What Do Observational Skills Encompass?

The following scenarios give you some examples of how observational skills can be used in the real world.

What Can You Do to Teach Yourself These Skills?

This topic is hard to cover in a short section in a book. Each person has natural ability as well as learned ability that can make learning these skills really easy or very difficult. Because I don't know you personally, all I can do here is tell you what I did to try and enhance my skills.

I would play a game that was along the lines of Capture the Flag. If I was entering a building—let's say a doctor's office—I would say to myself, “The flags are to remember the first two people I see, what color shirts they are wearing, and what magazine they are reading or what they are doing.”

I would set some boundaries like these:

• They can't be the service-related folks behind the counter.
• I had to still go about my task of checking in and couldn't pause or deviate from that.
• I couldn't write anything down.

Then I would enter the building, observe what I saw, and try my hardest to remember it until I left the building. It would go something like this:

• Older woman sitting to left in blue shirt reading Woman's Day magazine
• Young child, male, striped T-shirt, playing with blocks on the floor

I would make a note of each of these things in my mind and try my hardest to remember them. I used little memory tricks, such as saying something to myself a couple times to try and embed it in my mind.

When I felt that I could make mental notes like this without having to think too hard, I would add some layers of complexity. Eventually, my flags list looked like this:

• Gender of X number of people
• What they were wearing
• What activities the people were engaged in when I first sighted them
• Perceived communication profile (more on this in Chapter 3, “Profiling People Through Communication”)
• Body-language tells

From this, I would try to build a story in my head of why they were at the location I was at, and use the details in the story to remember them.

Honestly, this worked so well—even with my bad memory—that I can remember one office I walked into three or four years ago where I saw two women in black skirts and white button-up tops reading something on an iPad. The woman on the left did not seem to like the woman on the right, but she tolerated her, or she had somewhere else to be. I could discern these things because the woman's hips were fully bladed away from the woman on the right.

There was a man behind a counter with a security suit on—black suit, white shirt, black tie. He had a gold watch on his right wrist, which indicated he was left-handed. His hair was neat, and he had a well-trimmed beard. He was writing on a notepad with a pen. He was observant of me as well as the lobby.

There was a young man waiting in chairs in front of the counter. He was looking at a newspaper, but it appeared to me that he was faking reading. He was staring into space, and the edges of the paper were shaking. I fabricated a story that he was there for an interview and was nervous but was trying to look calm and distract himself with a paper.

It is almost as if I can see that lobby now in my mind. These little observations go a long way toward helping you achieve your goals as a social engineer. My suggestion is to look for your own weaknesses, and then start small and build up. It is important to really get the point that you must practice. Too often, I see people wanting to achieve something 100% right away, but it takes time.

Failure can teach us way more than success if we let it—which is why I need to talk about expectations.

What Should You Expect to Reap?

In the book Unmasking the Social Engineer, which I coauthored with Dr. Paul Ekman, I focused solely on nonverbal cues: body language and facial expressions. When I started learning how to first notice and then decipher these expressions, I felt like some kind of mind-reading superhero. I could look at a face and see emotions that the person was trying to hide, and then I blended that with body language and other actions to almost predetermine how they would react to questions or situations. The crazy part is that I found that my predictions were right more than 50% of the time. Therein began the problem. Let's say I was right 75% of the time. That means I was wrong 25%. In addition to that, it affected my perceived ability, and I felt that I could see more, understand more, and therefore SE more than I really could.

One of my most humbling lessons came from working with Dr. Ekman, who has corrected me time and time again. He said, “Chris, just because you can see the what doesn't mean you know the why.”

Before I discuss expectations, I feel it's important for you to hear this repeatedly: Just because you can see the what doesn't mean that you automatically know the why. How can you make that connection between the what and the why? There are a few ways: questions, more information, and longer observation.

