Sunday, July 17, 2022

The Good & The Bad Of OSINT - Which Side Are You On???

 


Whenever we have talked about a Cyberattack happening, we have, for lack of a better term, had some comfort in knowing that we could expect malware, a worm, a Trojan Horse of sorts, or even Ransomware.

But given the advances of technology, a Cyberattacker does not have to do all of this anymore in order to steal PII.  He or she can build a profile on you based on a methodology known as “OSINT”, also known as “Open-Source Intelligence”.

Just as its name implies, this is Open-Source data that is legal to get and use; after all, it’s available on the Internet. It’s really like getting a background check on somebody, but with that, you have to pay some sort of fee. OSINT is free, and it can also be viewed as a data aggregator.

This simply means that it is a one-stop shop where you can collect the information that you need, drawn from hundreds of different sources.

OSINT can be used for both the good and the bad.  For example, I did a podcast some time ago with a client that had an OSINT based business.  The degree to which he was able to use publicly known information totally blew me away.  He narrated this story of how they were able to solve a hit and run accident that even the police could not solve.

If I remember correctly, it all came down to collecting a small piece of car paint, and matching that up with other cars that passed by, which were taped by the CCTV cameras.  In a way, this also reminded me of the unfortunate incident of Pan Am Flight 103, a Boeing 747 that blew up over Lockerbie, Scotland.  It all came down to locating a tiny electronic component which forensics were able to trace back to a store in Libya.

Then, I wrote an article for a client about the OSINT methodology, and how some of the components of it could be used to hypothetically protect a well-known movie star.  But with the good also comes the bad, and this is where the Cyberattacker now comes into play.

As mentioned before, they no longer have to access the innards of your IT and Network infrastructure, and move laterally in order to get information about you. 

All they need are the tools of OSINT, a very close examination of your social media profiles, and the use of some AI and ML tools.  From here, they can build a whole new profile about you, and even create a totally different facial structure of you using Deepfakes (I think I just wrote an article about this a few weeks ago).  But the end result of this is totally scary.

With this newfound profile, a Cyberattacker can now launch an ID Theft attack against you, and you may never even know about it.

At least in the past, the Cyberattacker would have to know some specific information about you, such as your Social Security number, or Driver’s License number, but even this is not needed anymore.  With all of this, a Cyberattacker can easily open up new bank accounts, credit cards, you name it. 

But you are not going to believe this, either.  There are also tools out there that let the Cyberattacker create that fictitious profile about you.

One such tool is called “Fake Name Generator”, and an example of a fake profile can be seen below:


(SOURCE:  https://www.darkreading.com/attacks-breaches/how-hackers-create-fake-personas-for-social-engineering)

Heck, you can even create a picture of a real person that looks almost like the real thing by using a tool called “This Person Does Not Exist”.

My Thoughts On This:

Ok, I even find this to be rather extreme, and I have been in Cybersecurity for years.  But keep in mind, even in the case of digital attacks, the Cyberattacker will always leave behind some evidence, even to the smallest amount that is possible.  In the case of a faked profile like we have been talking about in this blog, look for some of the following clues:

*A person looks head on, directly into the camera lens;

*There will be some nuances in their facial structure;

*Other extraneous accessories can fade in and fade out.  For example, if the subject is wearing earrings, one lobe of the ear may drift further down than the other ear, although the earrings may look completely identical;

*The sides of the picture have some strange sidings to them.

What can you do to help avoid becoming a victim in these kinds of scams?  Well, the first rule is never to respond to anything that you are suspicious of.  For example, I get tons of robocalls and suspicious emails every day.  All I do is never respond to the phone call, or simply delete the email.

But there have been numerous times in the past where I have received emails which seemed to be questionable, but I had some doubts about that as well.

So in these cases, I normally try to find the LinkedIn profile of the person in question, and if I can’t, then that is a huge red flag.  I try to check out their Social Media profiles, and if there is nothing there, then I just delete the email.  But keep in mind that the Cyberattacker could quite possibly be ahead of you in this regard, by having a fictitious LinkedIn profile and Social Media sites already populated.

Then there are the other rules as well:  Check your credit card and bank account balances at least 3x a day, and always monitor your credit report.  If possible, try to have a good friend even conduct a background check on you to make sure that everything is clean.  Finally, remember that the Cyberattacker does not have to use just digital means to get a hold of you.

Attacks using snail mail have now been on the rise, so pay careful attention to those as well.  In the end, if you have any doubts that you simply cannot resolve, or if you feel that you have become a victim, always contact your local FBI office.  They will always be glad to help you out, and they will have the specialized tools needed to examine any evidence that you give them.

 

