When I speak around the world about social engineering, one question comes up almost every time.
Why is social engineering so successful?
A key success factor in a targeted attack is good research, knowing the target and how to manipulate them.
I have been gathering and analysing intelligence on people, places and companies for many years now. It is something that feels ingrained in my DNA. You don’t need NSA level access to get a wealth of information on someone these days. You just need social media and an inquisitive side to your personality.
This story is a walk-through of a profile I recently built up of an ordinary UK citizen who thought she was on top of her social media. She was very surprised at how big and how detailed her online footprint was. The message is simple: do you know what is out there about you?
Recently at a conference I got chatting to a guest who worked in fashion retail. Let’s call her Simone for the purposes of this story. She proclaimed that she was very security conscious with her online persona and had in fact won an award at a corporate getaway for "Employee least likely to be hacked".
This definitely sounded like a challenge, and she was soon "persuaded" to ask me to build an intelligence profile on her. I accepted immediately! I was confident that we would get a lot more information on her than she thought possible. Here is the story.
All I knew about Simone Rogers was the name of the company she worked for, the rough area of the country she lived in and her face, having met her in person. We haven’t got time in this article to cover everything we found and how we found it, but here are a few highlights.
Social media is a rich source of data on people and a convenient catalogue of their life. Knowing the company she works for, the obvious place to start is LinkedIn.
I find the company’s page and then do an advanced search for Simone. 30 seconds later I have her profile in front of me. From a social engineering standpoint, LinkedIn rarely has the properly juicy stuff about a person’s life. We all pretend we are the most polished and poised versions of ourselves on this professional networking site. However, I can see that she started as an assistant store manager 6 years ago and has climbed the ranks fairly fast. Well done Simone!
On her LinkedIn I note that she has shared a tweet about London Fashion Week. We now have her Twitter handle too. Two social networks down, two to go.
Mr and Mrs Chatterbox
When you are gathering intelligence on a target, I always say you are really hunting for Mr or Mrs Chatterbox. Everyone has a Chatterbox in their network: it is the person who posts a lot and talks a lot. The Chatterbox helps OSINT gathering by showing us connections and clarifying relationships between people. Is that a friend or a work colleague? The Chatterbox knows! Could that be a photo of their new home? The Chatterbox will be on hand to clear up any confusion. You are probably reading this and picturing your own Chatterbox now. We all have one, I know I do.
A friend called Beth appears in many of the tweets found on Simone’s account. A quick diversion onto Beth’s Twitter account shows lots of Instagram photos that have been shared on Twitter. Still tagged, they reveal the Instagram accounts for Simone and Beth. We have our Chatterbox.
I is for intelligence… and Instagram
Instagram is actually great for intelligence gathering. People place hashtags on all their photos telling you the content or subject of those photos, so I don’t have to scroll through them all. It makes intelligence gathering much faster. Both Simone's and Beth’s Instagram accounts are open. Simone has 1,200 posts and Beth comes in with an impressive 4,270! From a quick scan I find Simone's partner Darren tagged in many of the photos Simone has uploaded. There are several photos of them showing off a big ring and holding hands whilst dancing through a field at sunset. The usual! They clearly got engaged in January.
Okay, so we now have the names of her best friend and her partner, and we have discovered her Twitter, LinkedIn and Instagram accounts.
Enhance. Stop. Registration plate.
Further down the Instagram feed there is a photo of Simone standing outside her house. We know it’s hers because she’s tagged it: “My new front door looks great!” You can’t see the house number, but you can see the front window. Most people would probably gloss over this photo as being devoid of any value. I download the image and play around with the curves and levels. I manage to enhance it just enough to bring out more of the reflection in the window, although it is still not sharp. I can, however, see the faint reflection of a number plate in the glass. I run it through the vehicle licensing authority website and get the information back on the make and colour of the car. It's a blue Volvo. Probably the same V40 that appears in other images. It's not definitely hers, but it is another useful piece in the jigsaw.
Happy Birthday to you… thanks for clearing that up
Dates of birth are usually really simple to discover. Taking and uploading appropriately tagged birthday photos is a social media staple, and other connections’ comments add credibility to the evidence. Luckily Simone’s Chatterbox, Beth, has proudly made what looks like an amazing cake (that would certainly fast track you into diabetes) for her birthday. It has 30 written in red icing. This photo is dated 2014, which means Simone was 30 in 2014. So she is 34 now. Date of birth obtained.
Time to see what juicy treats Facebook has to offer us.
Facebook is a great platform for intelligence gathering, which probably makes it terrible for our privacy. All sorts of information gets placed on the currently controversial platform. I have run many workshops on how to gather intelligence properly from Facebook and why you shouldn’t use the Facebook search bar at all in your hunt for information. It is beyond the scope of this article to cover how you do this, though.