Here's an example: I was teaching a class, and I was talking about a social engineering story from my experience. One student suddenly got an angry look on his face. His body language shifted from being open to closed. With arms folded, he leaned back in his chair and his legs jutted out. I perceived that he was not believing what I was saying, and I began to give him more personal attention. Doing so did not seem to fix his lack of belief, and he drew back. After a few minutes, he excused himself and left the class.

I was dumbfounded. I did everything right. Why was he still mad at me?

Shortly after that, we took a break. I was walking toward the restroom, thinking about this and how I could “fix” it. The student approached me and said, “Hey, I'm really sorry I left. My boss texted me in the middle of class and said we have an emergency at work. I tried to tell him I couldn't do anything because I was in class, but he ordered me to leave and be on this ridiculous conference call. Can I make up the lesson I missed?”

I literally started laughing, which I had to explain quickly, but I told him how I misinterpreted all that I saw. I could hear Dr. Ekman in my head: “Chris, what have I told you before?” It was a great lesson for me in causality.

The same is true about OSINT and observation. Don't assume that the things I am about to show you are all the results of the “stupidity of humans.” I prefer to think that people simply are uneducated to the potential dangers rather than being blatantly stupid.

Take a quick look at the picture in Figure 2-2, and make a mental note of what you observe.

Thinking like a social engineer, what do you see in this picture that could help you profile the driver of this car? Figure 2-3 is a zoomed-in version that might help.

The right side has a breast cancer support sticker. The left contains a Kids Wish Network Support sticker. Then there is a sticker that says “10-20-Life.” I had no clue what this was for, so I did a quick Internet search and found that it is a sticker supporting stricter sentences for those who commit crimes using firearms.

What do these stickers tell you about this person? That they support charities and which ones are important to them. Could this be because they or a family member suffered from cancer or childhood sickness? Also, they feel strongly about gun laws and gun crimes. Could this be because they were a victim or know a victim of gun crimes?

Armed with these pieces of information, do you think could strike up an elicitation conversation?

Be careful! Too many times I have students who will blurt out, “We will discuss gun laws and why they are wrong,” or something to that effect. But think about how hard it would be to convert you from one belief to another during a conversation. This person will be no different. Blend that with your goal—to have the target not thinking—and remember that you want to converse about their interests, not yours. I explain more about this in Chapter 7, “I Didn't Even Ask You for That,” when I discuss elicitation.

Now take a look at Figure 2-4.

What do you notice here? What could you observe as a social engineer? Think of the slight details in this one simple picture:

• You can see the type of work environment.
• You can see the operating system the person uses.
• You can notice what type of tablet the person has.
• You can see the person is a fan of a certain sitcom.
• Can you notice the browser they use and mail client, too?
• Do you notice a sign that might indicate some other details about the person?
• What other details can you pick out?

This is just a cursory list; there may be much more that you picked out. Based on this, could you develop enough of a profile to work up one or two phishing emails that would trigger an emotional response?

Sometimes, however, a picture or even an in-person interaction is not enough. This is where technical OSINT can bridge that gap.

Social Media

No chapter on OSINT would be complete without at least a cursory mention of the topic of social media. What is odd is that I can remember a time when reading your sister's diary would have resulted in multiple beatings. Now, personal diaries are not only online, but it's an insult if you don't read them, comment on them, and like them.

Social media is basically part of our everyday existence, and it is here to stay.

Here are some statistics that will put this into order for us, according to We Are Social (https://wearesocial.com/special-reports/digital-in-2017-global-overview). As of January 2017:

• The world population was 7.476 billion.
• Internet users totaled 3.773 billion.
• There were 2.789 billion active social media users.
• There were 4.917 billion unique mobile users.
• There were 2.549 billion active mobile social media users.

