Intelligence Collection on the Train

Sometimes I miss my SIGINT days: Listening into my target’s phone calls and getting juicy intelligence out of this. However, you don’t always need SIGINT to eavesdrop on interesting conversations.

The company that I work for offers a broad variety of security products. When it comes to securing valuable data and information, most of our customers rely on technical solutions. However, the best firewalls and security suites will not help, if information is continuously disclosed outside of hardened IT-environments by careless employees. As a former SIGINTer I was always astonished about how much information my intelligence targets would openly share over non-secure lines. Now that I left SIGINT behind, I still have the chance to eavesdrop on conversations every once in a while.

I have a one-hour commute to work each day and the time I am on the train has proven to be a valuable social engineering and OSINT training ground. Two weeks ago, I was sitting on the train when a gentleman sat down next to me and immediately started making phone calls.

1https://unsplash.com/@jcgellidon

The second phone call went to a woman named Kelly Adams. I know this because I could see her name on the screen of his phone. I could hear everything he said and since his volume was cranked up, I could also hear parts of what Kelly had said. Curious as I am, I immediately googled Kelly. Based on what I had heard, I could narrow it down to three individuals. One woman working for a large German defense company and two others in IT firms. The topic of the conversation was a pretty significant retention bonus that Kelly would receive, if she decided to stay with the company and move to Munich. It turns out the company was currently relocating its headquarters to Munich.

As soon as the gentleman ended this conversation, he started writing emails on his phone. Again in plain sight and did I mention that I am very curious? It turned out his name is Andreas Müller. Searching for the combination “Kelly Adams” and “Andreas Müller” led to the exact company. Dr. Andreas Müller was the head of the research and development department of a large German defense company and Kelly was one of the leading project managers for a specific branch. I did not need any sophisticated OSINT skills here, a simple Google query and LinkedIn search was enough. Dr. Müller then sent the details of the retention bonus to someone named Alfred, whom I assume was in HR. If I would have been working for an opposing company, I could have easily used this information to counter the offer Kelly received. But wait, it gets even better!

Next up, Dr. Müller opened spreadsheets depicting the budget of certain projects. Dr. Müller was sitting on my right and I held my phone to my right ear, simulated a conversation and managed to get a couple pictures of his screen. As of now, I had seen enough and it was time to approach him.

“Excuse me, Dr. Müller. May I ask you a question?”

You should have seen the look on his face. Surprised and shocked, as he was clearly not expecting this. I asked him if the conversations and the emails he had looked at were sensitive. I told him what I had picked up from his conversation with Kelly and showed him a picture of the spreadsheet. Still shocked, he did not really know how to react. I explained my line of work and handed him a business card. Dr. Müller can consider himself lucky, usually I charge customers for this kind of consulting and I think he learned a valuable lesson.

Remember: No matter how good your cyber security measures are, the most important aspect is minimizing human error and taking security serious at all times. I have often read that there is no patch for human stupidity. I do not agree and I am sure that Dr. Müller has been “patched” after our train ride.

I guess I never will be able to let the SIGINT side of me go. I just love eavesdropping in on people, so be careful what you say in public or on your phone, you never know if someone is  listening!

Matthias Wilson / 26.03.2019

The World’s Best Sock Puppet…Not!

There are lots of great guides on how to create sock puppets. Rather than showing you a good example on how to do so, this post shows a horrible example that has been used in a recent phishing attempt.

I received a request to connect on LinkedIn from what clearly is coming from a badly created sock puppet. This request is actually a cheap phishing attempt, aimed at getting a hold of my phone number. Basically, the perpetrator made every mistake in the book when creating the profile. Let me walk you through the red flags I encountered. Or: How not to create a sock puppet!

Red Flag 1:

Bad English. Have a look at the message I received.

1

When looking at the vita, it is clear that Liya Lei should have better English skills!

