Posted on April 26th, 2019
EPISODE 120-Private Purchase Failures
This week, I discuss recent privacy news, my failed attempt to buy anonymous iPhones, how prepaid credit cards can get us in trouble, and a new Instagram search tool that can help query bio information.
Support for this show comes directly from the IntelTechniques online OSINT & Privacy video training. We now have over 90 hours of content, with more added every month. Listeners of this show always receive a 25% discount at https://inteltechniques.com/25.
Listen to all episodes at https://inteltechniques.com/podcast.html
or Subscribe at:
PRIVATE PURCHASE FAILURES:
Data Removal Workbook:
Silent Pocket: https://silent-pocket.com/discount/IntelTechniques
Filed under General | Comments Off on The Privacy, Security, & OSINT Show – Episode 120
Posted on January 2nd, 2018
It has been a busy month in regards to online search (OSINT) techniques. I have updated almost all of my online search tools and discovered several third-party options that have recently surfaced. Many of these were announced by others on my Forum and in the Slack Channel. All OSINT links and tools can be found on my TOOLS page.
IntelTechniques Communities Search Tool (https://inteltechniques.com/osint/communities.html): I created this new tool out of necessity. I am finding that many of my targets have a presence within online communities such as Reddit, Voat, 4Chan, Meetup, Topix, and others. This tool creates custom URL searches that are superior to the standard searching within a site’s search menu. These tools allow you to specify whether your target is a real name, email address, username, or domain name in order to isolate the appropriate results. While there are already dozens of options here, I anticipate this tool to grow quickly. Today, I added the 300gb+ Reddit archive API by Pushshift.
IntelTechniques Email Search Tool (https://inteltechniques.com/osint/email.search.html): I removed a few dormant search queries and replaced them with better options, including Email Hunter, Reverse Mails, and a few others. This tool now queries 19 services with a single search.
IntelTechniques Person Search Tool (https://inteltechniques.com/osint/person.html): I completely re-wrote this tool in order to incorporate some of the newest people search options, re-order the priority of the searches, and allow a quick execution of all search options. Specifically, I added Fast People Search, Advanced Background Checks, and a few others. This tool now queries 24 services with a single search.
IntelTechniques Reverse Image Search Tool (https://inteltechniques.com/osint/reverse.image.html): I updated the Baidu reverse image search. They changed the URL submission address, but all five image search options should be working now.
IntelTechniques Telephone Search Tool (https://inteltechniques.com/osint/telephone.html): I removed a few dormant search queries and replaced them with better options, including True People Search, Fast People Search, Advanced Background Checks, and a few others. This tool now queries 18 services with a single search.
Free Carrier Lookup (http://freecarrierlookup.com): This is one of three options I have found useful for identifying cellular providers of a target telephone number. The benefit with this service (and the others mentioned below) is that they will usually identify a VOIP provider. If you are researching an internet-based number, you will often find the service listed here, such as Google Voice, Twilio, etc. These have been much more helpful than the traditional sites that only say “VOIP Number”.
Text Magic Carrier (https://www.textmagic.com/free-tools/carrier-lookup): Similar to Free Carrier Lookup, this service identifies providers of landline, cellular, and internet telephone numbers.
Carrier Lookup (https://www.carrierlookup.com): Similar to Free Carrier Lookup, this service identifies providers of landline, cellular, and internet telephone numbers.
US Phonebook (https://www.usphonebook.com): This is yet another telephone search service, but I have found unique results here on occasion.
Fast People Search (https://www.fastpeoplesearch.com): This database appears to possess identical results as the True People Search option, with one huge caveat. Those that removed their search results from one site may still be exposed on the other.
John Doe (https://johndoe.com): This appears to be the same company as the previous option, but again, opt-outs from one service do not carry over to others.
Find-a-Grave (https://www.findagrave.com): This database is one of the most complete archive of grave locations, searchable by name. This can be used to help verify a death or locate a city of interest in relation to your target’s deceased relatives.
Reverse Mails (http://reversemails.com): Most of my individual email searches on this site have been unproductive. However, searching a target domain name has been extremely successful. You will likely locate full names, addresses, and telephone numbers associated with your target email addresses and websites.
Whoxy (https://www.whoxy.com/reverse-whois): This service searches an email address or real name and attempts to find any current or previous domain registration associated with the target. These sites are nothing new, but additional sources of this data can reveal traces that others have missed.