This is important for you, as a social engineer, to understand. Let's consider some of the top social media platforms:

• LinkedIn With over 106 million users, LinkedIn tells a person the following things:
  • Your job history
  • Where you got your education
  • Where you went to high school
  • Clubs and academic achievements you're involved in
  • People who endorse your skills
• Facebook With its more than 1.8 billion users, Facebook tells a person the following things:
  • Your favorite music
  • Your favorite movies
  • Clubs you belong to
  • Your friends
  • Your family
  • Vacations you've taken
  • Your favorite foods
  • Places you've lived
  • Much, much more
• Twitter With its 317 million users, Twitter tells a person the following things:
  • What you are doing right now
  • Your eating habits
  • Your geolocation
  • Your emotional state (within 280 characters)

I could go on, but you get the idea. Just those three social media applications provide a ton of information for you to discover about your targets. I dare say you can build a pretty comprehensive profile on your target from this.

Evaluating a person based on social media should not be confused with developing an actual psychological profile. As the Fun Fact mentions, there are people who communicate one way online and another in person. Even though that is true, social media is still valuable for a social engineer because many attacks occur based on the “online” personality and learning how to communicate with that aspect of the target can lead to a breach.

With hundreds of social media platforms and billions of people using them, social media is a treasure trove of data for social engineers. One of the best ways to rip information from social media platforms is by using search engines, which is the topic of the next section.

Search Engines

The Internet is constantly changing, including new and improved ways of finding information in its yottabytes of cached data. Those constant changes can be a strength for most people, but they can also become a weakness for social engineers because a search engine that works today may not work tomorrow.

I remember when Spokeo first came out. I used it almost daily. It was an amazing source of great information. As its popularity grew, so did the number of ads. Then came the request to pay for information, and then information that was not as reliable seemed to pop up all too often.

Now, I'm not saying that Spokeo has nothing useful, but as a professional social engineer, my time is money. And if I must use another source to verify every fact I get, it can cost me a job.

In my first book, and many subsequent books after, I have found that including lists of tools is kind of useless to the reader. A few things often occur:

• The day the book is released, the tools are outdated and the ideas I gave the readers are old.
• New and better tools come along.
• A combination of the first two things.

Instead of giving you a list of websites and tools, I want to walk you through performing OSINT on a target. Yes, I will mention websites and tools that I use, but the focus will be more on how to think through this aspect of being a social engineer.

Our target is my good friend Nick Furneaux (let's hope he stays my good friend after this book comes out). It should be noted: there is no ill will toward Nick. I'm merely using him to show that even for a very aware, very alert, and very security-conscious person, the Internet holds secrets for those who know how to ask.

d0xing the Furneaux

So, what does it mean to d0x someone? The word d0x is a hacker term that means to work up a document on a target containing details about the target's personal life. Those details are often used to further attack the target, humiliate them, or perpetrate other crimes.

None of those are the goals here. I'm just showing you the power of OSINT and how it can be used. Often, I start at the doors of pipl.com.

Pipl (pronounced people) is a site I describe as what would happen if the White Pages and social media scraped sites and had a baby. What is great about this site is that you can search for a name, a user name, a nickname, or other details you may have about your target.

Just looking at the web quickly tells us that Nick's Twitter account is nickfx. Let's see what we can find by using pipl.com with that nickname. Take a look at Figure 2-5.

With just a quick glance, we can see the first picture brought up the right “Nick,” and only four lines down, we see Nick Furneaux associated with Chris H (I wonder who that is) and a whole new user name.

Before we get to that, let's see what happens when I click the picture that we know to be Nick. The result is shown in Figure 2-6.

With one simple click, we can see confirmation that we have the right guy as well as his location. OSINT! We know where he lives.

Now, back up one page in the results, and click that fourth link down. What does that reveal? Take a look at Figure 2-7.

We have some great OSINT here, don't we? A Facebook page and a hobby we didn't previously know that Nick had. He is a snowboarder. And he must really like that Chris H character; he seems to be everywhere.

When I click the Facebook link, I'm greeted with even more OSINT!

