The Two Sides of the OSINT Coin: A Tool for Hackers and Against Hackers by Gergo Varga

The cybersecurity and fraud world plays host to a relentless series of “cat and mouse” games between criminals and those who work to thwart their efforts. 

Open source intelligence (OSINT) is a great example of how technology can be used both by nefarious hackers and by those who seek to turn the tables on them.

In this article, we explore both sides of the OSINT coin. But first, a quick explanation of how OSINT works.  

The Basics – What is OSINT?

Open Source Intelligence, fundamentally, is all about gathering information that’s out there “in the wild.” This means any data people can access from public sources, ranging from social networks to formal public records. 

It can also go much deeper than that, drawing on information shared on message boards and forums, or in published documents and articles.

It’s surprisingly easy to access much of this information. It’s often possible to collect an abundance of information on an individual from a simple search engine query. Add in the use of advanced search engine operators, such as those available on Google, as Zyxware Technologies explains in a feature, and it’s possible to drill much deeper.  

Individuals tend to leave plenty of personal data available for public consumption. Due to a lack of privacy awareness, a desire for “visibility,” or a combination of both, people often make it very straightforward for others to access an abundance of personal information. 

Five minutes spent manually searching Google, Facebook, Twitter, LinkedIn and Instagram can often produce a scarily detailed profile of an individual. 

Dedicated tools, as explained in a breakdown of how fraud prevention products work by SEON, take things even further. By automating the collection of OSINT data, they enable comprehensive digital footprinting and combine this with device fingerprinting, IP analysis and other functionality to inform the fight against fraud using a multi-layered approach.

This means pulling together open source information from multiple sources, and making it easily accessible. Simply provide one piece of key identifying information, usually a phone number or email address, and you can find out much of what’s “out there” connected to that information. 

This is a process known as data enrichment. It makes it easy to create a detailed profile of an individual from only one or two key pieces of information.  

As you can probably see already, the use of open source intelligence is valuable both to hackers and to those combating them. Next, we look at how both the good people and the bad can make use of OSINT. 

How Fraudsters Use OSINT

OSINT helps fraudsters to add more pieces to the puzzle when gathering information on potential targets. 

For example, from just a phone number, they could ascertain which mobile network a person is using. They could then make use of this as part of a phishing attempt, appearing far more credible due to that knowledge. 

People are more easily fooled if they receive a call or email claiming to be from the network they are a customer of. Add in the ability to easily spoof email addresses or phone numbers, and that one piece of open source intelligence is enough to pull off some successful scams.

It doesn’t help that people often hand out additional pieces of information without giving it a second thought. 

Many of those “what’s your elf/rock star/Viking name?” quizzes on Facebook, where people hand over their place of birth or even their mother’s maiden name, act as a way of providing criminals with yet more puzzle pieces. It’s not hyperbole to say that they’re used for identity theft – it’s often their sole purpose.

The nuggets of information hackers can glean from OSINT help them hugely with practices such as CEO fraud and spear phishing. 86% of businesses experience the latter, according to data from insurance company Hiscox.

Ultimately, there are always multiple routes to a successful hack. For example:

  • Some information gleaned from LinkedIn could be enough to convince a staff member to transfer money or reveal confidential information in a case of CEO fraud. 
  • A cybercriminal could compromise an account after grabbing a password from a data breach and trying it with somebody’s other online accounts.
  • A hacker could take the information they’ve gained from OSINT and use it alongside techniques like password spraying.

One thing we can be sure of is that hackers’ methods will continue to grow more sophisticated. Deepfakes and voice impersonations are the kind of things companies like Vodafone now warn about. Put together some information gathered from OSINT techniques with a convincing-sounding phone call from the boss, and plenty of people will be taken in. 

Thankfully, open source intelligence can also be used in the opposite direction. 

How to Use OSINT Against Fraudsters

Using OSINT against fraudsters flips the script. 

Consider a scenario where somebody receives an email they’re suspicious of. The use of something like a reverse email lookup tool empowers the recipient to do some simple due diligence on the sender. 

Is the account genuine? Was it sent from the claimed location? Does other data out there support the legitimacy of the sender?

As we’ve established, something as easily accessible as an email address or phone number can provide a wealth of information. This means that OSINT can be used for prevention as well as attack.

Data Enrichment

A good example of how this can work in practice is the use of data enrichment. Instead of merely seeing a phone number or an email address, people can be given the ability to see all the other publicly available information that links to it.

There are various ways to accomplish this. For example, SEON’s fraud detection tools can be queried using a manual lookup, or using a Chrome extension. Businesses can also go one step further and integrate the enriched data via an API. 

In practice, this could mean call center operatives seeing much more than just the incoming phone number when a call comes in. They can know if that person is really in London or using a virtual number. 

Similarly, somebody with an eCommerce store gains instant intelligence on new customer sign-ups and orders, alerting them to newly created “disposable” email addresses, or people with a suspiciously small digital footprint. 

Checks can be manual, coupled with staff training (see below), or automated with the use of a risk score that is based on all of the information available. This means that legitimate customers are allowed through with no friction, while more suspicious interactions are flagged for further investigation. In some cases, the risk score alone could prove enough to automatically reject a transaction or a login.
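The risk score described above, as an added example that is not SEON's code or API: a small scoring routine over the kind of enrichment signals the article names (disposable email domain, thin digital footprint, virtual phone number, location mismatch). The signal weights, the three decision thresholds and the sample records are all assumptions constructed for illustration.

```python
"""Toy enrichment-based risk scoring (added example; weights and thresholds
are assumptions, not values from any real fraud-prevention product)."""

from dataclasses import dataclass
from typing import List, Tuple

# Constructed placeholder list; a real deployment would use a maintained
# disposable-domain feed rather than hard-coded names.
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}


@dataclass
class EnrichmentRecord:
    """What a lookup on an email address and phone number might return."""
    email: str
    phone_type: str              # "mobile", "landline" or "voip" (virtual number)
    phone_country: str           # country the number is registered in
    claimed_country: str         # where the customer or caller says they are
    social_profiles: int         # public profiles linked to the email address
    email_first_seen_days: int   # how long the address has been observed online


def score_record(rec: EnrichmentRecord) -> Tuple[int, List[str]]:
    """Return an additive risk score and the human-readable reasons behind it."""
    score = 0
    reasons: List[str] = []
    domain = rec.email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        score += 40
        reasons.append("disposable email domain")
    if rec.social_profiles == 0:
        score += 25
        reasons.append("no public profiles linked to the email address")
    if rec.email_first_seen_days < 30:
        score += 15
        reasons.append("email address first seen less than 30 days ago")
    if rec.phone_type == "voip":
        score += 20
        reasons.append("virtual (VoIP) phone number")
    if rec.phone_country != rec.claimed_country:
        score += 20
        reasons.append("phone country does not match claimed location")
    return score, reasons


def decide(score: int) -> str:
    """Map the score onto the article's three outcomes: frictionless pass,
    flag for manual review, or automatic rejection."""
    if score >= 70:
        return "reject"
    if score >= 30:
        return "review"
    return "allow"


def assess(rec: EnrichmentRecord) -> Tuple[str, int, List[str]]:
    """Convenience wrapper returning (decision, score, reasons)."""
    score, reasons = score_record(rec)
    return decide(score), score, reasons


# Constructed sample records (not real people or lookups).
LEGITIMATE = EnrichmentRecord("anna.kovacs@example.com", "mobile", "HU", "HU", 4, 2100)
BORDERLINE = EnrichmentRecord("j.smith@example.org", "voip", "US", "GB", 2, 800)
SUSPICIOUS = EnrichmentRecord("x9q2@tempmail.example", "voip", "US", "GB", 0, 3)

if __name__ == "__main__":
    for rec in (LEGITIMATE, BORDERLINE, SUSPICIOUS):
        decision, score, reasons = assess(rec)
        print(f"{rec.email:28} score={score:3} -> {decision}")
        for r in reasons:
            print(f"    - {r}")
```

Each signal contributes independently, so a single weak indicator (a VoIP number on its own, say) lands in the review band rather than causing an automatic rejection; only several corroborating signals push a record over the reject threshold. Keeping the reasons list alongside the number is what lets a call-centre operative or fraud analyst act on the flag rather than just see a score.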

Despite the technology available, it’s crucial to remember that human error is still a key point of failure for many companies targeted by hackers. 

The Importance of Training

All too often, company bosses hope to eliminate their security issues with technology alone. While software solutions are now much more sophisticated, the importance of staff training and awareness never goes away. 

As O2 points out, “back stories (are) becoming more and more refined.” This is hugely relevant to open source intelligence. Cybercriminals specifically seek out information that makes them sound and appear more credible to their targets. This can involve anything from knowing a person’s mobile network to knowing where their manager has gone on holiday.

Empowering people with fraud prevention tools can do much to raise awareness. Getting a team routinely used to not taking things at face value is a great step towards decreasing incidences of fraud. But it must go hand-in-hand with training. 

As we said right at the start, this is a constant “cat and mouse” game. Hackers constantly innovate, finding inventive new scams designed to catch out even the most web-savvy people. 

As such, cyber awareness training cannot simply be regarded as a one-off thing. It’s crucial to continually educate teams on the latest scams and threats, to keep that training up to date. 

As an aside, it’s also worthwhile to ensure that cyber awareness training teaches people not to so readily hand out information that could form part of an OSINT dataset. Employees of all backgrounds need to understand that even those Facebook quizzes carry risks!

Effective training and reliable software create a perfect combination. Automation, such as API integration, is even better. Knowing that an incoming call or message originates from somebody with a questionable “risk score” can help people to “put their guards up.” 

This should mean that they ask the right questions, and perform extra due diligence before completing transactions or handing over sensitive information. 

The nature of open source intelligence does make it a double-edged sword. The information is “out there,” so it’s inevitable that bad actors will do all they can to exploit it. However, it’s also hugely valuable for businesses and individuals trying to protect themselves from fraudsters. 

Criminals are making use of this data. It’s only logical that everyone else does too.


ABOUT THE AUTHOR

Gergo Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He's the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Senior Content Manager / Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what's happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.

March 1, 2022
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013