Thank you phisher

First, let me shortly introduce myself;
My name is Technisette (yes, that’s a nickname, not a sock puppet), Dutch, 30+, female and have been working in the infosec business for the last 10 years. I’d like to tell you how I became OSINT curious.

I wasn’t always ‘OSINTcurious’. Of course there was always a little curiosity in me, but there was one incident which really lit my ‘OSINT’-fire:

Phishing

A couple of years ago, at the beginning of the 2010s, I was working for this website where we had some problems with a couple of phishing websites. This was a whole new subject to me; I’d never experienced phishing before. A friendly IT/security colleague took me by the hand and showed me what he was doing; he traced down email headers, looked at domain name registrations and found patterns in hosting. We used a wide range of tools, from ripe.net to Google dorking for any personal information, and even touched a bit of Wireshark. I was intrigued, this was interesting!

Since the clients of the website were losing money due to this phisher, I decided to make it my goal to figure out who this person was.

Image verification

While investigating these phishing websites, we found some interesting clues. There was a range of social media profiles which we were able to link to our suspect. These profiles were filled with a lot of pictures, mostly of houses and offices. Because I really wanted to find the location of our suspect, I focused on those pictures.

I remember a couple of pictures quite well; one of them was from a penthouse suite. From the balcony you were able to see a church tower. Also, there was no other higher building in sight. Because we knew the area the suspect might be in, I searched online to find high apartment buildings near churches and soon found one matching the apartment.

What was quite interesting was that this apartment had just been sold, and the website that offered the apartment for sale had even more photos from the inside. I was able to match those pictures with the pictures we found.

I started verifying the location where a picture was taken by looking at light switches, electrical wall outlets and traffic lights. Doing this, we found several office units and apartments in and outside the Netherlands, and eventually found the suspect. We were able to hand over all evidence to the police.

Doing these verifications changed the way I look at pictures and videos forever. When I look at a picture now, I quickly scan the topic of the picture, but my attention is immediately drawn to everything in the background.
That’s why I can’t even watch a soccer game anymore; my focus will be on odd people in the audience, any commercial signs next to the field or maybe just whatever is outside of the stadium, but definitely not on who is scoring a goal.

This mindset has been very helpful in my current work and investigations. Due to watching so many pictures and verifying them, I’ve become very focused and curious when doing online research. I’ll always try to find anything out of the ordinary and persist to find the answer to a question. Otherwise known as being OSINTcurious.

Thank you phisher

This might be a bit weird, but I’d like to thank you phisher. You’ve challenged me and got me interested in doing OSINT investigation, something I now do for a living. Thank you.

And for you, reader of this blog, if you ever get a phishing mail or run into a phishing website: I challenge you to do the same. Try to find out whoever it is that is bugging you. Maybe your OSINTcuriosity will be lit and maybe you can make a living out of it one day.