• He lives in Bristol, UK.
• I can see a list of friends.
• I've found a new username: nick.furneaux.1.

When I head back to pipl.com and enter just his name and his known location of Bristol, England, I get even more details about him:

• Previous employment
• LinkedIn profile
• Yet another username
• Where he went to school

With a handful of clicks, I have a decent amount of information on Nick that would definitely be useful in developing a profile on him. Can I get more information?

Next, I jump over to a site called webmii.com. The whole goal of WebMii is to help you see people's online visibility. Running a search there for “Nick Furneaux” returns the results you see in Figure 2-8.

Right away, I notice a few things: Nick's visibility score is 4.22 (which isn't that high because it's out of 10). But clicking on that shows us when in time he was most visible (see Figure 2-9). As an OSINTer, the times when Nick was most popular would pique my interest—I want to find out what was going on in his life at those times.

Going back to the image shown in Figure 2-8, there are some other pieces of data to be gleaned:

• The first image links to Twitter.
• The third image links to a podcast where Nick was interviewed. It is The Social-Engineer Podcast, and I hear it is really amazing (another shameless plug).
• Many of the other images link to Canadian LinkedIn pages that don't pertain to the Nick Furneaux we're interested in.
• The fifth image is weird: a young man in some kind of animal onesie. What is that?

Clicking that fifth link takes me to a music video made by a company called AFB Productions. When I click the More button, I see what's shown in Figure 2-10.

The video appears to have been made by a chap named Toby Furneaux (same last name!), and the driver in the video is none other than Nick Furneaux. Of course, this discovery opens another rabbit hole of digging into who this Toby is and what AFB is all about. It doesn't take long (just two or three clicks) to realize that Toby is Nick's son, and he runs a small production company called Any Future Box (AFB for short).

A good OSINTer would include all of this detail in their info because family members (especially a target's children) are often great resources for attack vectors.

Refer to Figure 2-8 again. That picture of Nick has been in a few places that I stumbled upon. This picture might lead to more resources, so I grab the actual URL of that picture and load it into a reverse image search, which you can do by following these steps:

1. Right-click on the image.
2. Click View the Image.
3. Right-click again, and then click Copy Image Location.
4. Go to www.google.com and click Images.
5. Click Paste Image by URL, and paste in the URL of the image that you copied in step 3.

You should see a page that looks like Figure 2-11.

In addition to seeing that he uses this same headshot a lot, I uncovered that Nick has a Blogspot page and wrote on a forensics page too. When I follow the link for the forensics page, I find an interview of Nick from a few years ago, and that interview ends with his email and his website URL.

When I do a quick WHOIS lookup of Nick's website domain name, it reveals what you see in Figure 2-12.

Nick has had this website for a long time, and it's not expiring any time soon. Interestingly (and intelligently), Nick has his domain privatized. That means there is no info on the record; just his company name, which we already know, and that he is an individual in the UK.

The type of information-gathering I just walked you through is very common in the world of a social engineer. Think about why this is so. With very few clicks, I was able to uncover quite a bit of useful information on a target.

Granted, I didn't find a link to all of Nick's passwords or his private photos (thank God for that), but I did find enough information to really help if I wanted to attack Nick with a phishing or vishing attack.

Is that it, though? Absolutely not. Entering the ring is the heavy-weight champion of the world when it comes to OSINT.

Enter the Google

Google. The word alone should make a social engineer giggle with happiness. Okay, okay—that mental picture is pretty disturbing. So maybe put the idea of giggling aside and think of it more like a silent smirk of knowledge-filled happiness.

Why? Google is like an all-knowing oracle. She knows all the things you ever did, stores them, and even caches them if you try to delete them (you know, for safekeeping).

With all this power, and trillions of indexed web pages, how can one little ol' social engineer find the tiny bits of data he or she needs? Before I can answer that, I need to give you a quick explanation of how Google (or any search engine, really) works.

Search Engine Mysteries Revealed!