Red Flag 2:

No contacts (blue box). As you can see, the profile has no listed number of contacts. This is an indicator that it was just recently created or that it is not well-tended.

Red Flag 3:

UKTI does not exist anymore (red box). UKTI stands for UK Trade & Investment, a UK government department working with businesses based in the UK. In July 2016, UKTI was replaced by the Department for International Trade. Again, either this is just a bad sock puppet or an account that is not well-tended. In both cases, it does not seem trustworthy enough to hand over my phone number to.

2

There are some additional steps that can be conducted to verify accounts. The first step is, of course, running the name through Google. In our case, it did not produce any results directly linked to the person shown in the picture. Furthermore, a reverse image search should be performed as well. Forget Google, use Yandex for this. Unfortunately, neither Yandex nor Google were able to find the picture.

Another method to verify LinkedIn accounts, is searching for the person’s email. Assuming the account is real, we should be able to identify a company email address. A quick Google query reveals that the domain ukti-invest.com was among those used by said organization. Next up, run the domain through hunter.io to gain information on the pattern used for their email addresses.

3

Ukti-invest.com uses “firstname.lastname”, so we can now check if an email address belonging to Liya Lei exists. I checked the email address on verifyemailaddress.org and it clearly shows that while the domain exists, the email address we provided does not.

4

I also tried a couple variations, including different domains, such as gov.uk, as well as other naming patterns just to be sure.

Following these steps, I have pretty much proven that Liya Lei’s account is a total hoax. A very bad sock puppet set up to phish my phone number. A final note to whomever tried to fool me:

Dear Sir or Madam,

Next time try harder! There are plenty of guides out there on how to build a credible sock puppet. Your cheap attempt is actually quite insulting and did not even push my OSINT skills to a limit.

Yours sincerely

Matthias Wilson / 21.01.2018

How I Became Ted Mosby

Remember Ted Mosby from the sitcom How I Met Your Mother? This fictional TV character inspired a pretext for social engineering in an actual investigation.

Not all investigations can be conducted solely online. Sometimes, information that is discovered on the internet has to be verified in the real world. Many of these cases then require certain social engineering skills to obtain access to otherwise restricted areas. One of the most important aspects of social engineering is the pretext used to present oneself. This is more than just a quick and simple lie, it requires the creation of a complete identity to impersonate someone that will be able to gain the trust of whoever you are using it against. A large portion of the pretexting process is actually OSINT: Gathering the relevant information in order to appear credible.

A while back, I was working on a case in which I had to verify the location of a certain company and try to figure out if the company actually did business there or if this address was just used as a mailbox. Google Street View was not helpful, as in most cases in Germany, and a quick walk-by revealed the address was a large gated town villa. No information on the target company was visible on mailboxes at the gate. To be completely sure, I had to gain inside access and in this particular case, my customer asked for conclusive evidence of my findings. The challenge was finding a way inside that would enable me to snoop around and even take pictures. Further research revealed that the town villa also accommodated a law firm, an advertising firm and an investment management company. I initially thought of posing as a parcel courier to gain entrance and then use a hidden camera to document what I found. However, this pretext came with lots of downsides. I would require a uniform, have to deliver a fake parcel (which would surely strike attention as soon they opened it) and using hidden cameras has always proven tricky in the past when trying to get quality images.

I did a little more OSINT research and found out the estate itself was designed and built by a famous German architect. It was one of his early works. At the time, I was just watching some old episodes of How I Met Your Mother. In one of the episodes, the main character Ted Mosby was giving an architecture lecture as a professor, boring his students with architectural facts. That gave me the idea to pose as a young architecture professor preparing a course on the style of architecture the town villa was built in. Of course, I would also need pictures of the house to point out certain style elements of the villa. With this idea in mind, I spent the next couple hours doing research and preparing my pretext. I learned quite a bit about the German historicism architecture of the 19th century and of course about the famous architect himself.