Hunter (https://hunter.io/email-verifier): This is now my favorite email address verification service. It checks formatting, notifies you if the address looks “risky”, verifies whether it is a disposable service, checks the mail records, and provides an overall indication if an address is real or fake.
TCPIPUtils (https://www.tcpiputils.com): This is yet another domain search tool. Most of the data here is redundant with other utilities.
DNS Trails (https://dnstrails.com): This is another Domain/IP search tool, but with much more benefit. When an email address, name, or physical address is associated with a domain, a cross-search identifies other websites of interest. There are other sites that also do this, but these options appear to dig a lot deeper.
URL Scan (https://urlscan.io): Similar to the previous two options, but this service also includes any historic screen captures, which could identify removed content.
Zoom Eye (https://www.zoomeye.org): This appears to be a clone of Shodan. However, I did locate unique data not available elsewhere. This is another search engine for online devices (not websites). In other words, this is where you go creep on people that did not disable guest access to their web cams…
My Geo Position (http://mygeoposition.com): This is a very thorough tool for converting coordinates, addresses, altitude, etc. There are no personal details on this site, but could be useful for verification of cited data located from other searches.
FakeSpot (https://www.fakespot.com): I don’t know how this helps in investigations, but it is interesting. Supply a URL to a product on amazon, and it attempts to identify the fake reviews, as well as provide an overall indication of the amount of robot-inserted reviews of products. It also displays reviews that appear identical to other products and isolates suspect user names that appear to be fake.
Better Tweet Deck (https://github.com/eramdam/BetterTweetDeck): This is not a website, but a browser extension. If you use TweetDeck for your live Twitter investigations, this software enables many enhanced features. My favorites are the ability to customize the format of dates, customize the format of names in tweets, and remove the t.co redirection on links.
Investigative Dashboard (https://data.occrp.org): This search engine provides access to almost 100 million data leaks such as property data and sensitive documents. A search of my own name revealed a handful of PDF documents which cited my work. I had never seen these before from traditional searching.
Vehicle Registration Queries: I have found the following websites will identify the make, model, year, engine and style when providing a license plate and state:
Note that the last two options will also provide the VIN of the vehicle, which can then be searched at the following:
https://www.carfax.com/processQuickVin.cfx (Provides Vehicle Data)
http://vin.place/searchVIN.php (Provides Name, Address, Vehicle)
https://www.vindecoderz.com (Provides Mileage)
https://www.checkthatvin.com (Confirms Vehicle Data)
https://www.nicb.org (Checks Theft Reports)
https://www.searchquarry.com/vehicle_records (Vehicle Make, Model, & Year)
Posted on September 18th, 2017
I woke up to an inbox full of email this morning about the computer cleaning application CCleaner. I have used it for many years, and recommend it often. It was announced that they were hacked, and the emails ranged in emotion from “Help!” to “Is this a big deal?” There are numerous online articles discussing the attack, but I found that almost all of them offer nothing of value. They generate panic, sell a few clicks on ads, and we all carry on. I hope for this post to provide some actual details and actions to be taken.
WHAT HAPPENED? Criminal hackers infiltrated CCleaner’s systems to introduce a modified version of the software. This new rogue version contained malware. When a user installed this version, available from August 15, 2017 through September 12, 2017, the user’s system was compromised and infected. The infected systems then continuously sent data to the attackers including the name of the computer, installed software and running processes. It does not appear (at this time) to have sent personal data or files. 2.27 million people were using the compromised software.
WHY? This attack was likely part of a larger potential attack. The type of data stolen indicates that the plan may have been to create a large network of compromised computers (Bot-Net) which could then conduct DDOS attacks or other large-scale actions.
WAS I INFECTED? This is the part that no one is clearly explaining. You must meet ALL of the following criteria to have been impacted:
Windows Computers Only – The Mac version does not appear to have been comprised.
32-Bit Versions Only – If you have a 64-bit processor and use the default 64-bit version of CCleaner, you were not compromised. You can identify your version of Windows easily with THIS GUIDE.
CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191: You are much more likely to have the standard version, but some users may be using the premium cloud version. Opening CCleaner will identify the version in the top of the application.
WHAT DO I DO NOW? This is the most vital piece that I have found to be missing from every online article. Avast (who owns CCleaner) says no need to worry, as they have disabled the rogue server and removed all of the malware with the latest release. That is fine for them, but does not mean that your computer is clean. I recommend that EVERY CCleaner user, regardless of whether you were actually infected, take the following actions today:
1) Update your version of CCleaner: Open the application and check for updates, installing any updates. This is actually a better action than deleting CCleaner, because their update removes the malware that was installed. Direct Download link: http://download.piriform.com/ccsetup534.exe
2) Install, update, and run Malware Bytes: This will look for any other malware on your system, including any triggered by the CCleaner attack.
