Category: Privacy

The Privacy, Security, & OSINT Show – Episode 287

EPISODE 287-Listener Questions, UNREDACTED 5, & OSINT 10

This week I present the latest issue of UNREDACTED Magazine, publish my new OSINT book, and tackle numerous listener questions.

Direct support for this podcast comes from our privacy services, online training, and new book for 2023  Open Source Intelligence Techniques (10th Edition). More details can be found at IntelTechniques.com. Thank you for keeping this show ad-free.


SHOW NOTES:

INTRO:

No Agenda Podcast

UNREDACTED 005:

https://inteltechniques.com/magazine.html

OSINT 10:

https://inteltechniques.com/book1.html
https://inteltechniques.com/tools

LISTENER QUESTIONS:

Conversation with Naomi Brockwell from nbtv.media


Free Guides: https://inteltechniques.com/links.html

Affiliate Links:
OSINT Techniques (10th): https://amzn.to/3VIlP74
Extreme Privacy (4th): https://amzn.to/3D6aiXp
Proton Mail: https://go.getproton.me/aff_c?offer_id=7&aff_id=1519
Proton VPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=277


The Privacy, Security, & OSINT Show – Episode 286

EPISODE 286-Closing Out 2022

This week I offer some year-end privacy and security considerations, disclose another benefit of breach data, and announce the annual listener questions show.

Direct support for this podcast comes from our privacy services, online training, and new books for 2022: Extreme Privacy (4th Edition) and  Open Source Intelligence Techniques (9th Edition). More details can be found at IntelTechniques.com. Thank you for keeping this show ad-free.


SHOW NOTES:

INTRO:

Jeopardy!

NEWS & UPDATES:

Listener Questions
OSINT Techniques Book
UNREDACTED Magazine
https://inteltechniques.com/blog/2022/12/12/uncovering-a-stalker-with-breach-data/

CLOSING OUT 2022:

Clean Devices
Update Devices
Scan Devices
Backups
Comms Audit
Home security audit
Financial Audit


Free Guides: https://inteltechniques.com/links.html

Affiliate Links:
Extreme Privacy (4th): https://amzn.to/3D6aiXp
Proton Mail: https://go.getproton.me/aff_c?offer_id=7&aff_id=1519
Proton VPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=277


Uncovering a Stalker with Breach Data

In 2019, a client of mine suffered a terrifying case of harassment which lasted many months. It included numerous threatening text messages, countless emails, and two physical package deliveries. It caused her to embrace an anonymous life with a full privacy reboot. She now lives in an anonymous home, and sleeps well at night knowing that no one can find her. However, it understandably has bothered her to not know the identity of her adversary. Today, she knows, and has allowed me to share redacted details about the investigation.

A website called "Get Revenge On Your Ex" (https://www.getrevengeonyourex.com) has been around for over a decade. It is one of many services which will blast text messages and emails to any victim for a small fee. With so many ways to harass people anonymously today, I don't think it is used as much as previous years. However, it has been on my radar for some time. I previously had no evidence this service was used as part of the harassment campaign targeting my client, but I do now. In September 2022, the site was breached and all user data was stolen. The post is below.

Below is the current view of the breached website.

When we digest data breaches, leaks, logs, and ransomware, our offline system immediately queries various client data to identify any new exposure. This new data set hit on my client's cellular telephone number. This breach included a file titled "v2ordersms.txt", which appears to contain every outgoing message sent by this service since 2009. This file includes entries for "phone", "message", and "timestamp". A fictitious entry would appears as follows.

"2025551212,I'm going to kill you,2021-01-01 00:11:49"

I will only display fictitious details throughout this post, but I will include the proper format of data in order to follow along with the investigation. I reviewed our internal reports and verified that the text message from this file matched the threat received by my client, as well as the cellular number associated with the message. This breach included numerous files extracted from the service, but it was difficult to associate a specific message with the suspect who purchased the harassment. While there were files which included the email addresses and plain-text passwords of all customers of this service, I could not immediately tie one account to the threatening texts, emails, or packages received by my client. Therefore, I began analyzing the timestamps.

In the previous example, the message was sent on 2021-01-01 at 00:11:49. I do not know which time zone this was, but I do know the date(s). I also acquired the dates of other messages sent to my client by the unknown suspect. I then opened a file called "v2rawpaypal.txt" from this breach. It contained all PayPal transactions in chronological order. I immediately noticed the following record (modified for privacy).

"2xxxx, "Thu, 01 Jan 2021 13:", Sale value: USD 2.96, Jon Doe, 111 south main, Apt 200, Los Angeles, California, 90000, 717.115.134.94, [email protected], The above payment has been processed. security code comparison - matched postcode comparison"

I immediately accessed the file titled "v2paypal.txt" to compare the purchase with PayPal details from another view, and they matched:

"717.115.134.94, Anonymous SMS, [email protected], 2021-01-01 at 00:17:42"

NOTE: These modified examples simply show the structure. The data I discovered included what appeared to be a real name, email address, and IP address. These entries identified that "[email protected]" from IP Address "717.115.134.94" ordered a fake SMS from this service and paid via PayPal the amount of $2.96. I then compared the orders from additional dates to my report and saw the same person's details each time.  This was much more than a coincidence.

Surely they used a VPN, right? Nope:

"OrgName: Charter Communications Inc Comment: Legacy Time Warner Cable IP Assets"

This doesn't tell me anything about the suspect, but a subpoena would. Unfortunately, I no longer have that power. However, I now have a suspect. I contacted my client and offered the details. She did not recognize the name and email at first, but called me later after she realized it was a man she worked with for a short period of time in 2020. I now feel confident that we know the identity of the suspect. I now let her decide how we proceed.

I post this to highlight the benefits of breach data. While most breaches include damaging details which could harm innocent victims, we occasionally encounter a breach which shares the exposure with criminals who think they are anonymous. I believe these are the successes which should be discussed when the ethics of data access are debated.

Oh, and if you are one of the 71,000 customers of "Get Revenge On Your Ex" who used PayPal to pay for the service, you are extremely exposed. Once online investigators start digging into this data, you may be the one who feels harassed.