villa

The next morning I approached my target. Rather than ringing a doorbell and trying to gain access through the intercom, I choose to linger around the house and initially take pictures from the outside during a period in which I assumed people would be entering the estate to commence work. I planned to approach the first person I saw, tell them my cover story and hope to gain full access to the estate without raising suspicion. After all, I was just there to take a couple of pictures of the building itself. At this point, luck was on my side. The first person I encountered turned out to be the owner of the villa, who was in fact a direct descendant of the famous German architect that had built the place. This gentleman was so excited that a young professor wanted to use his estate as an example in class, that he happily invited me inside and allowed me to take as many pictures as I wanted. I received a complete tour, inside and out. I was able to take pictures of mailboxes inside the villa, have a peak into the office spaces and he told me about the current tenants, as well as answering my questions.  During this phase, I used all the architectural terminology I had learned to keep my cover upright.

In the end, I did not find any direct trace of the company I was looking for, nor was any office space for rent or any tenant moving out. However, I did see and take pictures of the internal mailbox belonging to the investment management company. This mailbox listed around 15 additional company names. Subsequent research linked one of those companies to the CEO of my actual target company and this proved to be a starting point for a whole network of letterbox companies.

That is the story of how I became Theodore Evelyn ‘Ted’ Mosby for a day and of course I did not use that name for my character. When I was a child, I remember my grandmother complaining about how harmful TV was and that what I watched was useless in real life. This one time, I guess I proved her wrong.

(By the way: No need in geolocating the villa in picture, it’s not the one from the actual case. However, it does look very similar)

Matthias Wilson / 09.01.2019

Image: CC BY 2.0 @HaPe_Gera (image cropped)

The Golden Age of OSINT is over

Change is coming and it will greatly affect the way OSINT investigations are conducted in the future. Who knows, in a couple of years completely different skill sets might be needed to handle online investigations. Are we prepared?

In the OSINT community we constantly have to deal with changes. New tools and new platforms are always on the rise, just as old platforms and tools become obsolete in an instant. Staying updated is a continuous challenge, much more than just one person can handle. Luckily, most members of the OSINT community are willing to share any new discoveries, especially on Twitter. Therefore, following the hashtag #OSINT on Twitter, as well as numerous OSINT-related accounts, is the first and most important step when working in any area that requires OSINT skills.

There is always a lot of chatter on the future of OSINT and unlike many others, I do not think that Python is the future of OSINT. Does OSINT even have a future? Let us fast forward to the year 2022 and have a look at online investigations then.

roads ends2

January 2022:

Over the past years, more and more people have been made aware of their own data privacy and this has massively changed the way they use online services. What started with the release of the ‘Snowden documents’ in 2013 and continued with massive data breaches, such as the Cambridge Analytica case made public in 2018, has led to the desire to share less information publicly. This development basically made Facebook obsolete and new platforms have arisen in its place. Although Facebook still exists, the data it contains only has historic value and cannot be used for current investigations, much like Google+ or MySpace a couple of years back. Even though Facebook tried to turn the tide by changing privacy settings, the damage done by many the data breaches was too much to convince users to maintain a presence on the platform. Nowadays, social media is more anonymous than before, modern platforms do not require or request real names and information shared is not automatically distributed publicly. For OSINT investigations, this means that a real name might not provide a starting point to search for someone online. The main starting point is now an obscured username, which is hopefully unique enough to be used in investigations. How can we identify a username, if we just have a real name to start with?

In modern social media this is almost impossible. Unlike the old Facebook, which gave us a display name and an account name (mostly based on the real name), today’s social media does not reveal the real name. So, either you know the username to start with or you are pretty much screwed. Of course, another possibility is searching ‘historic’ sites that have linked usernames to real names, such as Facebook or maybe even Twitter. There are also commercial databases and people search engines that offer these services for a small fee. However, if someone was OPSEC-savvy before 2019, he or she most likely will not be found online easily in 2022. Even with a unique username, the information that can be obtained from social networks is marginal, since everyone is well aware of their own data privacy. If you are not a part of your targets network, you will not see anything. No updates, no pictures. Even likes and other forms of indirect communication between accounts will not be publicly disclosed. This rendered many of the Python tools developed over the past years obsolete, as the data that can be scraped is mostly useless.

