Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give a confused look if confront them MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media. Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not with their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designer to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an AndroidVM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.

Next up, choose the option in the middle, stating that would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.

Tapping ‘find contacts’ will show the amount of phone numbers that are linked to TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.

If you have a nickname, even one derived from other platforms, these can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or last portion of the name. In the following screenshot I looked for nicknames containing ‘James’ and I was only shown names starting with ‘James’. The reason this is relevant, is that I have often found TikTok accounts to use prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One of the ones I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.

There we go, two accounts containing the searchterm. Now you can have a look at the profile and check out any videos this profile has uploaded (and publically disclosed). It looks like this particular profile also links to further social media and websites, like I had mentioned before. Plus, the profile contains a video. Feel free to watch it!

Facebook may be fading (soon), but others platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

MW-OSINT / 13.09.2019

Unravelling the Norton Scam – Chapter 5

Never be too careless with what you post on social media. It might come back to haunt you one day and in the case of our investigations it sure led to some key findings on the scam network!

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Chapter 5 – Mistakes on social media

The ultimate goal of our investigation was to find the people behind the scam. So far, we had found fake personas and most of the WHOIS data was misleading as well. Of all the people we came across, there was still a reasonable amount of doubt that they were actually involved in the scam, or we couldn’t reveal their true identities for sure. In our hunt for the truth we also turned to social media, hoping to find someone connected to our case.

As previously mentioned, most names used to register websites were clearly fake. Nancy Wilson and Steve Dalton were among the favorites. However, we did notice that the majority of sites had Indian addresses in the WHOIS data. In particular, two addresses reoccurred often: one in Noida and one in Gurgaon (also known as Gurugram). We decided to find Facebook profiles that had visited both cities and that were also linked to East Peoria, the city in Illinois that the scammers posted on their websites. Maybe someone was careless enough and had checked into all three places. Of course, this was done a while back when the Facebook graph search was still working.

Jackpot! While we hadn’t expected to find anything on this wild query, one Facebook profile matched our search. This person, named Baljeet, was a very active social media user and constantly checked into places on Facebook. Among these check-ins were Noida, Gurgaon and East Peoria.

Intelligence collection always feeds on mistakes your adversaries or intelligence targets make, and Baljeet committed a major blunder here. Soon after, we found ourselves digging into Baljeet’s profile. It turns out, that he had frequently visited locations (marked in blue) in the vicinity of the office building (marked in red) which was found in the WHOIS data of the scam sites and in which we suspected the team of developers behind these sites to be located.

At the same time, we discovered that Baljeet registered a website with his full name and actual email address, which we had found in his Twitter timeline. This website was providing web design services to customers in the US. And guess what? The site was using the same address in East Peoria and also the same phone number as the scam sites! I decided to have a little chat with Baljeet on Facebook to confront him with this information.

The conversation went on for a while and Baljeet kept coming up with excuses and dodgy information on why his website was using the same address and phone number as the scam sites. After our talks, he actually took down both for a while, but the address is back on the website today. To us it is clear: Baljeet is definitely involved in this scam. You don’t just sit in India and coincidently use the same address (in the middle of nowhere) and phone number as multiple scam sites on your own site. You don’t just coincidently happen to work in vicinity of addresses we have attributed to the scam sites.

While looking into other social media profiles used by Baljeet, we came across other indicators that fit the overall picture. A couple days ago, he proudly posted the following on Twitter: A certificate of an advanced Google Analytics course (my browser was set to German when I opened the link).

As you can see, the information we won from social media research led to us a prime suspect in our case. Not only did we have a real name now, we also had a unique username, a pattern of life and enough information to verify his involvement in our scam.

Our social media research also led to many more key findings. One of the phone numbers we found in the scam sites’ WHOIS data was also posting job advertisements on Facebook.

A call center agent providing support to activate Norton? That’s exactly how our hunt started. Looks like it is all coming together! The information we gathered throughout our social media research was invaluable and had us dig even deeper into WHOIS data and source code from the scam websites, leading to unravelling the whole network behind it. But that is something for the coming chapters.

Sector035/MW-OSINT – 15.08.2019

Using Strava in Law Enforcement Investigations

Strava is social network used to track athletic activities with wearables that has been fallen into disrepute in the past, because its Global Heatmap featured the ability to pinpoint military bases and patrols as well as covert locations of intelligence services, based on the aggregated user information. Initally, zooming into the heatmap would also reveal the profiles of individual athletes. That isn’t exactly how you imagine OPSEC.

This sparked a huge outcry, and several nation’s militaries subsequently banned the use of activity trackers. Strava also reacted promptly, updating the heatmap and ensuring that they “respect your privacy and share your concerns about the security of information you may submit to Strava’s websites”.

However, even after the updates made, it is still possible to harvest sensitive information from the data published by Strava. Strava informs users via their website that if the Enhanced Privacy Mode is toggled on, “your activities are still visible in public locations like the Flyby, group activity features, and segment, public club, and challenge leaderboards”. The means that profiles of individual athletes can still be accessed through segment leaderboards.

Now how can we use this knowledge for law enforcement investigations?

Imagine the following situation: The body of an unidentified male was found on July 18^th 2017 near a pond named “Amphibientümpel” in the Forstenrieder Park in Munich. Initial crime scene investigations come to the conclusion, that the victim was murdered on site. The autopsy reveals that the victim had deceased during the afternoon of July 16^th 2017.

The Forstenrieder Park is favored among athletes. Dozens of runners, hikers and cyclists use the trail next to which the body was found on a daily basis. Maybe one of them had noticed something suspicious on the day of the crime?

Law enforcement investigators trained in OSINT check the Strava website to see if the aforementioned trail is classified as a segment. It is and on the day of the crime, two top times were added to the segment’s leaderboard. Via this leaderboard the investigators are able to access the profiles of these athletes, including the names of both and also pictures they have uploaded.

One of these athletes uses Enhanced Privacy Mode, hiding the athletic activities on his profile from users. To view these activities he must give consent to individual users and allow them to follow him.

The other athlete publicly provides access to all his data. After all, he is using Strava to compare himself with other athletes. The investigators go through his activities and notice that the run listed in the leaderboard started at 16:59 p.m. In conclusion, he was in the vicinity of the crime scene at the presumed time of death.

The athlete uses his real name in his profile, which makes it easy for the investigators to find him and contact him for further questioning. The athlete was unaware of the crime as of now. However, he did recall seeing a small truck parked in between trees near the pond that afternoon. According to his accounts, the truck belonged to a local crafts business. Although he had initially wondered as to why the vehicle was parked there, he hadn’t spent any thoughts on it after the run. This clue was vital to commence further investigations and eventually led to an arrest.

The quintessence of the story: OSINT should be integral part of all investigations. In our case, OSINT provided a witness and this witness’ accounts led to solving this violent crime. Nonetheless, this requires skilled investigators…

Sebastian Schramm / 31.08.2018