We were asked to help make a TV show about the information that people share online being abused by scammers. The point was to demonstrate how easy it is for skilled individuals who know where to look to find it. Much of it can be obtained in seconds starting using minimal data.
We were tasked with helping Alexis emulate mind reading tricks. We were holed up inside the café while he was outside doing the 'mind reading'. Using microphones and earpieces information was relayed between us. We used Open-Source Intelligence (OSINT) to provide almost instant responses to Alexis, creating the illusion that the targets' thoughts were open to him.
Sometimes you don’t even need this level of complexity as people often provide their full name and email (and other details) when booking tickets for example. This could give scammers a head start, allowing them to gather information days or weeks in advance. Did you read those terms and conditions carefully? Where and how is your data going to be used and to what purpose?
It looks like similar techniques were used on Sir Grayson Perry’s stage show, where information was used to identify members of the audience and query details from their social media accounts live on stage. Often this would detail anything from hobbies to political preferences.
The ruse was to attract members of the public with street magic demonstrations and mind reading. Everyone participating was asked to sign a release form, this was actually a signed authorisation to perform OSINT on the individual for the purposes of the show, AND to appear on TV.
The opportunity to appear on TV is either appealing, a curiosity, or a complete no no.
These are common con techniques and used by social engineers. The form asked for three things: Full name, email address, and date of birth. Some did read the small print and declined, which was expected.
_Top tip #1:
__If __you are ever asked to provide any personal information always read the small print, ask questions, and do not commit to anything you are not 100% sure of or happy with. _
Trust is subjective, and it should not always be about trusting the person in front of you, but also trust in the goods, services, or actions they want you to take. What do they want, why do they want it, and what will they use it for?
The recording took place last summer in a café in Willesden Green, which had an outside seating area, and we were sat inside. It meant that we could see the target and hear what was being said from microphones carried by Alexis. From the moment the release form was signed we began our searching.
Any OSINT professional will tell you that Google is your friend. Using search engines and other tools we were able to confirm the identity and possible email addresses of most of our targets.
The other tools we used included, the fraud prevention tool SEON, the marketing tool RocketReach, EPIEOS, LinkedIn, 192.com, and the popular social media sites like Facebook, X/Twitter, Instagram.
With three of us on the task we were able to split the searches and share findings immediately with one another and relay this back via an earpiece in Alexis’ ear. It is fair to say OSINT usually takes time to validate and correlate the information into intelligence and, as a result, there were several failed attempts with either incorrect information or from people who had properly secured their accounts and had a limited exposed online presence.
_Top tip #2:
_P__roperly securing your online profiles and using privacy options is our next tip. This makes information gathering very hard.
In one case a visitor from Japan was one of the targets and without any applicable language skills on our team the searches were not going to easily happen in real time. Targets who were UK based, had been in one area for a while, or were quite open in their approach to social media were easier to find.
This is the under reported aspect of OSINT that many do not realise. Just because you have a social media profile and use the internet does not mean an attacker can find the information in seconds, the movies and shows like this make it look trivial, but in many cases OSINT can take time. Correlation is a key tenet of our client investigations, it would be a terrible thing to suggest an executive could be exposed to blackmail for something that is unrelated to them simply because they have the same name and date of birth as another person on the internet.
Because we had the targets email address, we could do some online searches in areas where data about past breaches can be found. In some parts of the internet, access to past breach data is available, these have usually been leaked from dark web sources, sometimes this is available for free, sometimes behind a small subscription, however, it is not always accurate and current.
Some easily accessible breaches are over a decade old and hold passwords which are no longer in use, were invalid at time of capture, or have been incorrectly cross referenced to accounts that the users have no knowledge of. That does not mean it is not right sometimes, if the targets have not changed a password in a while, they can still be valid. As the show proved we found a valid (complex) password for a target who had not changed that password recently AND had reused it across multiple accounts.
_Top tip #3:
Use Have I been Pwned to find breaches where your data may have been compromised, and where you may need to change your password and enable multi-factor authentication. _
We really enjoyed working with Alexis. He has been a speaker on the infosec circuit and was one of the keynotes at the inaugural 44CON London security event in 2011. He has always been on the side of the consumer and promoting awareness about cons, scams, and common techniques used by hackers and conmen.
While the pressure of doing OSINT in real time was fun, it was hugely limited compared to our Executive Exposure Assessment service. The information found was great for TV, but did not provide as detailed a picture of the exposure an individual faces when in the cross hairs of a skilled OSINT investigator or an attacker.
The post OSINT in 60 seconds. Mind reading on TV first appeared on Pen Test Partners.