As the Internet and the rest of the technological world become more open, cybercriminals are increasingly using OSINT to obtain information about their victims. Since 2013, the number of Google searches for “OSINT” has increased by over 500%, and this trend is not going to slow down anytime soon.
Google searches for 'OSINT' continue to rise in the open technology scene. | Source: Google Trends
Before diving into the specifics of OSINT criminal activity, let's take a step back and go over the basics.
What is OSINT?
OSINT, which stands for Open Source Intelligence, is publicly available data that reveals information about your organization. This information ranges from relatively harmless data like social media accounts to critical vulnerabilities like public S3 buckets and login credentials.
Not all OSINT data collection is malicious. As a company, you can use it to discover vulnerabilities in your company. Individuals also often capitalize on OSINT for activities such as phone number lookups and viewing historical website snapshots.
Hackers, however, use OSINT to perform reconnaissance on their targets. A quick Google search for “OSINT tools” exemplifies the plethora of resources criminals have at their disposal. OSINT Structure even provides a categorized list of hundreds of OSINT tools that anyone can use.
This image shows a tiny representation of the publicly available list of OSINT tools. | Source: OSINT Structure
What information can hackers collect with OSINT?
There is a seemingly infinite amount of information that hackers can collect about your company using various OSINT techniques. The following are the most critical.
It is not efficient for criminals to reach every member of your organization with a phishing scam. Using OSINT, however, they are able to discover and eventually target employees who have administrative access to critical business applications. Here we describe a simple example.
Hackers use LinkedIn's search function to quickly find employees with titles like "System Administrator" or "Server Administrator". From there they go to an email search engine such as Hunter to look up the appropriate email addresses. Even if they can't discover the distinct addresses of specific employees, attackers can get close. Many email search engines provide the typical naming convention for each company.
Email search engines make phishing research very easy. | Source: Hunter
The phisher now has the business email addresses of critical employees. By itself, this is not a serious vulnerability. However, the attacker usually has other information as well. Through social media accounts, geolocations, usernames and additional public OSINT records, our hacker can craft an incredibly accurate phishing email, fooling even the most vigilant of employees.
Humans are notoriously bad at password security. According to a 2018 report by LastPass, only 45 percent of companies use two-factor authentication and 50% of people don't create separate passwords for personal and work accounts. Once again, let's see how a hacker can take advantage of these statistics using OSINT.
Tech/software companies are the most likely to implement two-factor authentication, with banking/financial businesses a distant second. | Source: LastPass 2018 Global Password Strength Report
Brute-force guessing is a good, albeit time-consuming, strategy for retrieving credentials. However, OSINT resources such as a downloadable list of exposed passwords significantly reduce this time. That list includes more than passwords: it also contains the number of times a given password has appeared in a data breach, effectively presenting a list of the most common passwords.
Again, through social media searches, an attacker can find out which people hold critical positions in your company – positions with access to git repositories, for example.
If only half of all people separate work from personal passwords, it's safe to assume even fewer separate usernames. So, to an attacker, figuring out git repository usernames is a relatively trivial matter. Additionally, services like Namechk reveal whether a username is used across platforms, allowing attackers to validate their assumptions.
With a list of verified usernames and common passwords, hackers can perform an ultra-efficient brute force attack.
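The same breach-frequency data works for defenders: refuse any new password that already appears in it. The sketch below is an added example, not code from the original article; the `SHA-1:count` line format, the function names and the sample counts are assumptions made for illustration.

```python
import hashlib

def _line(password, count):
    # Helper used only to build the constructed sample list below.
    return f"{hashlib.sha1(password.encode('utf-8')).hexdigest().upper()}:{count}"

# Constructed sample standing in for a downloaded breach list.
# Assumed format: "<SHA-1 hex>:<times seen in breaches>", one entry per line.
SAMPLE_LIST = "\n".join([
    _line("123456", 2500000),
    _line("password", 900000),
    _line("Summer2018!", 140),
])

def load_breach_counts(text):
    """Parse 'HASH:count' lines into {hash: count}, skipping malformed lines."""
    counts = {}
    for raw in text.splitlines():
        digest, sep, count = raw.strip().partition(":")
        if sep and len(digest) == 40 and count.isdigit():
            counts[digest.upper()] = int(count)
    return counts

def breach_count(password, counts):
    """How many times this password appears in the breach data (0 if never)."""
    # SHA-1 is used only to match the list's lookup key, never for storage.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return counts.get(digest, 0)

def check_new_password(password, counts, max_seen=0):
    """Return (accepted, times_seen); reject anything seen more than max_seen."""
    seen = breach_count(password, counts)
    return (seen <= max_seen, seen)

if __name__ == "__main__":
    counts = load_breach_counts(SAMPLE_LIST)
    for candidate in ("password", "Summer2018!", "correct horse battery staple 42"):
        print(candidate, check_new_password(candidate, counts))
```

Run at password-set or password-change time, this takes the most common breached passwords off the table before an attacker's list can match them.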
Exposed Servers, Devices, and Applications
OSINT expands beyond human vulnerabilities. There is also a plethora of tools that reveal networking information about your business. Let's take a look at another type of threat: the DNS hack.
A standard DNS hack starts with an attacker locating the nameservers for a target domain. A simple search on DNS Checker reveals this information.
From there, a hacker can attempt a zone transfer (transfer of data between nameservers). If the server is misconfigured, it will allow the transfer and send crucial details about your business infrastructure, such as your subdomains, to the attacker. With this information, a hacker can exploit vulnerabilities such as unmaintained infrastructure or a server lacking critical security patches.
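On the defending side, the nameserver's own logs show whether zone transfers are being attempted or, worse, answered. The following added example (not from the original article) reviews transfer log lines against a list of approved secondaries; the log lines are constructed and modelled on BIND 9 messages, whose exact format is an assumption and varies by version, and the secondary's address is hypothetical.

```python
import re

# Constructed log lines modelled on BIND 9 transfer messages (format assumed).
# All addresses come from documentation ranges.
SAMPLE_LOG = """\
12-Mar-2024 10:01:07.120 client @0x7f1 192.0.2.53#40112 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 10:14:55.004 client @0x7f2 203.0.113.77#51514 (example.com): zone transfer 'example.com/AXFR/IN' denied
12-Mar-2024 10:15:02.871 client @0x7f3 198.51.100.9#38822 (corp.example.com): transfer of 'corp.example.com/IN': AXFR started (serial 2024031105)
"""

APPROVED_SECONDARIES = {"192.0.2.53"}  # hypothetical secondary nameserver

LINE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?"
    r"(?:transfer of '(?P<ok>[^'/]+)/IN': AXFR started"
    r"|zone transfer '(?P<no>[^'/]+)/AXFR/IN' denied)"
)

def review_transfers(log_text, approved):
    """Return (kind, zone, client_ip) for every transfer event worth a look."""
    findings = []
    for line in log_text.splitlines():
        match = LINE.search(line)
        if not match:
            continue
        ip = match.group("ip")
        if match.group("ok") and ip not in approved:
            # The server answered an AXFR from a host that is not a secondary.
            findings.append(("LEAKED", match.group("ok"), ip))
        elif match.group("no"):
            # Refused, but someone is probing: useful early warning.
            findings.append(("PROBE_DENIED", match.group("no"), ip))
    return findings

if __name__ == "__main__":
    for finding in review_transfers(SAMPLE_LOG, APPROVED_SECONDARIES):
        print(finding)
```

A `LEAKED` finding means the zone's transfer ACL needs to be restricted to the approved secondaries; `PROBE_DENIED` entries show the restriction is working and who is testing it.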
Tools such as SpiderFoot help hackers connect the dots between geolocations, IP addresses, domain ownership, registry servers, subnets, and other parts of a company's infrastructure.
SpiderFoot presents the connections between OSINT data in a visual way. | Source: SpiderFoot
But, as we mentioned earlier, hackers are not the only entities using OSINT. Working with his own product, Steve Micallef, the creator of SpiderFoot, managed to gather some identifiable information about the pesky Elon Musk scammers currently plaguing the cryptocurrency industry.
Public S3 Buckets
Practicing proper Amazon Web Services (AWS) storage procedures is easy enough on paper, but even the biggest companies fail to do this. Hackers often exploit public S3 buckets to obtain user data, credentials, and a host of other sensitive information.
With the growth of OSINT, we've also seen an increase in software that puts efficient S3 bucket mining just a few clicks away. The staff of Gray Hat War created a search engine dedicated to combing through public S3 buckets and exposing vulnerabilities. If you haven't already, it's imperative to research your own business and find out what information you are inadvertently revealing.
You should also routinely check your S3 bucket settings to ensure your privacy and monitor them for any suspicious activity.
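A routine settings check can be scripted. The added example below (not from the original article) audits one bucket's public access block, ACL grants and bucket policy for public exposure; the dict keys and bucket names are hypothetical, and the sample settings are constructed to resemble what the S3 API returns for those three settings.

```python
import json

PUBLIC_GROUPS = {  # S3 predefined groups that mean "anyone"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_principal(principal):
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)

def audit_bucket(cfg):  # returns human-readable findings for one bucket
    findings = []
    pab = cfg.get("public_access_block") or {}
    off = [k for k in PAB_KEYS if not pab.get(k)]
    if off:
        findings.append("public access block off: " + ", ".join(off))
    for grant in cfg.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    policy = json.loads(cfg["policy"]) if cfg.get("policy") else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _any_principal(stmt.get("Principal")):
            note = " (conditional, review by hand)" if stmt.get("Condition") else ""
            findings.append(f"policy allows {stmt.get('Action')} to any principal{note}")
    return findings

# Constructed sample settings; bucket names and dict keys are hypothetical.
SAMPLE_BUCKETS = {
    "corp-public-assets-example": {
        "public_access_block": None,
        "acl_grants": [{"Grantee": {"Type": "Group", "URI":
                        "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}],
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::corp-public-assets-example/*"}]}),
    },
    "corp-backups-example": {
        "public_access_block": dict.fromkeys(PAB_KEYS, True),
        "acl_grants": [], "policy": None,
    },
}
```

Calling `audit_bucket` on each entry of `SAMPLE_BUCKETS` returns three findings for the first bucket and an empty list for the second.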
How to Secure Your Business Using OSINT
Since many of these OSINT tools are publicly available, you are on equal footing with potential hackers. Run the same checks your attackers would to see what information your company is exposing to the world.
Don't know where to start? Run your business through our free OSINT check to see what vulnerabilities you might have.