Many people are led to believe that for Open Source Intelligence to have any utility, they have to be a private investigator, a law enforcement officer or work in the intelligence community, and that is far from the truth. Of course you might not need it daily, but every now and then you will, and if you have these skills when the time comes, you will have the upper hand. You will be invaluable to your family, friends, loved ones and yourself.
I haven’t been writing much lately because I’ve had a lot on my plate, but I have been contemplating the fact that even outside my information security journey I use Open Source Intelligence. This post is (I hope) one of many that will demonstrate the utility of OSINT and share some valuable tips related to it. I am also currently working on a series of blog posts about OSINT Fundamentals and I hope to post the first one shortly.
The following story is from December of 2018. All names, links and locations are fake. The story itself is real, but measures are needed to protect the identities of everyone involved.
Once upon a time, I got contacted by a friend of mine who lives in Ukraine. He had just started dating a girl named Alice, and she was unfortunate enough to have some very toxic and potentially dangerous acquaintances. Those acquaintances got Alice’s Telegram handle in a way unknown to my friend Max and started messaging her. The first person opened the exchange with the following niceties:
I know what college you go to, I know what train you take to get there and I will cut off your head and rape you.
Alice was of course unsettled by this and let my friend Max know what had happened. He asked for the person’s Telegram name and messaged him. After a short and unpleasant exchange the person decided that he wanted to cut off Max’s head as well. The person’s nickname was Facebook+. He escalated the situation by saying the following:
Found you and your dumb girl. Tomorrow on Borodianka she’ll be fucking done. You two make me sick
If not for the message above, I would not have been called in to assist. Both my friend Max and I are of a generation that grew up with the internet, so we know very well that trolls and most death threats should not be taken seriously, but that was not the case with this one. Our suspect named Borodianka, a train station that Alice uses, and in a separate message he also named her college, so his earlier correspondence was no bluff, at least as far as what he knew about her. This prompted further investigation on our part into who the hell that person was.
Ukraine of course has its own language, but almost half of all Ukrainians speak Russian natively, and as a Russian speaker I was able to assist my friend with these threats. At that point we knew nothing about our suspect aside from a nickname that was not yielding any results. When you are dealing with a person like this, who is privacy-aware and leaves no trace of his identity, his greatest weakness is the fact that he is still in contact with you.
Max was not giving in to the intimidation and Facebook+ was noticeably infuriated. Their long exchange of insults led to another person interjecting himself into the conflict. A person nicknamed Auriel messaged Max and started insulting him. This was a crucial moment, because Auriel was somebody Alice knew. They had met online a couple of weeks prior and gone out once. Alice recognized his nickname and gave Max Auriel’s social media profile. VK is the most popular social media website in Russia and Ukraine and is of great help in investigations into people from those countries. Auriel’s real name was Arthur.
Arthur knew that privacy is important. He had real photos but a fake last name, and the number of groups he followed was too vast for us to sift through and extract any useful clues. The list of his friends yielded no useful results either, as he had done something very clever on purpose: he botted to get 500 friends. We knew this because he had 300 followers, all of whom were banned and deleted, something that happens frequently to profiles caught botting and spamming. No friends stood out, and even when we tried to make a pie chart of his friends’ cities, the most common ones turned out to be two big Russian cities. Our only remaining vector of attack for that profile was the pictures. Those were certainly real, and one of them caught my attention: it showed him kissing his girlfriend in the trunk of a car. Their faces were not visible, but the picture was unique and had not been published anywhere else, according to a Google Images reverse image search. That picture became crucial to our investigation later on.
Something that should not be overlooked when investigating people online is the links to their profiles. Many services and websites let users customize their profile link, and many people tend to use their nicknames/logins for that link. VK was no exception and allowed users to do just that. Arthur had a link that resembled something like vk.com/aurielz, which was a simple permutation of the nickname we had learned earlier. It was still not unique enough to be identifying on its own and yielded a lot of results when we ran it through a nickname search. The only two websites where that nickname came out unique were Steam and Instagram. Both had permutations of the nickname similar to the one we saw on his VK profile.