There really is no mystery revealed in this section. The title is misleading. You probably already understand how search engines work, but on the off chance that you don't, here is a very quick and easy explanation of it.

Search engines use little pieces of code called spiders. Spiders “crawl” (I don't make this stuff up) through every web page on the open web and cache what they are allowed to access. There are certain files, like robots.txt, that stop a spider from indexing certain areas, but most other areas are indexed and cached.

That cache is put into a database, which, when you enter a search term in the search box, provides results like you see in Figure 2-13.

Let me point out a few key things in Figure 2-13. First, the search returned 105,000 results in .59 seconds. How can it search 30 trillion web pages in .59 seconds? Remember, these pages have been cached in a database, which allows for blazing-fast speeds in searching.

Scraping 105,000 web pages would be not only improbable but, most likely, impossible. So, let me tell you about operators.

Limiting for the Win

When I interrupted my search for info about Nick Furneaux earlier in this chapter, I was on my way to creating a nice little profile about him. Can Google either reconfirm my findings or give even more information?

I had found some information like his name and a nickname he uses on at least one social media outlet. What if I search for those two together to see what could be found? Typing intext:"Nick Furneaux" intext:nickfx into the Google search box will result in what's shown in Figure 2-14.

In less than one second, I have a solid 206 results on the target. One of the features of searching on Google is being able to see images related to your search. Clicking the More Images For link can show you some interesting results. In this case, the images can take me to pages that talk about Nick.

But I already know a lot of this information about Nick, so let's see what else I can find. I change the search term to intext:"Nick Furneaux" intext:UK. The results are shown in Figure 2-15.

The first result tells me he is training in a town called Bristol. The last result provides the name of a company that Nick might still be a part as well as his full date of birth and even an address in—you guessed it—Bristol.

The page also includes a list of family or friends that he might be working with at that company. It's a treasure trove of information.

Changing the “UK” in the previous search to “Bristol” will lead us to information such as his postal code and even some names of other family members that might be living with him.

Here's one last example before I move on. What do you think would be the first result if you performed the following Google search?

intext:"Nick Furneaux" site:linkedin.com intext:Bristol

The first result I got when I did this search was Nick's LinkedIn page. Using the Google operators, you can add little bits of information you get from your previous searches to keep homing in until you find the exact piece you need.

I want to show you more about the power of Google, but since Nick is still my friend (or at least he was the last time I checked), I'm going to move the focus away from him and on to general searches.

But It Says “Private” Right in the Title

Have you heard of RSA private keys? An RSA key is a key that is based on a proprietary algorithm. It comes in two parts: the public key, which helps identify it, and the private key, which unlocks the kingdom.

According to this definition, RSA private keys are used to establish a secure connection.

So, you would think that if you searched for RSA private keys, you would find none, right? But using the following search

BEGIN (CERTIFICATE|DSA|RSA) filetype:key

gives you more than 3,000 results, as shown in Figure 2-16.

But It's Marked Confidential

Often, government entities mark documents with certain classifications to indicate whether the general public should see them. Markings like “CLASSIFIED” and “TOP SECRET” usually indicate that the documents aren't for general consumption. You would assume that you can't find any of those online. (You know what they say about people who assume …)

But since I like living life outside prison walls, let's say we just want to see if there are any documents with passwords, which should be confidential, right?

What if I searched for site:gov.ir intext:password filetype:xls? This should limit my search to any gov.ir domain and look for only XLS files with the word password in them. The results are shown in Figure 2-17.

Hmm, that doesn't seem right. Why would a document in an Iraqi government server have the English word password in it? Ah, but what if I use the translate.google.com site to translate the word password into Persian? Does it help? Figure 2-18 shows the result.

The power of Google is truly shown here. I didn't need to know Persian or even search in Persian. I just had to tell it to look for that word, and I was able to find documents.

