Case Study: Social Media OSINT

September 21, 2016
#intel gathering #Beginner #security #offense #OSINT #Social Media #Facebook #pentesting #penetration testing #case study

This post is a basic overview of OSINT against someone's social media presence, using a Facebook account as the example. The same principles apply fairly uniformly across the various social media sites, and the more technically inclined may want to look at each site's API to automate as much of the collection as possible. Although some automation is mentioned briefly later, it is mostly beyond the scope of this post; as an example of what is available, Twitter's API lets you download nearly every tweet someone has posted, and their new Tweetdeck feature offers advanced search.

Finding their accounts

The first thing to do is find their pages and accounts: search for their name, location, and any handles or display names already known from other forums and websites. You can use the native Facebook search or Google search operators. Simple examples:

[name] [location] site:facebook.com 
[name] "[college]" [sport team name/event name]

Another thing to look at is how each site constructs its profile URL: type in their name as if you already knew the URL. Try this across as many sites as you can to establish patterns and baseline behavior (Twitter, YouTube, LinkedIn, Instagram, Pinterest, journals/blogs, hobby/niche forums, messaging apps, etc.).

Examples (screenshots in the original post):

  • "static": a fixed user handle reused across sites
  • "ttas": first initial + last name
We can look for other accounts using just their handle or display name, but we can also add reverse image searches of profile pictures to find their other accounts. Try flipping or otherwise manipulating the picture before searching, since people often flip or alter their own photos precisely to avoid being found this way. You can even target specific objects in pictures "automagically" using sites like imagga, as this interesting tutorial explains.
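To show why the flipping advice matters, here is an added example (not code from the original post) using an average hash, the kind of perceptual fingerprint reverse-image matching is built on. A horizontal flip changes almost every bit of the fingerprint, so the flipped copy looks like a different image; hashing the mirrored and rotated variants of the picture you already hold recovers the match. The 8x8 greyscale "image" is constructed for the example; a real implementation would downsample an actual file first.

```python
"""Average-hash (aHash) matching across flips and rotations.

Added example, not part of the original post.  REFERENCE is a constructed
8x8 greyscale image; in practice you would downsample a real picture to 8x8.
"""


def ahash(img):
    """One bit per pixel: 1 when the pixel is brighter than the image mean."""
    pixels = [p for row in img for p in row]
    mean = sum(pixels) / len(pixels)
    return int("".join("1" if p > mean else "0" for p in pixels), 2)


def flip_h(img):
    return [list(reversed(row)) for row in img]


def flip_v(img):
    return list(reversed(img))


def rot180(img):
    return flip_v(flip_h(img))


# The transforms someone is likely to apply to dodge a reverse-image search.
VARIANTS = {"identity": lambda i: i, "flip_h": flip_h, "flip_v": flip_v, "rot180": rot180}


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def best_match(candidate_hash, reference_img, threshold=10):
    """Compare a found picture's hash against every variant of the picture we
    already hold.  Returns (variant_name, distance), or None if nothing is
    within threshold bits (10 of 64 is a common aHash cut-off)."""
    best = None
    for name, fn in VARIANTS.items():
        d = hamming(candidate_hash, ahash(fn(reference_img)))
        if best is None or d < best[1]:
            best = (name, d)
    return best if best[1] <= threshold else None


# Constructed 8x8 image: bright on the left, dark on the right, with a dark
# notch in the top-left corner so the four variants are all distinct.
REFERENCE = [[0] + [200] * 3 + [20] * 4] + [[200] * 4 + [20] * 4 for _ in range(7)]

if __name__ == "__main__":
    found = flip_h(REFERENCE)            # the "other account" uses a mirrored copy
    print("naive distance:", hamming(ahash(REFERENCE), ahash(found)))
    print("with variants:", best_match(ahash(found), REFERENCE))
```

The naive comparison reports 62 differing bits out of 64, far beyond any sensible threshold, while the variant-aware comparison identifies the mirrored copy exactly. Cropping and recolouring are not covered by these four transforms; for those you would fall back to a crop-tolerant hash or an object-level search of the kind the imagga tutorial describes.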

Many people use simple obfuscation techniques such as shortening a name (Nicole becomes Cole), using only first and middle name (Cole Ann), swapping the first letters of each name (Travis Butler becomes Bravis Tutler), or using a nickname/handle. Examples (screenshots in the original post):

  • "ttas" has a nickname handle on Twitter but uses shortened first name + last name as the display name.
  • "ttas" also uses their full, more formal name on LinkedIn (a moderately common trend).

Often enough people also make mistakes or forget to cover their trails or change settings (especially those that aren't automatic), like our Cole Ann example: her Facebook profile URL is her full name despite her trying to "hide" by shortening her first name and using her middle name in place of her last. Valiant effort though...
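The handle patterns and name obfuscations described in this section are easy to enumerate mechanically. Here is an added example (not code from the original post) that builds candidate handles from a name, including the static handle, first initial + last name, shortened first name, first + middle name, and swapped-initials forms, crosses them with per-site profile URL templates, and emits Google queries in the shape shown earlier. The URL templates and the nickname table are assumptions for the example; confirm each site's real pattern by typing a known profile's URL first.

```python
"""Candidate handle, profile-URL and search-query generator.

Added example, not code from the original post.  SITE_TEMPLATES and NICKNAMES
are assumed for the example and should be replaced with observed values.
"""
from itertools import product

SITE_TEMPLATES = {
    "facebook": "https://www.facebook.com/{h}",
    "twitter": "https://twitter.com/{h}",
    "instagram": "https://www.instagram.com/{h}/",
    "linkedin": "https://www.linkedin.com/in/{h}",
    "github": "https://github.com/{h}",
}

# Short forms people commonly use; extend it from whatever the target actually uses.
NICKNAMES = {"nicole": ["cole", "nicky"], "travis": ["trav"], "william": ["will", "bill"]}


def swap_initials(first, last):
    """'travis', 'butler' -> ('bravis', 'tutler'): the first letters change places."""
    return (last[0] + first[1:], first[0] + last[1:])


def name_variants(first, last, middle=None):
    """(first, last) pairs covering the obfuscations the post lists."""
    first, last = first.lower(), last.lower()
    middle = middle.lower() if middle else None
    variants = [(first, last)]
    for nick in NICKNAMES.get(first, []):
        variants.append((nick, last))
        if middle:
            variants.append((nick, middle))      # "Cole Ann": nickname + middle name
    if middle:
        variants.append((first, middle))         # first + middle, last name dropped
    variants.append(swap_initials(first, last))
    return list(dict.fromkeys(variants))         # de-duplicate, keep order


def handles_for(first, last, middle=None, known_handles=()):
    """Known/static handles first, then name-derived patterns for every variant."""
    handles = list(known_handles)
    for f, l in name_variants(first, last, middle):
        handles += [f + l, f[0] + l, f + l[0], f + "." + l, f + "_" + l, l + f[0]]
    return list(dict.fromkeys(handles))


def candidate_urls(first, last, middle=None, known_handles=()):
    """Every handle crossed with every site template."""
    handles = handles_for(first, last, middle, known_handles)
    return [tmpl.format(h=h) for h, tmpl in product(handles, SITE_TEMPLATES.values())]


def dorks(name, location=None, extra=()):
    """Google queries in the shape the post suggests: one per site, plus a free-form
    query combining the name with known affiliations (college, team, event)."""
    base = f'"{name}"' + (f' "{location}"' if location else "")
    queries = [f"{base} site:{site}.com" for site in SITE_TEMPLATES]
    if extra:
        queries.append(base + " " + " ".join(f'"{e}"' for e in extra))
    return queries


if __name__ == "__main__":
    for q in dorks("Travis Butler", "Boston", extra=["State University", "hockey"]):
        print(q)
    for url in candidate_urls("Travis", "Butler", known_handles=["ttas"]):
        print(url)
```

The list is meant to be checked by hand or fed to a script that issues HEAD requests and keeps the URLs that resolve; note that several sites return a 200 with a "not found" page, so a status code alone is not proof that the profile exists.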



Profiling, Honeypots, and Spam Probes

Profiling helps us build a picture of the person, so after data mining you want to corroborate all of this information across the various handles, sites, and accounts you found. This helps ensure both that we're talking about the same person and that our information is (seemingly) reliable. Some places to look on Facebook that give great insights are:

  • checkins/places visited
  • pages/movies/tv/books liked
  • details/quotes section
  • education information (college + high school)
  • family and relationship information (names of prior SO's and pets etc)
  • work history
  • shared links and commentary
  • life events section (important dates)
  • writing style
  • things from the intel gathering posts like SES (socioeconomic status), style, education level, introversion vs. extroversion, etc.

This is also a fantastic place to gather keywords for password dictionary attacks, since many people use pet names or important phrases, dates, and people from their lives. "Ttas", for example, had multiple past cities and states (useful for narrowing people-search engines), multiple check-in spots to visit for "chance elicitation" encounters, major life events chronicled (DJ'd for a bit), sports teams and motivational posts (NE Patriots), family information (2 brothers, 2 cousins, maybe 1 married), a detailed romantic history, and pictures and video that give an idea of dress and humor style... the list goes on. The only thing I didn't have much luck with was quotes.
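Turning the harvested keywords into a usable dictionary is mostly mechanical mangling: case changes, appended years and symbols, leetspeak, and pairs of facts glued together. The following is an added example (not code from the original post) of that step; the FACTS and YEARS values are constructed to resemble the "ttas" profile described above and stand in for a real harvest.

```python
"""Targeted password wordlist from OSINT facts.

Added example, not code from the original post.  FACTS and YEARS are
constructed samples; replace them with what the profile actually yields.
"""
import itertools

FACTS = {
    "pet": ["Rex"],
    "team": ["Patriots"],
    "city": ["Boston"],
    "person": ["Cole"],        # partner, sibling, child, ex
    "hobby": ["DJ"],
}
YEARS = ["1984", "2012", "2016"]          # birth year, life-event years, current year
SUFFIXES = ["", "!", "1", "123", "#"]
LEET = str.maketrans("aeios", "43105")


def case_variants(word):
    """As written, all lower, Capitalised, ALL CAPS."""
    return {word, word.lower(), word.capitalize(), word.upper()}


def mangle(word):
    """Apply the common user habits to one base word."""
    out = set()
    for base in case_variants(word):
        for year in [""] + YEARS:
            for suffix in SUFFIXES:
                out.add(base + year + suffix)
        out.add(base.translate(LEET))      # p4tr10t5
    return out


def wordlist(facts, min_len=6, max_len=20):
    """Mangle every fact alone and every ordered pair of facts (RexBoston,
    BostonRex), then drop anything outside the usual length policy."""
    singles = [w for words in facts.values() for w in words]
    words = set()
    for w in singles:
        words |= mangle(w)
    for a, b in itertools.permutations(singles, 2):
        words |= mangle(a + b)
    return sorted(w for w in words if min_len <= len(w) <= max_len)


if __name__ == "__main__":
    candidates = wordlist(FACTS)
    print(len(candidates), "candidates")
    print("\n".join(candidates[:20]))
```

Keep the fact list short and specific; the candidate count grows with the square of the number of facts because of the pairing step, and a list of a few thousand well-chosen guesses is more useful against a lockout policy than a generic list of millions.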

If you know their hobbies and interests you can find the sites they frequent and set up a "honeypot" to snag information from them, as seen in this reddit post asking for high school/college mascots and my comment sarcastically asking for credit card information. Knowing school mascots alone answers two of the three common security questions, which may be enough to get a CSR to reset the password and update the email on the account. This abuse of security questions is the cost of a compromise between self-service convenience and account security; below are a few decent links to help you get familiar with the reset questions in use. You can also write down the questions used by the websites you visit yourself.

Links: (1), (2), (3)

These snapshots into the person's life, even when short, can be incredibly useful; "thin slice" judgements like this have been shown to be accurate about 70% of the time. Our ttas example had posts that showed strong signs of extroversion, an "upbeat" or positive outlook, and sarcastic humor, but keep in mind that people curate their content to an extent. We're often only seeing a "highlight reel" of sorts, or at least only the parts people want us to see, which can bias our research. The highlight reel effect has been documented and studied in some detail. You'll have to do some digging and look at comments from friends, or the "feel" of other recent posts, to get a better handle on the situation. Simple example:

Someone spamming motivational posts may seem upbeat until you read encouraging comments from friends about staying strong and fighting off their depression.

Speaking of spam: email spam isn't only a problem because it's annoying and often riddled with malware, but because it can be used to probe for information. If you can't find the corporate email format using a site like data.com, create a throwaway email account and try emailing a few people (whose names you do know) within that company. A few commonly used email formats are listed below with "Bravis Tutler" as our target:

btutler@xyzcorp.com
bravist@xyzcorp.com
bravis@xyzcorp.com
btut583@xyzcorp.com

The idea is to send a few of these emails out and wait for a "bounceback" notice saying the message couldn't be delivered. No bounceback suggests the address is real, with one caveat: a domain configured as a catch-all accepts every address and never bounces, so the probe tells you nothing there. And just because you get a few hits doesn't mean everyone in the company uses the same format; often enough people keep "legacy" accounts created before a policy change, while CEOs, owners, and other VIPs may have their own "special snowflake" account name.
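The bookkeeping around the probe is where mistakes happen: a delayed-delivery notice is not a "user unknown", a catch-all domain bounces nothing, and one legacy account can make the wrong template look right. Here is an added example (not code from the original post) that generates the candidate addresses from the formats above (the digit-suffixed "btut583" form is left out because the digits are arbitrary), classifies delivery-status text by its RFC 3463 enhanced status code, and votes across several known employees before settling on a format. Sending the mail is deliberately left to the reader; the bounce messages are constructed samples.

```python
"""Email-format probing helpers.

Added example, not code from the original post.  BOUNCE_* are constructed
delivery-status samples in the RFC 3464 layout; xyzcorp.com is the post's
placeholder domain.
"""
import re
from collections import Counter

TEMPLATES = {                          # formats from the post plus two common ones
    "flast": "{f}{last}",              # btutler
    "firstl": "{first}{l}",            # bravist
    "first": "{first}",                # bravis
    "first.last": "{first}.{last}",    # bravis.tutler
    "first_last": "{first}_{last}",    # bravis_tutler
}


def candidates(first, last, domain):
    """One candidate address per template for a given name."""
    first, last = first.lower(), last.lower()
    return {name: tmpl.format(f=first[0], l=last[0], first=first, last=last) + "@" + domain
            for name, tmpl in TEMPLATES.items()}


# Enhanced status codes (RFC 3463): 5.x.x permanent failure, 4.x.x transient.
_DSN_STATUS = re.compile(r"^Status:\s*([245]\.\d{1,3}\.\d{1,3})", re.M)
_SMTP_REPLY = re.compile(r"\b[45]\d\d[ -]([245]\.\d{1,3}\.\d{1,3})\b")


def classify_bounce(text):
    """'hard' when the mailbox definitively does not exist, 'soft' for a
    temporary failure, 'unknown' when no status code can be found."""
    m = _DSN_STATUS.search(text) or _SMTP_REPLY.search(text)
    if not m:
        return "unknown"
    code = m.group(1)
    if code.startswith("5."):
        return "hard"
    if code.startswith("4."):
        return "soft"
    return "unknown"


def surviving_templates(probe_results):
    """probe_results maps template name -> bounce text, or None if nothing came
    back.  Returns the templates that did not hard-bounce, or None when nothing
    bounced at all (catch-all domain: the probe is uninformative)."""
    alive = [name for name, txt in probe_results.items()
             if txt is None or classify_bounce(txt) != "hard"]
    return None if len(alive) == len(probe_results) else alive


def infer_format(results_per_employee):
    """Vote across several known employees so a single legacy or VIP account
    does not mislead you.  Returns (template_name, votes) or None."""
    votes = Counter()
    for results in results_per_employee:
        alive = surviving_templates(results)
        if alive and len(alive) == 1:
            votes[alive[0]] += 1
    return votes.most_common(1)[0] if votes else None


# Constructed bounce samples.
BOUNCE_HARD = """Final-Recipient: rfc822; btutler@xyzcorp.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <btutler@xyzcorp.com>: Recipient address rejected: User unknown
"""
BOUNCE_SOFT = """Action: delayed
Status: 4.4.1
Diagnostic-Code: smtp; 451 4.4.1 Connection timed out
"""
# A bare SMTP reply copied out of a bounce body, with no Status: header.
BOUNCE_SMTP_ONLY = "550-5.1.1 The email account that you tried to reach does not exist."

if __name__ == "__main__":
    print(candidates("Bravis", "Tutler", "xyzcorp.com"))
    # Two known employees: every candidate except "firstl" bounced hard.
    probes = [{"flast": BOUNCE_HARD, "firstl": None, "first": BOUNCE_HARD,
               "first.last": BOUNCE_HARD, "first_last": BOUNCE_HARD}] * 2
    print(infer_format(probes))
```

A soft bounce (4.x.x) only tells you to retry later, so it is treated the same as "no bounce" here; give those probes a day or two before drawing conclusions from them.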

Impersonation

Impersonating a friend of theirs, a recruiter in their line of work, or just a person with similar connections can also be surprisingly effective. Ideally you'll pick networks you've already gathered some intel on, but as long as you build up some goodwill or social proof by having shared contacts and stay a bit "ambiguous" when talking to them, you might find this easier than you'd first expect. Here's a simple "script" example to illustrate the point:

"Hey - I think we met once at W place with X and Y. You're hard to forget or seem like a fun/interesting person due to Z."

Mold this simple example around the intel gathering you've already done and whatever is available to you. If you found a post mentioning their opinion of a professor, do some research on a site like Rate My Professors and perhaps use that as an opening conversation topic. Similarly, some schools have well-known "party weeks", and memory can be a bit hazy after having that much fun.

Memory isn't only hazy when having fun, though; time and again memory has been shown to be pretty unreliable, and with a bit of cold reading and strategic ambiguity (as explained by both Scott Adams and the Cato Institute) you can more than likely create some false memories. As the "confessions of a LinkedIn impostor" link from above reveals, it can even result in people asking how you've been since you "left the company". Dunbar's number may help explain this phenomenon: it claims people can only reliably keep track of about 150 stable relationships at a time. The CRM solutions and other tricks salespeople use to remember clients' names, family members, and interests seem to support this conclusion as well.

Many people follow a "network with as many people as possible" heuristic and may not even weigh your intentions against their own self-interest; there's even a specific tag on LinkedIn made for this purpose (LION, LinkedIn Open Networking)!

Happy hunting.
