TikTok videos, as with many other Generation Z youths. So age clearly defines which social media platforms are used. Another defining factor is the cultural background someone has. Maybe Facebook was never that big in that person’s country. The following graphic shows the evolution of social media worldwide and how Facebook became the most used platform. However, in some countries other platforms still have the upper hand and not all ‘legacy’ platforms overtaken by Facebook have been shut down. In this article I would like to give a brief overview of some of the lesser known platforms that may be useful for OSINT investigations.

VKontakte & Odnoklassniki

If your intelligence target is from a Russian-speaking country or has a Russian cultural background (or is a right-wing idiot that thinks he is being censored on Facebook), chances are high you might find this person on one of the Russian Facebook clones. The platforms VKontake (‘in contact’) and Odnoklassniki (‘classmates’) are very similar to Facebook when it comes to the functionality offered and the basic OSINT research techniques that can be applied here.

Above you can see a VKontakte profile. A profile picture, some more detailed information including a birthdate and current residence city, a friend list as well as posts and pictures. Pretty much what you can find on an average Facebook profile. As with other social media platforms, a user can choose to alter the privacy settings to hide information, so some profiles may not have an open friend list or may not share all posts with the overall public. An interesting feature on VKontakte is in the top right of the image: information when the profile was last active. In OSINT this is really helpful to figure out if a user is still active on the platform, even if no current content is posted. In many cases this last activity will lead back to the use of VKontakte as a messenger. People might not post content anymore, but will stay В Контакте (in contact) with others through this platform. The search functionality of VKontake is in some ways superior to what we now have on Facebook. At the top of the page is a search box. Filling in a search term here will enable us to browse through different categories of results and narrow these down by adding additional filters.

As you can see, you can filter people by age range, birth date information and even their views on smoking an alcohol. Posts can be sorted by the number of likes or the mentioning of specific links. All in all, there are some pretty neat filters in here.

Odnoklassniki is very similar, having friend lists, a date of birth on most profiles and information when the user was last active. The good thing with both VKontakte and Odnoklassniki, is that they accept multiple language settings, so you can use the platform in English and also a couple of other languages. If you search for names in Latin script, it will also show you corresponding results in Cyrillic script.

The last activity is right underneath the profile name and the searches in Odnoklassniki offer filters just like in VKontakte. They even allow users to add holiday destinations, which are also a filter criteria.

As I mentioned, this article is just a quick overview of some foreign social media platforms. There lots of other cool OSINT techniques that can help research here, including third-party sites to search by profile pics or sites that help with geo-referenced searches. But let’s leave that for future blog posts. Another example I want to show is very popular in the Persian-speaking community.

Facenama

Facenama is a big social media platform mainly used in Iran. At quick glance on SimilarWeb shows that this site is also accessed from other countries, as there are Iranian communities throughout the world.

Facenama looks very much like Facebook. Even the coloring scheme is identical (to the old Facebook UI).

Unfortunately, there is no way to change the language settings, but luckily the Google translate browser extension works quite well here.

The search bar in the top right of the page will enable you to search for user profiles. Just remember that the default language is Farsi, so most profiles will be in Arabic script (including profile names) and typing will occur from right to left.

The profiles will have the same type of information we have seen in the Russian sites: date of birth, friends, posts and much more (if these aren’t hidden due to privacy settings). Remember that dates will be shown in Persian, so you’ll probably have to use a calendar converter to make sense of these dates.

I could go on for hours listing and showing social media platforms: Gab for right wing nut jobs, Stayfriends for old German people, NK for Polish people and don’t even get me started on Chinese social media. The bottom line is, that there is more out there than just the ‘Big 3’ (Facebook, Instagram, Twitter). Before you start investigating someone, you should figure out where you might find these people online. Their age, culture, language, country of origin and personal taste will affect their choice of which web platforms they use and these might not always be in English. So, in the ongoing discussion of what I would like to get better at in OSINT, I didn’t choose to learn programming languages such as Python to automate tasks. I’d rather get a better grasp of languages (Arabic, Farsi, Russian, etc.) in general and master tools that help translate to help bolster by research efforts.

Matthias Wilson / 04.10.2020

The Impact of OSINT on Christmas

Proper intelligence is vital to prepare military and law enforcement operations or to provide information to political and business leadership prior to decision making. However, these are not the only people relying on good intelligence to get the job done. I had the honor of interviewing a very special person on his views of intelligence and how his organization utilizes it for one of the most challenging tasks known to mankind.

Sir, it is such an honor to have you here. Tell us a little about yourself. What exactly is your job and how does it involve intelligence work?

I go by many names, but please just call me Santa. I am in charge of a large organization tasked with bringing joy and fun to children worldwide on Christmas Eve. While I’m pretty sure you all know what I do during the Christmas night, not many people know what happens prior to this.

My organization and I have roughly 24 hours to deliver presents to children who deserve them. In order to accomplish this, a lot of planning is necessary and this planning is based on the information I receive from an intelligence agency within my organization. In Santa’s Secret Service, or S3, we mainly conduct GEOINT along with OSINT to make sure everything runs smooth on that one special night. Oh, and don’t confuse us with the Amazon web service.