3) Run a complete virus scan: For Windows 10 users, I still recommend simply using the default Windows Defender option. Windows 7 users should use Microsoft Essentials. No AntiVirus is perfect, and finding any reputable third-party options gets more difficult every day.
This attack could have been much worse. I am very disappointed in Avast and CCleaner for allowing this to happen. Fortunately, the damage appears to be minimal and eliminating the threat trivial.
Posted on June 5th, 2017
I have always encouraged people to check their email addresses on sites such as HaveIBeenPwned. If present, your account is included in a known breach, and you should change your passwords immediately. This site has been the standard as far as reported breaches, and the owner stays on top of the latest threats. I recently found Hacked Emails, which offers a very similar service. However, there are two key advantages with this newer service.
First, Hacked Emails constantly scans paste sites and other release resources, and immediately updates its database. This may be redundant information, but the constant update could reveal a compromised account that may not be present on other similar sites. Overall, I now check both of these services monthly for any of my email addresses that may have been compromised.
Second, Hacked Emails offers an API service, with a call from a URL. This means that unlike HaveIBeenPwned, you could submit a search request directly through the address bar of your browser. If your email address is firstname.lastname@example.org, the following address would retrieve your results:
The results may appear like awkward text, but the JSONViewer plugin to your browser would fix that. The main benefit of this type of search versus a standard search through their home page is that you could bookmark this page and always be a click away from the results. I have a handful of these bookmarked, one for each important email account, that I can quickly check for any new compromises. This is great for “Defense” when watching out for your personal accounts, but I also use this as “Offense”.
I often need to verify if an email address is real or fake. The various email verification services no longer work well on most domains, and are extremely unreliable under perfect conditions. Therefore, I use these services to check a target email address. If it appears in a breach, I feel confident it is a real address. If the breach was from 2015 or earlier, I know the account was not a “burner” created last week. Overall, I find these types of checks much more reliable than a traditional email validator. Below is an example of an actual email address search. It identifies the services used, which tells me more about the email address owner. Further, clicking on these links tells me the date of the breach and the types of information stolen and released publicly.
Posted on May 5th, 2017
Many months ago, the OSINT and Privacy communities were buzzing about FamilyTreeNow. This site possessed highly accurate details about most Americans, including home address, telephone numbers, and family members. It allowed an opt-out process for removal of personal data, but most people did not make the effort. Recently, a site that appears to offer a clone of that data has emerged at TruePeopleSearch.com. Even more interesting, the data that was removed from FamilyTreeNow is still present in TruePeopleSearch. I had already removed my personal details from a previous home address from FamilyTreeNow several months ago. The first search for my name on TruePeopleSearch a week ago revealed the same two previously removed records live on this site. This was quite surprising, and it appears extremely likely that the data source for these two sites is the same. I am now curious of how many more sites like these will continue to appear online.
If you would like to search for personal records, navigate to https://www.truepeoplesearch.com
If you would like to remove your records, navigate to https://www.truepeoplesearch.com/removal
Posted on November 19th, 2016
In 2011, I first posted about the importance of a credit freeze. I believe that there is an even greater need today to protect your credit report. The following update includes a fourth service that should be contacted as well as mailing and website address updates. This information should replace the details in the books. A complete PDF guide to a credit freeze is absolutely free after signing up for my newsletter HERE.
People often ask me about paid services such as Lifelock and Identity Guard, and how effective they are at protecting your identity. These services can be very effective, but you pay quite a premium for that protection. Personally, I simply freeze my credit. It’s easy, usually free, and reversible. What is all this frozen credit nonsense? Wikipedia says it best:
“A credit freeze, also known as a credit report freeze, a credit report lock down, a credit lock down, a credit lock or a security freeze, allows an individual to control how a U.S. consumer reporting agency (also known as credit bureau: Equifax, Experian, TransUnion) is able to sell his or her data. The credit freeze locks the data at the consumer reporting agency until an individual gives permission for the release of the data.”
Basically, if your information stored by the four credit reporting bureaus is not available, no institution will allow the creation of a new account to your identity. No credit cards, bank accounts, etc. If someone decides to use your identity, but cannot open any new services, they will find someone else to exploit. I can think of no better motivation to freeze your credit than knowing that no one, even yourself, can open new lines of credit in your name. This does NOT affect your current accounts or credit score and are simple to suspend when needed.
