Guerrilla Intel Gathering

June 23, 2016
#Social Engineering #Manipulation #Persuasion #intel gathering #people watching #perception training

Please read the other posts in this series first.


Data is king these days so let's talk more about intel gathering (aka OSINT) to really round out your ability to portray new identities and get a better idea of people's inner story. I'd suggest collecting this data and "visualizing" it to really highlight coincidence vs common traits (especially for group heuristics) - whatever method works best for you.

Advanced people watching

As briefly mentioned in the prior post, people watching is a great way to do some basic intel gathering, but you need to pay close attention to the fine details; a laborer who shows up to a job site at 1pm in new/clean clothing with smooth hands can draw unwanted concern/suspicion. This looks inherently suspect and, although it's not impossible to talk your way out of, generally speaking the fewer "road bumps" the better.

Once you've mastered picking up traits of one person/type of person you can move on to trying to recognize and recall these traits among multiple people or settings. One way to do this is a simple "awareness" game where you give yourself goals for the trip - this is best played with 2+ people where you ask each other questions (ex: what necklace did the lady in the red dress have on?) but you can substitute taking notes/photos for the second person and compare them to your memory.


Ex 1:

Remember entrance and exit details of buildings (number, location, foot traffic), guard patrols, camera placements, "secure" areas, infrastructure points (alarms, electrical boxes, network access ports/routers etc) and highly congested areas in the stores. Practice "lingering" by pretending to be conflicted about a purchase, talking on the phone, or waiting for someone; also try taking pictures in concealed/inconspicuous ways.


Ex 2:

Try to examine groups of people (start small, say 2-5); try finding the "hierarchy", what status cues/symbols they use, group norms and taboos, try to pick out the "alpha and beta", and find any common traits for heuristics (in addition to things listed in the last post). Even do "case studies" where you follow the same group around etc.


This can be extrapolated to getting familiar with the various industries/companies you want to exploit by working in them, even if only briefly or in limited capacities; you can likely get information by asking former employees online/in person about their experience via elicitation, or straight from the company website/blog/Facebook itself as well. Elicitation dates back to Sun Tzu and was most recently made popular by a Nazi interrogator named Hanns Scharff. It can be tricky but the general idea is to start a "normal" conversation and avoid asking direct questions. People are primed to desire sharing and feeling useful/validated, so simply being interested in them is often enough to keep them talking; you can slowly guide the conversation from there.

Some of the best people to "get cozy with", bug their machine/phone, or phish etc are HR representatives and secretaries. Not only is this group typically bad with technology, they are also massive information hubs. HR has access to information about people that even IT may not have and secretaries are often the gossip mills/information hubs of the office. Many personal secretaries run most of their C-level or VIP's life and may even have all their passwords/account information as well.

Some security experts, for example, will work in either programming or system/network admin for a while so they have an intimate understanding of the "best practices" and most common traits, problems, gear, approaches/schools of thought, and vendors between companies. You want to focus primarily on culture/feel, any information on business processes/best practices, jargon/lingo and things of that nature. Simply knowing "insider" jargon, lingo, and procedures from a company, industry, or other group/hobby can be enough to persuade someone in a split-second decision.


Ex 1: Company calls their "IT" department ITB (Information Technology Branch) and you're phishing for passwords.

"Hey it's Steve from ITB - going to be doing some after hours work on your machine. What's your username and password?"


Ex 2: Talking to a dirtbike/ATV enthusiast who is the hiring manager for a job you want.

"[After listening to his story] I miss my 350 Banshee - used to do amateur racing. It took me a while to get used to popping the clutch for the holeshot and mixing oil properly for the 2 stroke but that was the hardest part. Kicked me on my ass once or twice but fell in love once I got it down."


Ex 3: Pretending to be an army vet

"Saw all kinds of crazy shit in army 11b though only made it to pfc (E3). Almost got run over while sleeping when another unit drove through our perimeter. Almost got landed on by a Blackhawk helicopter on the LZ. Sat directly on top of an IED for about 15 mins then our convoy moved a bit and it ended up killing a close friend of mine. A mortar landed about 25 feet away from me - somehow I was absolutely fine but pissed because it took out the ac unit to our building."