With that said, how does OSINT look today? In general, we have shifted from the passive gathering of information to more active means of collecting data. I call it virtual HUMINT (VUMINT). The objective of VUMINT is to infiltrate target networks during investigations in order to see information that is not openly available and possibly even interact with the target on a ‘personal’ level. Whereas sock puppets in 2019 where mainly used to gain access to social networks in general, sock pockets nowadays are needed to gain access to specific profiles of our targets and their closed networks. Now, more than ever, it is important to have lifelike and tailor-made sock puppets to achieve this objective. A blog post from 2019 is still useful and gives a good description of sock puppets and how they should be setup: The OSINT Puppeteer. Building a sock puppet for a specific account is not something that is done in a short period time, so receiving results through VUMINT takes much longer than information gathering through passive OSINT. Naturally, there is no guarantee that a target will add you to his or her network, no matter how good the sock puppet is. This means you might invest a lot of time in the creation of a sock puppet without achieving any notable results. In certain ways, it is very similar to a target-centric phishing campaign.

Another challenge in modern OSINT is the vast dissemination of unverified or untrue information on the internet. Everyone can post everything online in an instant and everyone wants to have news in a heartbeat, making it harder for press and media to thoroughly research events before releasing information. Media and press institutes that fact-check and verify first are losing the battle against quick-releasing competitors. The customer’s demand for instant information over reliable information has flooded the internet with rumors and ‘fake news’. During investigations, more and more time is spent conducting OSINT research on the credibility of data found on specific targets. Finding the original source of the information, the so-called Patient Zero, assessing its trustworthiness and then determining how and if the information can be used in our investigations. Today, it is not the actual collection of open source data that is the key, but the actual evaluation of this material.

One thing that has not changed, is the fact that the global corporations behind online platforms, and thus intelligence services, still have the possibility to use all the personal data on users however they desire. While OSINT collection and intelligence has become more challenging for everyone outside of these corporations and intelligence services, it is easier than ever for them to make use of personal data. Whether it is tailor-made advertising or extensive profiling through intelligence services, our data and of course ourselves are now more transparent than ever. There is no hiding from global corporations or intelligence services anymore if we want to use online services. Luckily (or unfortunately), the personal data is not sold or leaked as much as it was a couple years ago, limiting the benefit of commercial databases.

In 2022, the Golden Age of OSINT in investigations is over. The trends that started around 2015, e.g. automating OSINT, do not work anymore. Instead of learning how to code, maybe we should focus on social engineering a bit more. A good OSINT investigator in 2022, first and foremost, needs to be a good intelligence analyst and have some strong Human Intelligence skills.

Thank goodness it’s still 2019!

Matthias Wilson / 04.01.2019

Vlog Post: Swipe right for OSINT

Tinder is not only great to meet other people, but also for OSINT. Finding matches can provide starting points for social engineering and further OSINT research.

You want to identify soldiers on a specific, isolated miltiary base? Or find employees of a large company for a social engineering approach? Or maybe just check if someone you know is using Tinder?

Try setting up a fake Tinder account and spoofing the GPS on your phone to the location you expect your target to be. Alternatively you can also use an Android emulator, such as Bluestacks, on your computer.

Matthias Wilson / 23.11.2018

Vlog Post: OSINT – A Starting Point for other Intelligence Gathering Disciplines

After playing around a bit with different video production platforms, I think we finally found something that suits our needs. In the future we will try to produce short and informative videos for the tl;dr fraction. Warning: These might contain humor and sarcasm!

This is a first try, feel free to comment and provide feedback.

Matthias Wilson / 25.10.2018