First, we investigated the Steam profile. It turned out to be the Arthur we were looking for, but the profile was not very useful to us. We only got his friends list and his groups. He had only one group, called Green Blade. It was a clan for some game, and the group was devoid of any information. We looked through his friends’ profiles and came to the conclusion that it was probably for Warframe, as that was the game they played the most. One of his friends had posted screenshots to his profile, and one of them showed Arthur’s in-game nickname, which was different from his Steam name. It was yet another permutation of his nickname, and we quickly ran a search on the Warframe forums. It turned out our friend Arthur participated in giveaways for the game, but his profile did not tell us much beyond that. His Steam and Warframe presence led us nowhere, but we needed every bit of information we could find on him. We found a history of his raids in Warframe on gg.op and proceeded to make fun of him for failing the last one.
What was far more fruitful was his Instagram. The pictures were nothing new and were nearly the same as the ones on his VK profile. His follower count was reasonable, fewer than 100, so it would have been easy for us to sift through them one by one if need be; we just needed to know where to start and what to look for. We knew he had a girlfriend, so we decided to focus on finding out who she was. His pictures would always get 20-30 likes, and we looked at everybody who liked them. There were 7 girls who often liked his pictures, and we started looking through their profiles. Four of them had private profiles, but three were open. When looking at the pictures of one of them, I had a bingo moment. The unique picture of Arthur kissing his girlfriend in the trunk of a car was there. If not for that picture, we would not have been able to identify which girl he was dating. Her name was Sofia.
It really does not matter how seriously you take privacy on social media, because you will always have connections to people who don’t. Arthur did his best to protect his personal information online, but his girlfriend loved social media and was very open. Sofia had her real full name in her Instagram profile, and from there we found her VK profile, which Arthur had been concealing (she was not visible in his friends list because he had toggled an option for that). From her VK profile we found her private Instagram, her Ask FM profile (a social network with a question-and-answer format) and, most importantly, Arthur’s second VK profile.
His second profile had a fake first and last name and just one real picture. This profile had posts going back to early 2013, which led us to conclude that it was his first profile and that he later switched to the one we had seen before. This profile had 300 friends, but they were grouped, so some of them were labeled. A profile that shared his last name was labeled as a best friend, and we decided to check it out as well. It turned out to be Arthur’s third account. This one had even weaker privacy settings than the second one, and it had family members labeled among the friends. We found his mother’s name and profile, and from there we found her profile on OK (another Russian social network). Her account on OK held a load of real information and pictures, and at that point we had enough to show the intimidation duo that they were no longer anonymous.
Our last bet before we confronted them with all the information was to send an IP logger to Facebook+. Max asked him a question and sent the logger link, which would collect the IP address of anyone who clicked on it, but Facebook+ was of course even more privacy-aware than his friend Arthur. He just laughed, because he knew what we were trying to do. In our circumstances it was a full-out war, so they knew we were trying to dig up information, and the failed logger attempt did not hurt our efforts. However, if you are investigating someone who does not yet know about it, you have an advantage and a chance of the person clicking. You also risk ruining everything if the person finds out. If your investigation is ongoing and the person is alerted to it, they will do their best to close and cover everything up as much as they can before it’s too late.
The reason people value anonymity on the internet is that it keeps them safe. If your identity is protected, the things you say will not put you in danger, no matter how vile or controversial they are. Anonymity is a great thing, but bad guys use it too. When you strip those bad guys of their anonymity and show them just how exposed they are, they become afraid, and even if they don’t show it, they are. It is hard to talk shit to people online knowing that they live in your city and know who your friends, family and loved ones are. It was not Arthur who told Alice that he would cut off her head; it was his friend Facebook+.
In order to fend off Facebook+, we used Arthur as a lever to apply pressure. We confronted Arthur with all the information we had collected, and that was the moment all correspondence from him and Facebook+ ceased. He was surprised at how resourceful we had turned out to be, so the next morning he messaged Max with this:
Thank you for the boxing. I didn’t know how good you were. I am too old for this.
Max agreed, and since then no threats have been hurled at him or his girlfriend.
The moral of this story is that OSINT is not something only cops and spies need. It is something that every ordinary person needs. Our lives are increasingly digital, and harassment is not going away anytime soon; it’s only evolving, and so should you.