OSINT Archives - Social Engineering Blogs

Soooo…. You’ve been on Facebook a while and you’ve set your privacy settings to whatever new super-secret stealthy hidden mode setting Facebook has. You probably also feel like none of your 400+ friends would ever tell anyone what you post. You look at articles about people posting things they shouldn’t going viral and you think “I’m so glad that’s not me. I would never do something like that.” I destroy that myth everyday at my job. In real life, I investigate leads in criminal cases which can aid my clients. A favorite place I go for these leads is social media.When I tell people I go to Facebook for leads, the first thing they like to say is “Well, you’re not going to find anything on me like that.” I’m polite so I smile and tell them “Probably not.” Of course, I’m lying. If I’ve told you that, this is where you’re probably feeling a little uneasy. Let’s be clear, if I don’t have an interest in finding something, I probably won’t find it. That’s not to say I can’t because I assure you I can.So, let’s breakdown how I might do a social media query. I won’t bore you with site specifics but I will address some things that are common throughout the social media investigations landscape. This is not to scare you. I am merely trying to inform you so you understand exactly what information you voluntarily give away.Disclaimer: For the experts: This in not all-inclusive and I’m aware of the many advances in social media investigations. This is mainly informative for those who may not know and to spark some discussion. All others: Please check whatever jurisdiction for whatever legalities may exist for you.The best way to illustrate this topic is to assume you’ll be doing a search yourself. If you don’t mind being spooked, try this on yourself assuming you’re a complete stranger who’s only been given the task of obtaining whatever information exists on you in social media. I recommend creating your own “blank” account that you have no affiliation with to get started. When we get to associates, feel free to pretend and assume the worse about people on your friends list you haven’t seen or spoken to in some time. Start with a subject. Having a name (preferably a first and last name is good). I’ve done this with neither. More on that later.Put the name in the search box of the social media site you’re searching. This fruitful if you’re seeing if someone is on the site or if the profile is possibly “hidden” from searches. The latter requires for you to know the subject is actually on the site. While doing this, play around with nicknames or aliases. A personal favorite of mine are email addresses. I also use their most used username if I know it. I have also looked up last names only just to see if someone posts things to a relative’s profile.When searching Google, try to place quotations marks at the beginning and end of your subject’s name. Also, type in site:whatever-the-social-media-site-you-think-they-are-on.com/net/org/edu/gov. Novice searchers give up because the results are too many. This narrows it down quite a bit.Despite what you think, no name is too common for a determined investigator. There are other things than our names that differentiate us. For example, your name is “John Smith”. That’s too common of a name for some investigators. But what happens when I search for “John Smith” in Dayton, OH who is a police officer married to a woman named Ebony? If you’re the target, you’re not as anonymous as you thought.Search them by username and old phone numbers. Sometimes, this is all you have to go on. Do it. That username may be their most commonly used one for everything. This could lead to old social media profiles (a time machine treasure trove of forgotten pics, lifetime issues and events, contacts, etc.), photo-sharing sites they frequent, articles they bookmark (Pinterest), comments they’ve made on other sites (Youtube can be great for this stuff), and sites they don’t want anyone to know they frequent. Getting the username can be tricky. If I have a confirmed profile for them, I’ll take the username that is in the profile’s URL and then perform an “exact phrase” search on Google.I like to try the phone numbers search quite a bit. I’m not looking for an address neccessarily if it’s a social media investigation. Some profiles are only searchable with a phone number. Also people post their numbers on sites that don’t value privacy. For example, you run a shop that sells auto parts. As such, you belonged to a parts forum online. There you posted your number to get orders under a username I never knew existed. Not only do I have historical data on you possibly but I may also get a look at your posts there as well whatever I can dig up on this old username.If none of this proves fruitful, try a Google Image search. You may not be aware of this but Google now allows you to search by image. That means, I don’t need your name to find you on the Internet. Sometimes, I find people use the same photo for most sites they frequent. Perhaps, you’ll find a site with a picture you have and can dig up useful information such as other pictures, other usernames, and most importantly, associates.Associates are where the money is. Seriously, most people assume, wrongly, their Facebook friends feel the same way they do about things or they feel some impunity with what they post to their audience. In some cases, this may be true. However, I can guarantee it probably is not. Finding associates can be tricky if you don’t know much about your subject. Hopefully, Google will help you out here. If not, I recommend spending the $19.95 to use people-search sites like Intelius or Spokeo. This should give you a list of names of people who either know your subject or lived in the same area as him. Also, try Classmates.com. Someone went to high school with your subject and I bet you they’re still on their Facebook friend’s list. Another feature of some site’s search engines is the suggest friend’s list. If you’re friends with their friends, social media sites like to let you know and ask if you want to be your subject’s friend. Of course, you don’t. But this provides with that profile you’ve been looking for or at least one of them.Old friendships are tricky. We think the people who have known us the longest have our best interests at heart. Let me assure, some of them don’t. Most people trust these folks with lots of personal information, when they go on a tirade or a rant. The simple truth is if someone has it in for you, they can voluntarily give anyone access to whatever you share with them online.This young lady thought she was being “funny” outside of Arlington. Several of her “friends” didn’t think so. Be careful what you “like”. People wrongly assume the pages they like or the comments they reply to on someone else’s page is somehow protected. Yeah, that is totally wrong. It is protected ONLY if they have set themselves up with the strictest privacy settings. Many times, a person’s “likes” can reveal about themselves even if an investigator can’t see anything else. A great example are Facebook Groups which advocate violence or are sexually explicit. Unfortunately, people forget to hide what pages they “like” and it suddenly has some bearing on something they never imagined it would.Search for a name in a foreign language. I see you laughing but I once had someone hide their profile by using another language to hide their name. It’s a great idea but as I ran out of options, I went to Google Translate and entered the subject’s name from English to Korean. Suddenly, her profile appeared.Search their friends’ friends list. Some people hide in plain sight. You may be searching for the right subject but entered the wrong letter. A friend’s friends list will probably have the name as something else.Search EVERY PHOTO, LOCATION TAG, EVENT SIGN-IN, etc. Sometimes, the information we seek is in places we dismiss as being “dry”. Look through EVERYTHING. Trust me. This alone can give you more associates, state of mind of your subject, places they’ve been or frequent, events they’ve been or locations they can be expected to be at, and all the drama that comes with social media picture posting.When you’ve found what you’re looking for, archive it. This sounds easier than you think. Grab your smartphone and take a picture of your screen where the information is. People trust screenshots more than they do a link they can click.Do this exercise on yourself and assume your current or future employer, spouse, child custody judge, friends, family, and others are doing the same. Those who get their 15 minutes of fame from poor Facebook posts never seem to think they’d get turned in by their “friends”. Also, here’s a tidbit – if you’re posting information you shouldn’t, never exclaim “I don’t care who sees this.” I GUARANTEE you will.*Some places I like to go to search for social media investigation querieswww.spokeo.comwww.pipl.comwww.linkedin.comwww.facebook.comwww.twitter.comwww.google.comimages.google.comwww.whitepages.comwww.intelius.comwww.blackbookonline.infowww.topsy.com *You’re not getting all of my trade secrets

