OSINT in 60 seconds. Mind reading on TV

TL;DR

• We were asked to help with a Channel 5 consumer education series about online banking scams
• The presenter, Alexis Conran, was to ‘read’ the minds of members of the public walking past a coffee shop
• A release form was signed by the targets, with their name, email, and phone number, then passed surreptitiously to us
• We were given as little as 90 seconds to gather open-source data and pass it to Alexis over an earpiece as he ‘read their minds’
• Despite that significant challenge it was surprisingly successful. This post is about how we did it
• Finally, not shown in the piece, we spent time helping the targets understand how we found the data and showing them how to secure their online presence

Bank scams and how to avoid them, with Alexis Conran

We were asked to help make a TV show about the information that people share online being abused by scammers. The point was to demonstrate how easy it is for skilled individuals who know where to look to find it. Much of it can be obtained in seconds starting using minimal data.

Mind reading tricks

We were tasked with helping Alexis emulate mind reading tricks. We were holed up inside the café while he was outside doing the ‘mind reading’. Using microphones and earpieces information was relayed between us. We used Open-Source Intelligence (OSINT) to provide almost instant responses to Alexis, creating the illusion that the targets’ thoughts were open to him.

Sometimes you don’t even need this level of complexity as people often provide their full name and email (and other details) when booking tickets for example. This could give scammers a head start, allowing them to gather information days or weeks in advance. Did you read those terms and conditions carefully? Where and how is your data going to be used and to what purpose?

It looks like similar techniques were used on Sir Grayson Perry’s stage show, where information was used to identify members of the audience and query details from their social media accounts live on stage. Often this would detail anything from hobbies to political preferences.

Street magic

The ruse was to attract members of the public with street magic demonstrations and mind reading. Everyone participating was asked to sign a release form, this was actually a signed authorisation to perform OSINT on the individual for the purposes of the show, AND to appear on TV.

The opportunity to appear on TV is either appealing, a curiosity, or a complete no no.

These are common con techniques and used by social engineers. The form asked for three things: Full name, email address, and date of birth. Some did read the small print and declined, which was expected.

Top tip #1:
If you are ever asked to provide any personal information always read the small print, ask questions, and do not commit to anything you are not 100% sure of or happy with.

Trust is subjective, and it should not always be about trusting the person in front of you, but also trust in the goods, services, or actions they want you to take. What do they want, why do they want it, and what will they use it for?

Google is the scammers friend

The recording took place last summer in a café in Willesden Green, which had an outside seating area, and we were sat inside. It meant that we could see the target and hear what was being said from microphones carried by Alexis. From the moment the release form was signed we began our searching.

Any OSINT professional will tell you that Google is your friend. Using search engines and other tools we were able to confirm the identity and possible email addresses of most of our targets.

The other tools we used included, the fraud prevention tool SEON, the marketing tool RocketReach, EPIEOS, LinkedIn, 192.com, and the popular social media sites like Facebook, X/Twitter, Instagram.

With three of us on the task we were able to split the searches and share findings immediately with one another and relay this back via an earpiece in Alexis’ ear.  It is fair to say OSINT usually takes time to validate and correlate the information into intelligence and, as a result, there were several failed attempts with either incorrect information or from people who had properly secured their accounts and had a limited exposed online presence.

Top tip #2:
Properly securing your online profiles and using privacy options is our next tip. This makes information gathering very hard.

In one case a visitor from Japan was one of the targets and without any applicable language skills on our team the searches were not going to easily happen in real time. Targets who were UK based, had been in one area for a while, or were quite open in their approach to social media were easier to find.

This is the under reported aspect of OSINT that many do not realise. Just because you have a social media profile and use the internet does not mean an attacker can find the information in seconds, the movies and shows like this make it look trivial, but in many cases OSINT can take time. Correlation is a key tenet of our client investigations, it would be a terrible thing to suggest an executive could be exposed to blackmail for something that is unrelated to them simply because they have the same name and date of birth as another person on the internet.

The big scary Dark Web

Because we had the targets email address, we could do some online searches in areas where data about past breaches can be found. In some parts of the internet, access to past breach data is available, these have usually been leaked from dark web sources, sometimes this is available for free, sometimes behind a small subscription, however, it is not always accurate and current.

Some easily accessible breaches are over a decade old and hold passwords which are no longer in use, were invalid at time of capture, or have been incorrectly cross referenced to accounts that the users have no knowledge of. That does not mean it is not right sometimes, if the targets have not changed a password in a while, they can still be valid. As the show proved we found a valid (complex) password for a target who had not changed that password recently AND had reused it across multiple accounts.

Top tip #3:
Use Have I been Pwned to find breaches where your data may have been compromised, and where you may need to change your password and enable multi-factor authentication.

A grand day out

We really enjoyed working with Alexis. He has been a speaker on the infosec circuit and was one of the keynotes at the inaugural 44CON London security event in 2011. He has always been on the side of the consumer and promoting awareness about cons, scams, and common techniques used by hackers and conmen.

While the pressure of doing OSINT in real time was fun, it was hugely limited compared to our Executive Exposure Assessment service. The information found was great for TV, but did not provide as detailed a picture of the exposure an individual faces when in the cross hairs of a skilled OSINT investigator or an attacker.