OSINT blog: Reunion in Scotland

-

 


The Beer Farmers recently issued a geo-location OSINT challenge with a mystery prize for the first person to find them. Under time pressure, I put my OSINT skills to the test to see how difficult it would be to find them. 

I examined the image closely, looking for any clues. The first thing I think everyone would have immediately noticed was the large greek-style columns behind Mike and Sean. These would come in handy later when roaming the streets on Google Maps. The second thing I noticed was a backwards JD Sports logo (a highstreet clothing brand in the UK). Therefore, I realised the image was flipped horizontally, so I flipped it back:


The task was then to locate which JD Sports this was going to be. Judging by the number of JD Sports shops in the UK, this felt like it was going to take forever. So I had to come up with a way to narrow down my searches.


Full disclosure - I have known Sean and Mike for over a year now through InfoSec Happy Hour and Twitter (still waiting to meet IRL!) so, I do know some facts about them. I know Sean lives in Scotland, Mike lives in Manchester and that BSides Newcastle is on - which I thought they may have been attending (or not - didn't check). I then went and looked at all of the JD Sports at these locations. After checking probably about ~30 JD Sports shops around these locations I finally found on that looked like a match - linked here


Venturing down into Streat View on Google Maps, I was able to confirm that this was the correct JD Sports and this was where Sean and Mike were standing. The columns, the buildings, and other attributes in Street View lined up with the image shared to Twitter - linked here

Lesson here is that, as always, don't post pictures to social media in places you don't want everyone in the world to know where you are. Think: OPSEC.


Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-sprea...
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to t...
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on ...
Read more