Webcams: It's Time to Stop Dancing in Your Underwear

There was a boom in the desire for people to have webcams hooked up in their homes. People used them for monitoring their children, babysitters, and pets; for security; and more.

Many of these cameras were sold with default settings that left them vulnerable and wide open. Sometimes the software sold with the cameras also left a lot to be desired. Easy for the user? Yes. But also easy for attackers.

One such software was webcamXP. As indicated by its name, it was made to run on Windows XP, Vista, 7, 8, 9, 10, Server 2003, 2008, and 2012. According to its website, the software's last update was in 2016. With that in mind it should not be too popular today, so you would imagine that searching for these now would not give you too much, right?

Right?!

So, I searched for intitle:"Webcam 7" inurl:8080 -intext:8080, and Figure 2-19 shows the result.

Granted, many of these webcams are intended to be online and are meant for the public to see. They're streaming traffic scenes or waterfronts and other areas. But there are people who set up webcams for personal use and leave them open in their yards or homes. The point is that if these webcams are not properly secured, any person with a little skill may be watching you, and you won’t even know.

Other Sources of Intel

Usually when I get to this point, people react with a mixture of horror and curiosity about what else you can turn up with a Google search. I don't want to list every Google search I have done, but I can tell you some of the things that I have easily uncovered using only Google searches:

• A webcam of some guy watching his marijuana plants grow
• People's private photos from their phones
• People's shared music and movie directories
• Documents containing full passwords, dates of birth, and Social Security numbers
• Thousands of credit card numbers in files
• Fully open SQL databases loaded with info
• Open access to traffic cams
• Open access to power grids and control systems
• A number of child pornography drop spots

The list can go on and on.

Robots Are Cool

When I was a kid, I wanted a robot so bad. I thought R2D2 would be my best friend if I could get one. In this case, I'm not talking about that type of robots. I'm referring to robots.txt files.

What is a robots.txt file? It's a file that website owners use to tell the spiders or robots that crawl and scrape the sites what is and isn't allowable. For example, it's not uncommon to see Disallow statements in a robots.txt file, which indicates that robots aren't allowed to cache that folder. For example, Figure 2-20 is the robots.txt file for whitehouse.gov.

Now think like a social engineer for a second. What does the file in Figure 2-20 tell you?

You can see what directories exist, but you can also see which directories they don't want you to access—or that they don't want Google to cache.

In addition, files like mysql or pgpsql give indicators of the type of tech used on the site in its creation.

Now, if this was an actual target (which it is not—I repeat, it is not), we would go to each of those directories to make sure it was appropriately configured and not allowing us in without authorization. We would check out those logs and files, if they're accessible, to see if there was anything misconfigured in the servers.

I once did a job for a medium-sized company. It was the rare “do all you can do and see what you can find, then attack us with no gloves on” type of test. I started with a bit of OSINT and some Google searching, and I found in their robots.txt file that they had a Disallow statement on a directory called admin.

Just to check it, I typed www.company.com/admin, and to my shock, I was let in with no credentials! The directory contained the CEO's private file repository, and it appeared that he used this to share files he would need when traveling. It contained included contracts, banking data, a picture of his passport, and numerous other sensitive details.

I found a contract that had been signed within the past couple of days. I bought a domain that was one or two characters off of the real company name, set up an email for the person who signed the contract, and phished the CEO with a malicious file and an email that stated: “I am not sure if I replied with the fully signed contract, but there is a question on section 14.1a. Can you please see it inside and let me know?”

Within 15 minutes, the CEO had the email, opened it, and was compromised. He was then emailing the fake address, saying that the contract would not open, and it just kept crashing. The penetration test (aka pen test), which was supposed to take a week, was over in about three hours.

I called the CEO, and our conversation went something like this:

I then explained every detail to him, and he realized quickly what had occurred. This particular pen test was won largely due to a robots.txt file and a misconfigured directory.

