Every action we take online leaves a digital footprint. This is also true for businesses, which may not be aware of the information that is publicly available online about them or the digital footprints that their employees leave. This provides an opportunity for fraudsters to engage in fraudulent activities, as the information is easily accessible on the internet.
Fraudsters use open-source intelligence (OSINT), the collection and analysis of publicly available information, without resorting to illegal hacking or other invasive techniques. When combined, this information can form a thorough picture of a person or group, assisting in various fraudulent schemes.
One notable real-life case involving a fraudster using OSINT to commit fraud is the case of "Hushpuppi," whose real name is Ramon Olorunwa Abbas. Hushpuppi was known for flaunting his extravagant lifestyle on social media, particularly on Instagram. However, behind this facade of wealth, he was involved in extensive cybercrime activities. Hushpuppi and his associates used OSINT techniques to gather information about potential targets. This included mining social media platforms, company websites, and other publicly available sources to identify high-value targets. They created spear-phishing emails and spoofed emails to trick employees of target companies into revealing sensitive information or transferring large sums of money.
In June 2020, Hushpuppi was arrested by the Dubai Police in a coordinated operation with the FBI. The raid, dubbed "Fox Hunt 2," led to the seizure of more than $40 million in cash, 13 luxury cars worth $6.8 million, and phone and computer evidence containing 119,580 fraud files and the addresses of nearly two million victims.
Types of Information Targeted by Fraudsters
Fraudsters seek a variety of information through OSINT, including but not limited to:
1. Personally Identifiable Information (PII): Names, addresses, phone numbers, email addresses, dates of birth, and social security numbers.
2. Financial Information: Bank details, credit card numbers, financial transactions, and tax records.
3. Employment Information: Job titles, work history, salaries, and employer details.
4. Social Connections: Friends, family members, colleagues, and business associates.
5. Behavioral Data: Interests, hobbies, frequent locations, and online activities.
By aggregating this information, fraudsters can craft highly targeted and convincing attacks.
Methods Fraudsters Use OSINT to Commit Fraud
The following are common methods fraudsters use, based on the OSINT they have gathered:
1. Social Engineering Attacks
Social engineering involves manipulating individuals into divulging confidential information. OSINT provides the necessary details to make these manipulations more convincing. For example:
- Phishing: Fraudsters use gathered information to craft personalized emails that appear legitimate, tricking individuals into clicking malicious links or providing sensitive information.
- Vishing and Smishing: Similar to phishing, but conducted via phone calls (vishing) or SMS messages (smishing). Detailed personal data enhances the credibility of these scams.
- Pretexting: Creating a fabricated scenario to steal information, such as posing as a bank representative or government official.
2. Business Email Compromise (BEC)
BEC is a type of scam where fraudsters gain access to a business email account or impersonate an executive to trick employees into transferring money or sensitive data. OSINT is used to:
- Identify high-ranking officials within a company.
- Gather information about their communication styles and typical activities.
- Craft convincing emails that appear to come from these executives.
3. Identity Theft
Fraudsters use OSINT to steal identities by collecting personal information such as social security numbers, addresses, and birth dates. This information is then used to:
- Open new bank accounts and credit cards.
- Apply for loans.
- File fraudulent tax returns to claim refunds.
- Conduct unauthorized transactions.
4. Credential Stuffing and Account Takeovers
Many people reuse passwords across multiple sites. Fraudsters use OSINT to find usernames and email addresses, then employ automated tools to try these credentials on various platforms. If successful, they gain unauthorized access to accounts, which can lead to:
- Financial theft.
- Stealing sensitive information.
- Gaining access to other linked accounts.
5. Reconnaissance for Larger Attacks
OSINT is often the first step in more sophisticated cyber-attacks. Fraudsters use it for reconnaissance to:
- Map out an organization’s structure and identify key systems.
- Find vulnerabilities in networks and software.
- Plan more elaborate attacks, such as ransomware or data breaches.
Case Studies and Examples
1. Social Media Exploitation
A fraudster collects information from an individual's LinkedIn profile, including their job title, employer, and work email. They then send a phishing email that appears to be from the company's IT department, asking the individual to update their login details. Once the fraudster has these details, they can access the company’s network.
2. Public Record Misuse
By searching public records, a fraudster finds a property owner’s details, including their mortgage information. They then contact the individual, posing as a mortgage lender, and trick them into providing additional personal and financial information, leading to identity theft.
3. Corporate Espionage
A competitor uses OSINT to gather detailed information about a rival company’s new product launch. By piecing together data from press releases, employee social media posts, and public forums, they gain insights into the product features and release date, allowing them to preemptively counter the launch.
Preventive Measures
There are several preventative steps that can be used to reduce the likelihood of fraud:
1. Awareness and Training
Educating individuals and organizations about the risks of OSINT and how their publicly available information can be exploited is crucial. Regular training on recognizing social engineering tactics and safeguarding personal data is essential.
2. Privacy Settings and Information Minimization
Encouraging the use of stringent privacy settings on social media and other platforms can reduce the amount of accessible information. Additionally, individuals should be cautious about the amount and type of information they share publicly.
3. Regular Audits and Monitoring
Organizations should conduct regular audits of their digital footprint to identify and mitigate potential risks. Monitoring for unauthorized access or unusual activities can help detect fraud attempts early.
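As an illustration of monitoring for the credential stuffing pattern described earlier, the following added example (not part of the original article) flags source IPs that try many distinct accounts with a high failure rate and lists any accounts that did log in from them. The log format, thresholds, and sample lines are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample log: timestamp, source IP, username, result (format is an assumption).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave@example.com OK
2024-05-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-05-01T10:02:10Z 198.51.100.20 bob@example.com FAIL
2024-05-01T10:02:25Z 198.51.100.20 bob@example.com OK
2024-05-01T10:05:00Z 192.0.2.44 carol@example.com OK
"""

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts and mostly fail."""
    users = defaultdict(set)       # ip -> usernames attempted
    successes = defaultdict(set)   # ip -> usernames that logged in
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:        # skip blank or malformed lines
            continue
        _, ip, user, result = parts
        users[ip].add(user)
        attempts[ip] += 1
        if result == "OK":
            successes[ip].add(user)
        else:
            failures[ip] += 1
    flagged = {}
    for ip, seen in users.items():
        ratio = failures[ip] / attempts[ip]
        if len(seen) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(seen),
                "fail_ratio": round(ratio, 2),
                # Accounts that authenticated from a flagged source need a reset.
                "needs_reset": sorted(successes[ip]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

A single user mistyping a password, like the second IP in the sample, stays below the distinct-account threshold and is not flagged.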
4. Multi-Factor Authentication (MFA)
Implementing MFA adds an additional layer of security, making it harder for fraudsters to gain access to accounts even if they have obtained login credentials.
5. Use of Anti-Phishing Tools
Employing anti-phishing tools and services can help detect and block phishing attempts, protecting users from fraudsters who use OSINT to craft convincing phishing emails.
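One kind of check such tools apply against the executive impersonation described in the BEC section, shown here as an added example that is not part of the original article: compare an inbound message's display name, sender domain, and Reply-To against a known executive directory. The directory, the `example.com` organization domain, the similarity threshold, and the sample messages are assumptions constructed for illustration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's real mail domain

def normalize(name):
    """Lowercase and sort name tokens so 'Doe, Jane' matches 'Jane Doe'."""
    return " ".join(sorted(name.lower().replace(",", " ").split()))

# Assumption: a small directory of executives and their real addresses.
EXECUTIVES = {normalize("Jane Doe"): "jane.doe@example.com"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message, lookalike_threshold=0.85):
    """Return a list of impersonation indicators found in the headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    dom = domain_of(addr)
    findings = []
    expected = EXECUTIVES.get(normalize(name))
    if expected and addr.lower() != expected:
        findings.append("executive-display-name-mismatch")
    if dom and dom != ORG_DOMAIN:
        similarity = difflib.SequenceMatcher(None, dom, ORG_DOMAIN).ratio()
        if similarity >= lookalike_threshold:
            findings.append("lookalike-domain")
    if reply_to and domain_of(reply_to) != dom:
        findings.append("reply-to-domain-differs")
    return findings

# Constructed sample messages.
SPOOFED = ('From: "Jane Doe" <jane.doe@examp1e.com>\n'
           "Reply-To: jane.doe.ceo@mailbox.test\n"
           "Subject: Urgent wire transfer\n\nPlease process today.\n")
EXTERNAL = ('From: "Doe, Jane" <jd.office@mail.test>\n'
            "Subject: Quick favor\n\nAre you at your desk?\n")
LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
         "Subject: Board meeting\n\nAgenda attached.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("external", EXTERNAL), ("legit", LEGIT)):
        print(label, bec_indicators(raw))
```

These header checks complement, rather than replace, sender authentication results such as SPF, DKIM, and DMARC.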