Perception Training

It may sound basic (and it is) but good perception and peripheral vision skills can really come in handy. I've gotten people's passwords, email addresses, skimmed benefit/salary package and sensitive corporate information just from looking in my peripherals. On my last trip I got the names and emails of an entire executive team of managers (sat next to the CFO), got an idea of his writing style, took a picture of his signature to reproduce later (disguised as an "out the window shot"), and got detailed insider information about the company from a lengthy email he was drafting. If I was more nefarious this is a goldmine for targeted phishing... say for a wire fraud scam?

Try expanding your peripheral vision and the attention you give it as much as possible. I discovered one good way to do this completely accidentally thanks to a roommate; he used to constantly change out one object in our house with another and it nearly drove me mad because every day/week/month I'd have something new and strange in the corner of my peripheral vision which would cause an "alarming, defensive" reaction. This will work best if you have a friend, family member, or roommate who can help "surprise you" by changing something but you can likely do it to yourself. This can change daily, weekly, monthly, randomly... mix it up.

Another good method is what I call "peripheral markers" which is where you tie an object in your peripheral vision with an event that happens at a certain point along your vision path. You want to pick objects that are least likely to change in the background since they will have the highest reliability; I wouldn't rely on them completely since the environment can change but they are definitely useful and great for training.


Ex 1:

My old kitchen had a perfect hiding spot for boxes of food between the toaster oven and sink area - this spot happened to coincide with the start of the first step heading down and out of the house. I knew that step was coming once I saw the box of food in the very far corner of my peripheral vision.


Ex 2:

On an old drive to work I often took a dirt road shortcut. Every few months it got some potholes and I tied the start of one nasty bunch to a telephone pole that gets about 50% through my peripheral vision. Once I started seeing that pole I knew to prepare, then once it got to 50% of the view I cut left to avoid them.


Ex 3:

When walking around stores I try tying ends of aisles or other "markers" to camera locations in my vision path.


Abusing the Information Age

The "information age" has seen tons of data released into the public domain. Companies like Data.com sell/trade company contact info, "people search engines" like Spokeo can have vast amounts of publicly scraped data (sometimes outdated or incorrect), Glassdoor has corporate reviews that can reveal good information about company culture/process/internal problems, public social media such as Twitter/Facebook/LinkedIn/Reddit is a treasure trove (especially if you act as an impostor), there are often searchable public records such as PACER, there are occasionally independently run "snoop sites" like SnoopSnoo, text analysis like IBM's Watson, reverse image/font search engines, and even Google search operators can be incredibly helpful in making this process a quick one. OSINT Framework has an incredible list of the various places to look.

I once tracked down a Reddit user who foolishly used the same account name on multiple sites and found his close family/friends, their phone/contact info (granted it was slightly old), and their addresses all from about 3 minutes of Googling and using these free services. Being fair though, this person was practically begging for it to happen and I let them know the severity of the situation via PM.

Some edited pictures below - the process went Google Reddit username (he used his first initial + last name) -> Twitter (got his location, has since changed to "Undisclosed NC" which is better but...) -> Spokeo -> Found.





One step further - become a "professional"

You could set up a business Gmail or just buy a cheap domain and email combination to try looking more "legitimate" in sales/phishing endeavors. You may even be able to SE some of these data brokers into dealing with you just by having a legitimate looking email address; could also try incorporating yourself into an LLC (or your country's equivalent) or look into local Private Investigator requirements. Either way, being a "business" rather than an "average joe consumer" opens many doors for background checks using products like idiCORE or LexisNexis. Sure, there might be licensing fees and maybe even standards such as "you need to have X clients/cases per year" or X years' experience etc but you can always have friends/family make "bogus" requests where you get the money back and just pay tax on the transaction.

Write it off as the cost of doing business.