Santa, while most of my readers are acquainted with terms such as GEOINT and OSINT, could you please explain what they are and possibly provide a use case from your organization.

Sure. I only have a limited timeframe to make sure I deliver everything to the right address. The route I take has to be carefully planned. The number of children on this world is steadily growing, more deliveries leave less room for mistkes. Even though my sleigh travels at an incredible speed…

How fast and how does that work?

I’m afraid that is classified. In order to properly plan the route, I rely on precise satellite imagery and maps. Imagery and maps from search engine providers are not up to date and commercial satellite imagery is not detailed enough. Keep in mind, my team has to figure out the best way into a chimney. We need a resolution of less than 0.3m to do so. Before Christmas, my sleigh is outfitted with an ultra high resolution imaging system and flies several sorties. While the actual collection of the imagery does not take that long, creating maps and the final route based on this is a bit more time-consuming. The whole process I just described is referred to as geospatial intelligence, or GEOINT.

Wow, that alone is probably a large amount of data collected each year. How do you process such massive amounts of data?

We have our own server infrastructure at S3. Located in vicinity of the North Pole, our energy consumption is lower than usual, because we have a natural cooling system.

 What happens after you have mapped the world?

I forgot to mention one thing. In order to plan the route, we need to know who will receive a delivery. Luckily, I have information on the address of each child from a classified source. But, does this child even deserve anything? We have to figure out who was naughty and nice. A lot of this is done through open source intelligence, or OSINT.

While we could use classic signals intelligence (SIGINT) to tap into communications and try to answer the question who is naughty or nice, we have found that OSINT provides the best “bang for the buck”. S3 has a very large team of OSINTers, who mainly monitor social media activities.

What exactly is your team looking into?

My OSINTers start off looking into profiles of the children, but not only to see how they behave. Depending on the region they live in, the platforms they use will differ. From Ask.fm to Weibo, there are many differnt sources to look at. We have seen TikTok blow up over the past months, but we also still obtain a lot of information from “older” platforms such as Facebook and Pinterest. These platforms also provide leads on the interests of our targeted subjects, which enables my organization to match them with the perfect present. We not only look at the children, but also monitor profiles of their family and friends, since relevant information is hidden here as well. As you can see, this is all a very deep intrusion into personal privacy. Therefore, we have very strict rules on how to handle this data, a massive auditing and compliance system and constant trainings for my team. If you thought GDPR was challenging, you wouldn’t want to know how much effort we put into protecting the privacy of our subjects!

Many children nowadays are active in closed communications, such as messengers, or they have restricted public access to their acounts by changing their privacy settings. How do you cope with this?

There are two different approaches we can take here. The first one is what you would call virtual HUMINT, or VUMINT. We try to place someone within a closed chat group using a false persona. For example, a group of friends has a WhatsApp channel with 20 participants. Using OSINT, we create a sock puppet credible enough to be invited into this group. In cases in which this works, we then can then instantly monitor 20 people. Of course, such actions are subject to much stricter rules and regulations that normal OSINT and are not performed often.

The second approach would be a classic computer network operation, or “hacking” an account. This is very rarely done and the methods and techniques are highly classified.

What about children who don’t have access to modern communications?

In this case, we rely on classic human intelligence, or HUMINT. Throughout the world, we have a network of sources directly providing us information. A lot of this is hearsay, so we try to confirm information with other sources before processing it. This actually also applies to data won through OSINT.

However, I would like to point out that at the end of the day we will never gather everything on everyone. Have you ever wondered why a spoiled and misbehaved child you knew received a nice present anyway? No matter how much effort we put into intelligence collection, there will always be a delta between what information is out there and which information we have obtained. I think that is the nature of intelligence work in general.

Circling back to OSINT, how does S3 ensure that they are up to date on new tools and techniques?

We do OSINT to enable OSINT. Of course, we follow #OSINT on Twitter and we also have someone monitoring osint.team as well as various blogs such as osintcurio.us and your blog.

Wow, I’m honored to have made it on S3’s reading list. I know you are quite busy, so we can wrap it up here. Is there anything else you would like to add?

Merry Christmas, happy OSINTing and I wish you all the best in 2020!

cropped-desktop-2.png

Matthias Wilson / 22.12.2019

Researching Right-Wing Extremism in Central Europe

How to start investigations on right-wing extremists? Work your way through multiple social media platforms and combine information to generate leads!

The recent Iron March Leak once again showed the extent of right-wing extremism within our society. This leak provided a massive mount of data to conduct online investigations. While Iron March was shut down, the individuals behind it still use many other platforms to disseminate their thoughts and ideas and to communicate among each other. Of course, the new communication channels they use won’t be found with a mere Google search. In order to find such sites, we will have to follow the digital breadcrumbs across various social media networks. In this article, I would like to show starting points for OSINT research and how to work your way through different platforms to identify potentially relevant information when tracking down right-wing extremists.

