OSINT for SecOps: How to Tap into Open Source Intelligence
The concept of OSINT encompasses myriad sources of data, some of which virtually everyone accesses regularly. But open data repositories offer a wealth of additional potential that’s not widely acknowledged but can be put to use to fight fraud. Let’s explore how you can put open source intelligence to work within your organization.
Editor’s Note: This is a guest blog contribution from Gergo Varga, a long-time risk analyst and tech evangelist for SEON. Gergo shares his perspective on how businesses and other organizations can use open source intelligence (OSINT) to their advantage to fight fraud and improve security.
As a term, “OSINT” may not be as recognizable as some other tech-adjacent buzzwords. In fact, we can safely say it’s not a buzzword at all. GMI reports that the open source intelligence market is projected to exceed $20 billion by 2027, which is more than a four-fold increase from the over $5 billion it was worth in 2020. Despite its ever-increasing importance and potential, many are not aware of how helpful and wide-ranging the applications of OSINT can be.
But what is OSINT and how can you put it to use within your organization?
Let’s hash it out.
What Is OSINT? Open Source Intelligence Explained
It would be helpful to define OSINT to start with. According to Maltego, open source intelligence, or OSINT, is “intelligence produced from publicly available information that is collected, analyzed and shared” within the context of helping a specific investigation.
Such an investigation can range from basic personal curiosity to tedious research undertaken by national defense experts — and everything in between. For instance, the examples presented in the SEON guide on OSINT shine a light on its use by various entities, including:
- Law enforcement and governmental services
- Private investigators
- HR professionals
- Fraud analysts
As such, it’s easy to see that OSINT tools and data can be used for good and bad purposes alike.
The history of exploiting open source information goes back further than many would expect. Similarly to how digital and traditional espionage homes in on intercepting secret information, OSINT operations comb through open, publicly available data to find useful information that might have slipped through the cracks, or bits of information that, when analyzed, help reach important conclusions – in government, business, security and so many more fields.
The use of OSINT by government bodies started with the Foreign Broadcast Monitoring Service in the U.S. in 1941 and the Digest of World Broadcasts by the BBC in 1939. Their aim? To scour through foreign publications and broadcasts in order to identify and gather information useful to the war effort.
OSINT Is About Data Quality, Not Quantity
Any information that is openly available to the public is considered part of OSINT. Some quick examples of these data sources include:
- All news media
- Public online posts
- Databases available upon request
- Publicly searchable web pages (clear web)
- Census data
- Books and journals
Therefore, with OSINT, the question is not one of availability of data. Rather, it’s about using the right methodology that will allow one to extract the right data, clean it up, process and combine it using as few resources as possible. Ideally, this would be done using automation (which we’ll talk about later) so that intelligence experts and fraud analysts can focus on making sense of it rather than doing the manual labor.
Examples of OSINT Tools
OSINT tools available today, both free and paid, include:
- Google search engine — the quintessential free OSINT tool
- Maltego — data visualization app that helps you expedite investigations
- Spokeo — accurate search engine for U.S. citizen records
- Recon-ng — to gather technical information about website domains
- Academia.edu — for peer-reviewed academic research
- Shodan — search engine for internet-connected devices
- Builtwith — website profiler that includes site relationship data
OSINT in the Service of Fraud and Security (Depending On Who Uses the Data)
A strong case in point for the ongoing and ever-important use of OSINT is found in the anti-fraud sector – as well as for how far open data can take us and how much more it has to offer. Because of how most people tend to interact with the internet and online profiles and platforms, there are several data points to be gleaned from simple, readily provided first-party data:
- Email addresses
- Phone numbers
- Dates of birth
- Addresses and location
- Family members, friends, and other associated parties
Using only open source, non-private information, these data points can reveal ample information about their owners in almost every case. Even the absence of information is important.
Fraudsters will always take steps to hide their real identity, of course. These include several layers of proxies and onion routing, for instance: Onion over VPN (as explained by ExpressVPN in a guide); synthetic identities, using the information of existing people found in leaks or bought in the dark web; and deploying a variety of other tools that conceal their location, computer infrastructure and intentions. But the very tools they use to hide can still help us catch them, with anti-fraud platforms considering users who have VPNs and proxies activated as more suspicious, for example.
Specifically, OSINT can help identify suspicious users in the following scenarios:
- Onboarding a new user (various verticals)
- Accepting a card-not-present (CNP) transaction (ecommerce, subscriptions, etc.)
- Accepting a withdrawal (such as online trading, iGaming)
- Underwriting (microfinancing, fintech, banking, etc.)
A Brief Overview of How OSINT Works
Once you’ve specified the information you’re looking to benefit from, the OSINT process is usually as follows:
- Identify one or more data sources that could help your search.
- Harvest the relevant information from the sources. This can be done manually or with the help of data enrichment or other tools.
- The data gathered will enrich your primary dataset.
- Once the research has concluded, the data is ready to be reviewed and analyzed.
How You Can Use Open Source Intelligence Data to Stop Fraudsters
Let’s consider a simple example of how you can use open source data to protect your business’s reputation and customers. Say, a fraudster wants to purchase an expensive item with a stolen credit card, which has already been checked and is live, with funds available. Said criminal sets up a variety of precautions, signs up for a new free email account, and uses that email to create an account at the ecommerce store that you own.
With OSINT, this email address can be used in a Google search as well as queries on some popular social media networks and platforms, which – let’s say – show us that:
- No Twitter profile is linked to this address
- No Facebook profile is linked to this address
- No Instagram profile is linked to this address
- The email has never been listed in any known data breaches
Although it is not definitive proof of anything, all of these results are red flags. Most people are going to be active on at least a couple of social networks. Meanwhile, finding an email address in a data breach shows us that the email address in question has been in use since at least the date of that breach.
From this information, fraud analysts will be aware that this person is likely to be a fraudster. They’ll ideally also look into additional data points, such as IP analysis, behavior, browser and device hash, etc. However, the above information by itself is enough to constitute a reason to deploy steps to confirm this person’s identity, such as calling them on the phone or asking them to upload proof of ID.
Although burner phone apps are employed by scammers as well, as ROCCO Strategy explains in an article, these are almost always to set up other types of scams and unlikely to have been set up just for a run-of-the-mill reshipping scheme, of the type we’re explaining here.
Meanwhile, OSINT data isn’t just useful because there’s so much of it; in fact, it also helps simplify the shopper journey and prevent churn, which can occur whenever users can’t complete an action, including with false positives. Since we can use their email address or phone number to look them up each step of the way, we do not need to introduce cumbersome and unpleasant steps such as biometrics, additional factors, or phone confirmation unless said user/action is deemed to be high risk.
How to Automate OSINT to Reveal Users’ True Intentions
We can take things further in terms of data enrichment with an OSINT tool such as Have I Been Pwned?, which finds email addresses in data leaks, or SEON’s reverse email lookup tool. Simply put, this entails starting with a sizeable set of primary data and enriching it by having the software comb through databases and source relevant information, and adding useful new attributes to the primary data. All of this allows us to draw better conclusions without going through the time-consuming task of doing OSINT research manually.
What form does this take? In fraud prevention, it can mean searching the internet for dozens of different data points linked to the email address of a new sign-up at an ecommerce store or a new neobank account holder. Then, the findings are collated and used in conjunction with other information (e.g., geolocation, behavior analysis and fingerprinting) in order to assign each user a risk profile and rating. From there, this can automatically trigger certain steps, like hard know-your-customer (KYC) checks and procedures — as Rainbird explains in a guide — or be examined by a fraud analyst as part of the manual review process.
The resulting process does not disrupt the user experience or shopper journey for your legitimate users. It takes advantage of ever-growing repositories of data and can scale up and out, improving with each version. In the world of fraud detection and prevention, OSINT-powered lookup and data enrichment is a valuable addition to our arsenal for myriad reasons, including how fraudsters do not have the time to create a complete online persona for their fake and synthetic identities. The more carefully we look into these identities using OSINT, the easier it is to see they don’t represent a real person.
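As an added illustration (not SEON’s product or code from the original post), the following Python sketch scores a sign-up email using the two signals from the worked example above (social footprint and earliest breach date as a lower bound on how long the address has existed) and maps the score to the actions the automation section describes. The social and breach lookups are constructed in-memory tables standing in for real enrichment queries, and the weights and thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed enrichment results standing in for real lookups
# (social-network searches, breach databases). Not a real API.
SOCIAL_PROFILES = {
    "alice@example.com": {"twitter", "facebook"},
    "bob@example.com": {"instagram"},
}
BREACHES = {
    "alice@example.com": [("SampleBreach", date(2016, 5, 1)),
                          ("OtherLeak", date(2019, 3, 9))],
    "bob@example.com": [("RecentDump", date(2020, 11, 15))],
}

@dataclass
class Enrichment:
    email: str
    social_count: int
    first_seen: Optional[date]  # earliest breach date: address existed at least since then

def enrich(email: str) -> Enrichment:
    """Collate the OSINT signals for one address into a record."""
    profiles = SOCIAL_PROFILES.get(email.lower(), set())
    breaches = BREACHES.get(email.lower(), [])
    first_seen = min((d for _, d in breaches), default=None)
    return Enrichment(email, len(profiles), first_seen)

def risk_score(e: Enrichment, today: date = date(2021, 1, 1)) -> int:
    """Assumed weights: no footprint and no breach history are the red flags."""
    score = 0
    if e.social_count == 0:
        score += 40       # no social profile linked to the address
    elif e.social_count == 1:
        score += 15       # thin footprint, weaker signal
    if e.first_seen is None:
        score += 40       # never seen in a breach: no evidence it predates sign-up
    elif (today - e.first_seen).days < 180:
        score += 20       # only recently observed in the wild
    return score

def decision(score: int) -> str:
    """Map the rating to the actions from the article (assumed thresholds)."""
    if score >= 70:
        return "step_up"        # phone confirmation or proof-of-ID upload
    if score >= 30:
        return "manual_review"  # hand to a fraud analyst
    return "approve"            # legitimate user, no added friction
```

A fresh free-mail address with no footprint scores 80 and gets stepped up, while an established address with several profiles and an old breach scores 0 and passes without friction.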
Final Thoughts on Why OSINT Works for Greater Security and Fraud Prevention
Part of the reason using social and online signals to assess shoppers’ intentions is so effective is that fraudsters are not as well prepared to clear this security hurdle as other obstacles. They might use a mobile proxy to circumvent IP analysis modules and geolocation bans. They also hide behind other tools to avoid getting caught.
The process of creating a completely convincing online persona that would fool OSINT data enrichment is often:
- Too difficult for fraudsters to automate, and
- Too time consuming to give them a return on their investment.
Data is wealth, and OSINT sources are getting richer and richer as more processes around the world become digitized. This is true even in developing countries as the economy becomes more global. It’s in our hands to devise and utilize the methods that can make the best use of this OSINT data. After all, this information is out there and it’s openly available to everyone.