Simone's Facebook has been locked down; only her friends are visible. I search for Darren, her fiancé. Like hers, his profile is now fairly locked down, but we find a number of past posts that haven’t had the current privacy settings applied, which help us build a picture of Darren. [Search for “Limit Past Posts” in FB settings to change this.] We can see a post from 2015 that says “1yr anniversary”, so we can guess that they have been together for around 3 years. We can also see Darren standing holding an award next to 2 BMWs, both with an estate agent's logo on the side. Googling the company, we see that his headshot is on their “Meet the Team” page. So we know Darren is an estate agent, and where he works.
There are lots of ways to get someone’s email address, from website searches and software plugins to APIs and custom Google searches. As I was already in Twitter, I used its leaky “Forgot password?” reset functionality to narrow the search. Knowing Simone’s Twitter handle, I start the login procedure and click “forgot password”. This brings me to a page to reset the password. As you can see from the images below, Twitter hides the bulk of the email with asterisks. However, given the masked email address and the fact that we know her name is Simone Rogers, do you think you can guess the email address!?! S.****** @g****.*** Thanks, Twitter.
Now we run that email address through another clever piece of software known as a scraper. This scraper goes out and trawls the internet for each and every occurrence of that email address. It comes back with all the social media accounts that we already found for Simone (but this validates we have the correct email address) and also a lot of forums that she seems to be a part of.
Where do you live Simone?
I am coming up blank on her social media platforms when it comes to her home address. I have a few photos of her outside her newly purchased house but as the door number is hidden, I have no clue where this house is. I do know the town she lives in, so I run her name through the phone directory. Nothing found. Switching over to her fiancé, Darren, we get a likely postcode. Interestingly BT also give you the option next to your search result to “send flowers”. That may be too creepy.
Onto Google Street View to help verify it is their address. I know the appearance of the house from Simone's photos so now I just scroll up and down the road until I find a match. Looks like a nice property. A quick search of Zoopla and I discover she got a good price for it too, along with reasonable mortgage repayments and a clear £30k increase in value since she bought it a few years ago. "Housing prices are ridiculous" I mutter to myself.
I do a search for the address I have on the Land Registry website and the title register confirms this is their house. Address obtained and verified.
Amazon - Tell me what you wished for
Something that many people are unaware of is that Amazon Wish Lists are public and fully searchable by default. What this means is that unless you have deliberately changed your Wish List to “private” I can search for it and view it in full. So yes, that Donald Trump autobiography you have on your Wish List is discoverable!
Amazon makes the process quick and painless. Simone is actually the first search result. Her Wish List contains some books by Misha Glenny, clothes, a LOT of stationery, some funny novelty gifts clearly earmarked for Christmas, an iPhone 8 protector case (so we now know the make of her phone too) and a book entitled “planning the perfect wedding on a shoestring”. Thanks to Amazon we understand her a little bit better.
So, all in all another successful foray onto the worldwide web. We got a lot more information on Simone than is laid out here.
- Name, DOB, Job
- Husband’s name, DOB, job and company, duration of relationship and date of engagement
- Car make, model, and number plate
- Home address including date and price it was purchased for
- Email address, make and model of phone
- All of her social media accounts
- Political views and career aspirations
- Amazon Wish List details
- School and university dates
So, we have this information. So what?
One comment I hear my friends make when I tell them the dangers of this information being available is that “I have nothing to hide”. You may well have no big dirty secret, I certainly don’t, but that also doesn’t mean I want people knowing everything about me and my life. I value my privacy and the sad fact is that social media erodes that. Yes, you may have nothing to hide but can you honestly say that you are happy with anyone in the world, good or bad, being able to get this sort of information on you?
Simone was shocked at the information I obtained in a relatively short time. She really believed she was being careful, and perhaps compared to a lot of people she was.
How can an attacker use this?
OSINT like this is a key component of successful social engineering and cyber-attacks every day, in every country across the globe.
Just scanning the list of information that we got on Simone, I could email her pretending to be Amazon, informing her that
“The Misha Glenny book on your Wish List has 40% discount for one day only. Click the link to receive the discount and buy now”.
This would likely work because that little piece of accurate information, knowing that a certain book is on her Wish List, will undoubtedly make her believe it must be Amazon contacting her. After all who else would know that?
The options for attack are endless. I could be her university telling her about an upcoming reunion. Maybe I could be Volvo telling her there was an urgent safety recall on all V40s (okay, that is a bit far-fetched; it is a Volvo after all).
Social engineering attacks aren’t just limited to quick and dirty phishing emails. I have worked on cases that have gone on for almost a year. The attacker used this sort of information to become best friends with the victim and manipulate them slowly into doing what they want them to do. I have seen dedicated employees turned into malicious insiders through this clever and scary process.