Happy Easter everyone, I have some spare time so I thought I would put fingers to keyboard and put a blog post out I have had on my mind for the last month. Even though I plan to post every month, life with a little one and busy at work does get in the way, and I really don’t want to post something just for the sake of it. I always want to share information that is relevant and will be of value.

So with that in mind I wanted to talk about phishing, and how important it is to select the right bait.

So as a social engineer there are going to be many times when phishing is going to be the best approach to get your gig off to a good start. Phishing is a low risk approach, but the rewards can be very high.

The important thing to say at this point is I am talking about phishes that have a higher percentage chance of success, this might sound obvious but all phishes are not created equal. APT, Hacktivists and those just out to make a buck play the percentages, they send a large amount of email out, and the quality isnt always that great (You have seen them, you can spot them a mile off). Of course this is different to spear phishing, where things are more targeted and frankly they do a better job when it comes to the content of the phish. The reason I mention this is, if this is what your customer wants (they probably know the answer, and it might not help them in reality, or you for that matter) simulate it appropriately, but depending on your targets it could be hit and miss.

So how do you do it right? Like most things in social engineering do your homework. OSINT plays a big part here, what are your targets doing online, are there common interests, shared groups and themes around their activities. What types of language and communication is their employer using to communicate, what campaigns are running, what would be expected?? When I talk about language I mean both the actual language (many people involved in SE have to deal with people outside of the English speaking world), this doesn’t mean that you cant use English, your homework will tell you this, but regardless you are looking for the phrases, buzzwords, key names and meanings that will imply legitimacy.

Legitimacy is important, and will often force you to use languages and subjects that don’t shout spam and phishing email, but this is something important to consider also. What inbound controls are you facing, how will your email be graded, what tests can you do, how can you verify delivery of phish? These are all components you will need to be considering if you are truly simulating your customers external threat.

So lets assume legitimacy has played its part, your phish has arrived in the targets inbox, and they think it looks legit. So what is it that is going to make them open your attachment, or click that link? Influence that’s what. You may remember some time ago I wrote about the 6 rules of influence, well this approach will help you in your phishing attack. Perhaps they will click your link as they will gain access to something difficult to get hold of (scarcity), perhaps its a direction from the top and must be followed (authority), or perhaps its as simple as the chance of winning something, I mean who doesn’t want to get there hands on a sexy iPad 3.

Right so your target is all about the clicky clicky, you have succeed? Erm possibly not This is where playing the odds comes in handy. To get to this stage you have already had a few levels of phishing success, the mail made it pass all the ingress checking and arrived in the inbox, the subject was appropriate enough that your target opened and read the email, now they are clicking the link or opening the attachment. This is success, but I imagine in most cases now you want shells

Of course you do, who doesn’t. Of course if this works you can do the happy dance, but if it doesn’t you will be pulling out your initialed hanky and weeping like a baby. Why didn’t it work? Perhaps your payload wasn’t built properly, perhaps you set the handler up wrong, perhaps your system crashed, who knows, but you had all your eggs in that one basket. This is why you should play the odds with your phish, have multiple out, this leads to success at some level.

Playing the odds in my mind means the following. First of all I always try and include some form of credential harvesting component (Its a common winner in my experience), I also tend to employ the joys of a BeEF hook. I think BeEF has alot to offer in the future so now is a good time to build it into your approach (you can grab systems info, launch iFrames, keylogging and all sorts). Its also a good idea to consult your Apache logs to see whats being give away. If you do a sample wave of phishing you can use this as recon (I tend to use what I consider low value targets here) and find out browser types, plugins running, java versions etc, all important information for phishing. Include some browser exploits based on what your recon has informed you about, if you can do it transparently great, but if you need to pop up a windows or dialog box (ala Java Exploit) then make sure its believable.

This isnt an exclusive list by any means, and I appreciate I have not gone into huge detail (perhaps I will give a talk on it) but I really think you will see an increase if your success, and as a result increase the value of the service you provide to your customer. Oh and don’t forget, if its appropriate a little phone call could help in the legitimacy stakes and get that clicking going on

So as always I hope this was of some interest, and of some help. I welcome all questions and feedback, and if you liked it please feel free to share with others. Until next time, take care.