Credit freezes are extremely easy today thanks to State laws that mandate the credit bureaus cooperation. I will walk you through the process.
The first step will determine whether your credit freeze will cost you any money. The fee for the freeze is $10 for each of the four bureaus ($40). While this is well worth the protection, most states have a law that entitles identity theft victims a waiver of this fee. There is a great comparison of state laws on this at THIS LINK, and an interactive tutorial at THIS LINK. Currently, each of the four credit bureaus voluntarily waive this fee for victims of identity theft. A large portion of my readers have had some type of fraudulent financial activity. This may be an unlawful charge to a debit or credit card, or something more serious such as someone opening an account in your name. If you have had any fraudulent charges or activity, contact your local police to obtain a police report. Many departments, such as mine, have a form that the victim completes which becomes the report. Request a copy when complete including a case number.
Complete four packets that will be mailed certified mail. One will go to each of the four credit bureaus. Each packet will include the following.
A letter requesting the credit freeze. This letter should include the following information.
Social Security Number
Date of Birth
The following is an example:
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19022-2000
January 1, 2016
To whom it may concern,
Please accept this letter as an official request for a Security Freeze on my TransUnion credit file. Per your instructions, I have included a photocopy of my driver’s license and recent pay documentation. Below are my details.
John Patrick Doe
1234 Main Street
Chicago, IL 61234
December 1, 1980
I further request waiver of any fees due to my recent status as an identity theft victim in the State of Illinois. I have attached a photocopy of my police report.
Include a copy of your police report if you have one. If you do not have a police report, and do not want the $40 fee waived, you can complete the entire process online at the EACH following three sites.
Enclose a copy of your valid driver’s license or State ID, and a copy of pay stub, utility bill, insurance statement, or another official document that proves your identity. I made a copy of my license and a pay stub, and included this copy to each of the four requests.
These four packets will be addressed to:
Equifax Security Freeze
PO Box 105788
Atlanta, GA 30348
Experian Security Freeze
PO Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19022-2000
Innovis Consumer Assistance
PO Box 26
Pittsburgh, PA 15230-0026
Next, I recommend obtaining a copy of your current credit report, before it is frozen, at http://annualcreditreport.com. Look over this closely, and make sure everything is accurate.
Within a few weeks, sometimes sooner, you will receive a package from each of these bureaus confirming your credit freeze. They will also include a PIN number that you need to keep. This number will be required if you ever want to temporarily or permanently reverse the credit freeze.
If you want to reverse the credit freeze, you can do this online at the above websites. There will be a $10 fee per agency to do this. If you want this fee waived, you need to submit the request via mail again and include another copy of the police report. A temporary un-freeze would be done in the case that you want to establish new credit such as a credit card or loan. Be sure to generate this temporary reversal prior to the loan request, otherwise your loan may be denied. A permanent reversal will completely stop the freeze,and your account will be back to normal. Again, there is that $10 fee each time, which can be waived with a police report.
Unless you are constantly opening new lines of credit or use your credit to purchase real estate often, I highly recommend a credit freeze. It is simply the most effective way of stopping people from using your identity for financial gain. Lately, people are reporting that their under-age children are becoming ID theft victims. This freeze could apply to them as well. This will NOT stop someone from stealing your current credit card numbers. I have tips for that coming soon.
Posted on October 29th, 2016
Bulk ID Finder is a tool which will accept up to 20 Facebook user names and then export the unique user ID for each. This can be beneficial when you have developed multiple targets. Results can be exported to a spreadsheet file. Link:
Posted on October 29th, 2016
OfferUp is an online community for buying and selling products locally that is gaining in popularity nationwide. An attendee of a recent OSINT course in Seattle pointed out a nice strategy when researching sellers. The source code of the posts contain specific latitude and longitude coordinates for the seller’s location. I have not tested the accuracy of these, but this looks promising. Link:
Posted on October 29th, 2016
This is not so much of an online resource, but more of a search strategy. Flickr appears to no longer support search of their photos by the serial number of the camera. However, a detailed search on Google seems to replicate the success. Search:
site:flickr.com “serial” “Serial Number Here”
Posted on October 29th, 2016
Twilio Lookup is yet another reverse caller ID lookup option. This service appears more focused for VOIP users and identified 100% of the cellular numbers that I tested. This page appears to be a demo page displaying the proper server code to generate queries. However, the page is live and accepts unlimited live searches. Link: