How To Blow Your Online Cover With URL Previews

Posted on January 3rd, 2019

Originally posted by Justin Seitz on the Hunchly blog (, and used with permission.

URL previews are a nice feature found in most messaging applications. It allows you to paste a URL to a friend or colleague, and have a handy miniature view of the website you are about to view. The downside is that a lot of applications generate these previews without you knowing that it is happening behind the scenes. In some cases this can equate to you disclosing your public IP address in a manner that you likely wouldn’t want. Don’t forget: when you browse to a website your public IP address is exposed. This is just how the Internet works unless you’re using Tor or a VPN to hide it. The difference with URL previews in messaging applications is that you are broadcasting to the website owner that you are discussing the website, as opposed to just browsing to it. This small and subtle change in context is actually quite an important distinction. You’ll see why very shortly…

A Little History

A few years ago I was on a penetration test where I was attempting to spearphish executives at a well known corporation in Europe. They had one of the most brilliant CISOs I had ever met and an absolutely amazing incident response team on staff. After I sent the initial round of phishing emails I was monitoring my command and control server to look for connections from users, anti-virus, or anything else that might indicate that I was either having some success or was about to be caught. After a few hours there was not a lot of activity until my web server received a connection from an IP address that resolved back to Skype. This was a WTF moment for me since my phishing server was brand new and there didn’t seem to be a good reason why a Skype server would be touching it. A few minutes later another hit from a different Skype server. Now I was really pondering what was going on. Then it dawned on me: someone was discussing my command and control system during a Skype chat, and Skype was generating previews of the phishing site I had setup. I performed a couple of quick tests using my own Skype account, and sure enough, I could reproduce the issue easily. I now knew that the incident response team was on to me, and it was time to switch tactics. But this also raised a much larger issue in my mind when it came to online investigations, incident response and running covert online operations.

How Does This Apply to Online Investigations?

There are two viewpoints here: one is from an investigative standpoint and the second is from the standpoint of you running a covert operation through a website. From the investigative standpoint, if you are passing URLs back and forth with a fellow investigator you may end up notifying your target that you are talking about them. This is exactly how I figured out that the incident response team was on to me during my penetration test. You likely don’t want this to happen. The second standpoint is where you are running a website for a covert online operation. You can monitor for these URL previews and determine that someone is discussing your site, potentially letting you know that your ruse is working or that you might be caught out (again, context is important and mission-dependent here). Either way, it is a unique set of behaviours that can be observed that is not general browsing activity.

Test Results from Various Platforms

I did some quick testing of various messaging clients and services. The test was to simply setup a Python web server on a Digital Ocean droplet ($5/month plan is sufficient). The Python web server just printed out the IP address and headers of the connecting client. I also setup a DNS record specific for this testing so that I could try using IP addresses vs. domain names. WhatsApp was the only service tested that responded differently for IP addresses vs. domain names. Every other service was happy to generate previews for an IP address. There was also no difference between using an HTTP vs. HTTPS URL. Here is a summary of findings:


We, like many other companies, live on Slack so this was the first test I performed. Slack was happy to generate URL previews and identified itself with the following User-Agent:

User-Agent: Slackbot-LinkExpanding 1.0 (+

The IP address of the request was from my publicly facing IP address through my office connection in both mobile and desktop versions of Slack.

Apple Messages

So Messages was an interesting test that had some pretty unique behaviours. If you post a link from Messages on your desktop/laptop it will generate the preview directly from your public IP address as can be expected. The user agent shows:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0

Pretty interesting that you see the Facebot Twitterbot pieces in there but this was actually picked up by a Reddit user as well. Here is where things can be a bit more interesting: if you are sending an SMS phish to a target you can enhance the URL preview experience a little by ensuring you have a file named:


The Messages app will attempt to retrieve this file once it determines that it can successfully reach the target web page. This file will be used in the preview that is generated and could help to entice your target to click the link. It can also be a way of acknowledging the fact that Messages was the application doing the URL preview in the first place.


Wire is pretty interesting. When you post a URL from the app both on desktop and on your mobile phone your public IP address will show up in the logs. However, there are no User-Agent headers that show up. In fact the only header that Wire sends is:

Connection: close

So this in itself is interesting because many of your HTTP clients (browsers, crawlers, bots, etc.) will send additional headers. By Wire stomping out all information this does become a “tell” that perhaps someone is discussing a target site in the Wire application. Further tracking of how often you see this limited set of client headers would have to be done in order to come up with something more statistically relevant than my single observation. Note that in Wire there is a setting in Preferences -> Options called “Create previews for links you send.” If you disable this it will prevent Wire from doing these URL previews. I recommend you do this. Thanks to Michael Bazzell for assistance with this one.


Facebook also announces itself, but it uses Facebook-owned infrastructure to hit the site for a preview. You will see a User-Agent header of:

User-Agent: facebookexternalhit/1.1 (+

It doesn’t use your public IP address but does indicate that someone has posted a link to the target site on their Facebook profile or have sent it via Facebook Messenger. The IP address you see show up will be registered to Facebook so you can use a site like to look it up.


WhatsApp behaves somewhat differently than the other services. It will not honor IP addresses directly but if you type in a domain (and any port) it will attempt to do URL previews. Additionally, it will do continuous requests as you type the URI of the target page as well which generates a lot of traffic. The User-Agent looks like this:

User-Agent: WhatsApp/0.3.1649 N

The request comes from your public IP address.

Services That Didn’t Generate Previews

There were some services that didn’t generate any previews or traffic when pasting links, or typing URLs. Of course you should test this yourself to verify.

Signal (Desktop/Mobile)
Skype (Desktop/Mobile)
Sudo (Mobile)
Threema (Mobile)
Twitter DM (Mobile/Web)
Wickr (Desktop)

All of the mobile testing was done on an iPhone X so there may be differences with Android that aren’t covered here. There are probably a ton of other messaging apps out there that you could test, and you absolutely should. Feel free to let me know and I can update this post with your results.


There are a few things you can do to help mitigate the risk:

Defang your URLs — This is simply the method where you replace the dots and colons with other characters, or use brackets. An example could be:


Defanged: hxxps://www[.]hunch[.]ly

Use a VPN — this is a secondary suggestion really as it is isn’t mitigating the original problem but for the services that are spitting out your public IP address this will at least obscure it.

Filed under OSINT, Privacy, Security | Comments Off on How To Blow Your Online Cover With URL Previews

Data Removal & Credit Freeze Workbook Update

Posted on January 2nd, 2019

Happy new year everyone! What better way to start off than to remove your personal details from the internet and lock down your credit? The latest version of my free workbook is now available at the following link:

Change log:

Several new sites added
Several dead sites removed
Three service links updated
Top 10 list added
Dates with every update. Search “January 2019”


Filed under ID Theft, Privacy, Security | Comments Off on Data Removal & Credit Freeze Workbook Update

Data Breach at Privacy Company Abine/Blur

Posted on December 31st, 2018

Two weeks ago, I was made aware of a data breach that hit close to home for me. Abine, the company that makes the email/cell/credit card masking product Blur is the latest organization to announce that it has been breached. I have recommended Blur on my show and in my books, and I use it every day myself. I have been in communication with Abine since December 17th, 2018, and agreed to delay any reporting until they knew their systems were patched and had a chance to publicly announce the issue, which they did today in a blog post at

Before we all panic, let’s take a look at the exposure.

Access was gained to their systems near the month of January 2018.

Data was stolen in reference to members registered prior to January 2018.

This data included the user’s:
Email addresses
First and last names
Password hints from the MaskMe product
IP addresses used to login to Blur
Encrypted Blur password (encrypted using bcrypt with a unique salt for every user)

There is currently no evidence that external usernames and passwords stored by the password manager feature, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed in this breach. There is also currently no evidence that user payment information was exposed in this breach.

I have accessed my personal details released in the breach. In it, I could see the email address I used during signup (unique junk account), my IP address used during signup (VPN), my name used (alias), and my password (encrypted and unique). I plan to release a special episode of my podcast today in order to tackle some of the issues learned during this breach.

If you used a strong and unique password for Blur, you have little to worry about.
If you used an alias and a VPN, no big concern there.
If you used your real information, you can be searched by those that have access to the data.
Everyone with a Blur account should change their password immediately.

I did not use their password manager, but if I did, I would change every password stored in it out of precaution. We never truly know the extent of the data accessed.

Filed under Hacking, Privacy, Security | Comments Off on Data Breach at Privacy Company Abine/Blur

The Privacy, Security, & OSINT Show – Episode 105

Posted on December 28th, 2018

EPISODE 105: Advanced Disinformation & Telephone Archives

This week I wrap up the discussion about disinformation techniques and present a new OSINT tool that pulls historic phone numbers, names, and addresses.

Listen to all episodes at

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify



Silent Pocket:


10-50 Victim





Q: Let’s say I have a VeraCrypt container that contains my .kdbx password database file.  Now I go in and remove the .kdbx file extension, so Windows just sees this as a generic “file”. If someone somehow cracked into my VeraCrypt container, would they have any way of knowing that file is in fact a KeePass database?  Assuming that I don’t name the file “my_keepass_db”, would this be a valid way to disguise my database? Whenever I need to access the file I could just add the extension back temporarily.

Q: To complete a vetting process, the organization I am working with uses PeopleFacts to complete a back ground investigation. I have provided all of my real life information to this web site with exception to my Social Security Number. What is your take on this risk?

Data Removal Workbook:

Please submit your listener questions at

Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 105

The Privacy, Security, & OSINT Show – Episode 104

Posted on December 21st, 2018

EPISODE 104: Australia vs. Privacy

This week, I talk with Paul Ashley about the Australian Assistance and Access Act and what it means to all of us globally. I also recap the recent OSINT webinar and discuss new ways of searching breach data.

Listen to all episodes at

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify



Pay With Privacy:


Marriott Calls


Paul Ashley



Q: When one prints digital photographic images taken with their digital camera at a self-print machine in the United States, e.g. at a Walmart or CVS pharmacy, are the images and/or metadata from the images stored or uploaded to a company or Kodak server somewhere? What about printing online to store?

Q: In a recent episode, you said you change the name of your travel alias once a year. I assume you stay in hotels frequently and earn reward points. How do you change your travel name without losing your points and upper tier status in the hotel reward program. I’m a platinum plus member with Marriott with nearly 1 million points. I enjoy the perks like Executive lounge access, free high speed Internet, early check in, etc. Do you just forfeit the reward program benefits each year?

Data Removal Workbook:

Please submit your listener questions at

Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 104

The Privacy, Security, & OSINT Show – Episode 103

Posted on December 14th, 2018

EPISODE 103: Intermediate Disinformation, Reputation Management, & Usenet Archives

This week I continue the conversation about disinformation tactics, introduce the idea of future reputation management, and discuss a recent OSINT project collecting Usenet archive data.

Listen to all episodes at

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify



Silent Pocket:


Locked account issues
Taylor Swift’s facial recognition system
Spam messages from email searches


Proactive vs Reactive
Social Networks
Family Trees
Business Listings:
Paste Sites



Q: Have you had success with getting auto insurance for a car titled in a trust?

Q: I will soon be joining the InfraGard and one of their requirement is they will run the background check. Does it mean I will fail their check since I have credit freeze on my account? Should I remove the freeze prior to asking them to run the background check?

Data Removal Workbook:

Please submit your listener questions at

Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 103

Bomb Threat Extortion Emails

Posted on December 14th, 2018

We have been bombarded with email extortion lately. Recently, most of us received an email containing an old password and a threat to expose our internet search history unless we pay a hefty ransom via Bitcoin. We know these are hoaxes. Today, my inbox was full of people asking me about a specific message received at their business. While most of these messages were similar, some had minor wording differences. Here is a redacted example:

Hello.  My man has hidden the explosive device (Tetryl) in the building where your business is conducted. My recruited person built the bomb according to my guide. It can be hidden anywhere because of its small size, it can not damage the structure of the building, but there will be many wounded people if it explodes.

My mercenary is watching the situation around the building. If he sees any unusual behavior or emergency he will blow up the device.

I can withdraw my recruited person if you pay. 20’000 usd is the price for your life. Pay it to me in BTC and I guarantee that I have to call off my recruited person and the bomb will not detonate. But do not try to fool me- my warranty will become valid only after 3 confirms in blockchain network.

It is my BTC address – REDACTED

You have to send money by the end of the working day. If you are late with the payment the bomb will explode.
Nothing personal this is just a business, if you don’t send me the money and the bomb detonates, next time other companies will send me more money, because this isnt a one-time action.
 I will not visit this email account. I monitor my Bitcoin address every 35 min and after receiving the payment I will order my person to leave your district.

If a bomb detonates and the authorities read this email:
We are not terrorists and do not take liability for explosions in other places.

This scam seems to be hitting everything from small businesses to large corporations to government buildings and hospitals. Please spread the word that these are hoaxes, and to always do a bit of research before taking extreme action. I always encourage people to take a small unique sentence from these emails and search it within quotes. It will almost always reveal other sources. In this incident, the wave hit very quickly and online evidence was not present at the peak of the threats. At this time, I am monitoring a handful of BTC addresses, but so far no payments have been made to them (thankfully).

Here are a few articles that hit on “can withdraw my recruited person if you pay”:”can+withdraw+my+recruited+person+if+you+pay”

The “From” email addresses all appear to be either spoofed or hijacked accounts. In this scam, a return email is not necessary, so any address could be used. Unfortunately, I think we will see much more of this.


Filed under Security | Comments Off on Bomb Threat Extortion Emails

The Privacy, Security, & OSINT Show – Episode 102

Posted on December 9th, 2018

EPISODE 102: A Bad Week for Hotels and Their Customers

This week I discuss the Marriott breach, more hotel sextortion, and some Facebook search tips involving locations.

Listen to all episodes at

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify



Pay with Privacy:


Dennis Regan:

Dry Bar Comedy:




Q: I recently discovered I was in a data breach thanks to Name, address and DOB. Email and password and phone number all leaked. All have been changed in regard to email and passwords, But how do you clean up your address and DOB etc when it is leaked. I won’t be moving house and I’m not getting any younger.

Q: I took your advice and purchased an iPod Touch in order to use communications and Sudo from my home without being on a cellular tower. When I went to set it up, Apple demanded a cell number, and I can’t get past that screen. What should I do?

Free Webinar December 14, 2018:

Data Removal Workbook:

Please submit your listener questions at

Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 102

A Few Thoughts on the Marriott Breach

Posted on December 3rd, 2018

You have likely heard about the data breach at Marriott that impacted 500 million people. The best full coverage of this can be read at My inbox was full of questions about this breach, so here are a few thoughts. Note that I will have a detailed summary of the breach and response on this week’s podcast, due out Friday, December 7, 2018.

1) This is not technically a Marriott breach. The breach happened to the Starwood Hotel chain, which Marriott happened to recently purchase. If you stayed at an actual Marriott property, you are not likely affected. If you stayed at a Starwood property over the past four years, such as a Westin, you probably are in this breach.

2) If you are in this breach, the attackers now have your name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. This is quite invasive.

3) Marriott is offering free credit monitoring for one year. I do NOT recommend that you enroll in this. Instead, freeze your credit. (Guide at

4) Change your password for your Starwood Preferred Guest Rewards Program immediately. If you used that password anywhere else, change all references immediately.

5) Watch out for breach-related scams. Email phishing attacks will start to use this incident as bait to get you to click or download things you should not.

6) This is not a Marriott problem, this is a global problem. This does not make Hilton any more secure than Marriott. Every hotel business is vulnerable. This is why I am very selective about providing any personal details to a company. I have always used an alias name at hotels over the past ten years, and paid with either a secondary alias card or a card in an alias name. Some have accused me of being paranoid. I am sure that I am in this breach, but under an alias, with a fake address, a burner telephone number, and a unique form of payment that can be easily closed. I have little concern. Will this change any of your behaviors when companies ask for your name, address, cell, etc?

Please listen to my podcast Friday for many more details and strategies.

Filed under Podcast, Privacy, Security | Comments Off on A Few Thoughts on the Marriott Breach

Updated Data Removal Workbook

Posted on December 2nd, 2018

I have applied several updates to the Hiding From The Internet Free Data Removal Workbook ( It now contains opt-out instructions for 152 invasive websites and a complete tutorial for all six recommended credit freezes. It also now has dates next to each entry for quick updates. I send a huge thanks to everyone in the Forum that passes along their research.

Filed under Privacy, Security | Comments Off on Updated Data Removal Workbook


Recent Posts