It's All About the Meta, Baby

According to the Oxford Dictionary, meta is defined as “referring to itself or to the conventions of its genre; self-referential.” So, metadata is literally data about data. Very inception-esque, no?

Let me explain it more simply. Metadata is information about an artifact that you find in a search. Many times, that data provides some pretty interesting facts—many that might not have been put there intentionally.

Let's say I do a very benign Google search to find .doc files that contain information about passwords. I come upon this little document called FinalPasswordPolicy. What will the metadata reveal? Take a look at Figure 2-21.

This metadata gives us the date and time it was made, the last person who saved it, the author's name/title, how many revisions the file has been through, and some other information I'm not mentioning here. You might be thinking, “So what?”

Well, just the name and the type of document that something is can be huge pieces of intel for a social engineer. Think of this: What if a social engineer were to find a new HR policy you just released? The metadata reveals when the policy was last revised (in this case, it wasn't even a month old), who wrote it, and when it was released. Of course, the policy info is in the document, too. Do you think a phishing email that seems to come from the person who wrote the policy and seemingly includes an update to the policy would get a few clicks?

Have a look at Figure 2-22.

At first, you again might be thinking, “Okay. So, are we gonna phish this guy with a coupon for hot sauce?” No. But take a look at the metadata, which is shown in Figure 2-23.

When you find a seemingly innocuous photo online, the metadata gives you information on the type of camera, the date, the time, and the GPS coordinates of where it was taken. When you put those coordinates into Google Maps … well, look at Figure 2-24.

The map shows the parking lot of Pepe's restaurant, which just happens to be a pretty large user of that brand of hot sauce.

So, a guy used his smartphone to take a picture. His smartphone had GPS turned on and did not block the camera app from embedding all that metadata in the back end of the photo file. When he uploaded the picture to his social media, the file contained all this information, so it was also released to the world.

Can you see the implications yet? Imagine it's not your buddy you're eating dinner with, but one of the following:

• The CEO of a large utility company who is being targeted by a nation-state attack
• The secretary of a billionaire who has information on his banks and transfer authority
• Your 15-year-old daughter taking naughty pictures of herself

Now can you see the implications? No matter which scenario you thought of, this easily accessible information gets dangerous quickly.

I worked one job with my team in which we had been tasked to perform OSINT and then attack a high-level target in the defense space. The goal was not to compromise the man, but to test his level of willingness to take an action he should not take. For educational purposes, we were to record any calls made and any click-throughs.

Light OSINT led us to his social media pages. We hit pay dirt when we found out he was a prolific tweeter, and he loved to use his brand-new iPhone with GPS turned on. Why is this so important? Twitter allowed us to graph out his location throughout the day as he tweeted from every location he went to. In a matter of a few hours, we knew the following things:

• His favorite place to stop for coffee every morning
• The gym he went to before he went home
• Two of his favorite restaurants
• His home address
• How much he hated city traffic

There was much more OSINT, but the info in the preceding list came to be crucial in our attacks. First, we found a domain that was basically one letter different from his gym's domain. We set up a quick email that told him we were updating all accounts, and his credit card info was no longer valid. We asked him to “log in to enter his credit card info now,” which prompted him to click through very quickly.

Knowing the page was going to 404 out, we waited until we saw the click, and then we called him on the phone. The conversation went something like this:

This attack worked because it hit topics familiar to him, and it was believable. With just a little OSINT, one phish, and one call, we had a click, a credit card number, and another five vectors prepared in case we needed them.

Metadata is powerful and very useful to a social engineer, so I suggest that you make sure to check it on every file you obtain during OSINT.

This can be daunting, especially when you're dealing with a large number of files. I personally like to use tools like FOCA (www.elevenpaths.com/labstools/foca/index.html) and Maltego (www.paterva.com/web7) to make this job easier.

Although I promised to not get too deep into any tools in this book, I feel it is imperative to at least briefly cover these and two other useful tools, which I will do in the next section.