Looking through social media, we will unfortunately find lots of people that follow a racist or fascist ideology. These people might not be the actual targets we are looking for, but they could lead us to them. Especially in Germany and other central European countries, many people have left Facebook and Twitter after their accounts were temporarily suspended or deleted upon sharing hate speech, which under certain circumstances is a criminal offence. They found refuge on the Russian Facebook-clone VKontakte (short: VK) and Gab, as an alternative to Twitter. In order to access information on these platforms, we will of course have to create sockpuppets. VK also allows logging on with a Facebook-account, as do many other social media platforms.

Let us start our research from scratch. First, we will have to identify individuals that might be worth investigating. Since many of these individuals think of themselves as “patriots” in Germany, searching for this term might lead to some initial results on VK.

1

2.png

Et voilà, the first VK-group to investigate. As you can see, this group also cites a Facebook-page. However, the Facebook-presence has been deleted and does not exist anymore. Going through the posts on this page and having a look at the members clearly shows that we are on the right track. Below are profile pictures of some of the members. Many images shown here, such as the swastika, are banned by law in Germany. Yet, on VK German citizens are free to display their ideology without any notable repercussions.

3

While the information posted within the VK-Group “German Patriots” might not lead to real extremist sites, the information shared by members of the group on their personal profiles could get us there. With no way of automating the next step, one of the most important OSINT traits is now needed: perseverance. This means we will have look at a number of these personal profiles manually to find new leads. Instead of going through all 2000+ member-profiles, let us concentrate on the ones with the most disturbing profile pictures. One interesting aspect during this investigation, is the fact that many people that can be found here have Russian-ancestry. This means we might also find information on another Russian social platform called Odnoklassniki (short: OK). Keep this in mind when conducting OSINT on people of Russian origin.

It doesn’t take long and we find hints towards the use of other platforms and communication channels outside of VK. Some individuals have posted their Skype-usernames, some link Telegram channels. One post from January 2018 describes an independent message board outside of Facebook and VK. The author invites people to join this outside platform by commenting or liking the post, after which he will get in contact with them and invite them to the newly created site. Interestingly, he doesn’t disclose the name or URL of his VK and Facebook alternative.

4

The author hasn’t publicly been active on VK since this post, although he did access it just two days ago. VK displays the last time of user activity, a useful feature to determine if the account is still active, even if nothing is publicly posted.

5

Regarding the unspecified platform mentioned above, I remembered stumbling upon such a site while conducting a similar search on Facebook. There I had also started by looking for profiles and pages containing derivations of “patriot”. This led me to a page called “Patrioten-Treff”, promoting a Facebook-like platform.

6.png

It turns out that this project started in early or mid-2017 and by December 2017/January 2018 it had opened to public. It was exactly the type of right-wing extremist forum I was looking for.

7.png

8.png

Online shops, racist discussions, team speak servers, organized events; “Patrioten-Treff” had it all. By linking the information I had found on VK and Facebook, it is likely that the person I had come across on VK was actually part of the team behind this new right-wing social media alternative. By early 2019 it was offline, but the content displayed there was more radical than anything seen on standard social media. Regarding the reason it shut down, it could be out of lack of funding. Before “Patrioten-Treff” was taken down, they requested funding to cover the expenses. Payment could be made by Bitcoin, direct transfer, Alipay and Paypal. Again, providing further leads to conduct OSINT investigations.

9.png

Patrioten-Treff had 2,500 users and was not even able to raise 80 Euros a month. I guess right-wing extremists are a bit stingy. Next to financial support, content moderators were needed. These moderators would communicate using WhatsApp.

10.png

While Patrioten-Treff is currently offline, the Facebook-page continues to be active every once and while. A recent post from September 2019 shared a Telegramm channel of the German neo-Nazi party Der III. Weg.

11

In this cross-domain investigation, manually searching for information on one social media platform led us to a plethora of new starting points to dive into. From VK to Skype, from Facebook to Telegram, from Bitcoin to WhatsApp; there are now plenty of leads to follow up upon. Not all leads can be investigated with OSINT, but this type of intelligence might provide the information we need to conduct Virtual HUMINT (VUMINT), enabling an infiltration of the new message board, Telegram channels or WhatsApp groups. I didn’t go that far, but I’m sure someone or some organization did.

By the way, the methodology described above can also be used to track other extremist groups. I wonder if other groups are just as cheap as the right-wing that couldn’t raise 80 Euros to host a website?

Matthias Wilson / 01.12.2019

Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give a confused look if confront them MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media. Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not with their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designer to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an AndroidVM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.

1

Next up, choose the option in the middle, stating that would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.

2

Tapping ‘find contacts’ will show the amount of phone numbers that are linked to  TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.

3.png

If you have a nickname, even one derived from other platforms, these can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or last portion of the name. In the following screenshot I looked for nicknames containing ‘James’ and I was only shown names starting with ‘James’. The reason this is relevant, is that I have often found TikTok accounts to use prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.                                       4.png

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One of the ones I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.

6

There we go, two accounts containing the searchterm. Now you can have a look at the profile and check out any videos this profile has uploaded (and publically disclosed). It looks like this particular profile also links to further social media and websites, like I had mentioned before. Plus, the profile contains a video. Feel free to watch it!

7.png

Facebook may be fading (soon), but others platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

Matthias Wilson / 13.09.2019