WeChat, IMO and OSINT

(First Published on Medium February 2020)

Further to my recent blog post on how we can leverage messenger apps for OSINT, I mentioned two apps that needed further examination: WeChat and IMO. The below goes above and beyond entering a subject's mobile number which you want to research, but it will give you a taster of what you can find.

Within the UK we have communities that are culturally diverse who have international heritage. This I’m sure will be replicated within Western Europe and the US too. It is important as an OSINT investigator in that case to look beyond the popular Western apps such as WhatsApp.

WeChat is enormously popular in China with over 1.132 billion monthly active users. A figure I found from 2016 suggested that WeChat is used by 70 million people outside of China too.

IMO isn’t as popular but boasts in the region of 200 million users as of 2018. From the research I carried out on the app, it appears popular in the Middle East, Pakistan & India.

Now both these apps appear not to have the same privacy considerations as other more popular messaging apps. This may be down to a different cultural attitude towards privacy. From the articles I have read, certainly the Chinese Government appears to have an amount of influence in relation to WeChat. I mentioned previously I was having issues with the desktop client; this I believe is down to the use of a VPN and other OpSec measures deployed.

WeChat is China’s version of Facebook, plus more. It has search bar functionality, and you can use it to buy items in a similar way to Apple Pay or Google Pay. I’ll stop there.

So moving on, within the WeChat Discover menu you will see people who are near your location. I tested this feature at a venue I went to recently and it was showing people within 100 metres of my location. (I haven’t tested its accuracy.)

The following information was obtained using Paris as my location. Someone appeared to be within 600 metres of my location; however, they do not appear to be a Parisian. In essence, when you create your WeChat account you select the Region you are from. This person was from the city of Fuzhou in the Fujian Province of China.

The “What’s Up” field is an area where you can add pretty much anything you like. In this case a mobile number appears to have been entered which has a French prefix. (Maybe a tourist who has purchased a French mobile for their trip.)

Now to protect this person’s privacy I won’t include any screenshots etc., but what I can tell you is that there was a name and profile picture. WeChat has a Moments page on a user profile, similar if you will to Facebook’s Timeline. On the 24th November 2019 this user had posted a picture of themselves with the backdrop of a coastline.

So we have a location, profile picture, name, mobile number and recently visited location, which could be reverse image searched, all within about 5 minutes.

IMO will show you in the Explore menu who is presently Online, Nearby Groups and also a Live option, which allows you to stream live. When I tested this on a burner iPhone the Live option wasn’t available. Within the Live menu you have Recommend, Nearby, Language & Country.

These Explore options are nowhere near as granular as WeChat. So for instance the “Nearby Group” option returns groups quite a distance away, probably reflected in the fact that this app is not as popular as WeChat.

The “Who is presently online” option will allow you to send a “Wave” to anyone and they can also send you a wave back. Once you accept a wave you can start chatting. You do not have to send a “Wave” to see their profile information.

From an OSINT perspective it allows you access to their profile picture and any other bio information they may have on show. You will obtain the name that they have given themselves too as is the same with WeChat. Something to note, you can see people who have visited you in your profile settings so it goes without saying that your subject will be able to see your visits too.

So I looked at someone who was online; the following information came from the first person on the list.

Name, profile picture, the city in the UK where they lived, their employment status, current relationship status as well as what may have been a picture of their living room. Clearly from an OSINT perspective there are opportunities to explore from what has been found.

Now the purpose of this blog is to highlight the potential for OSINT if we look outside of the traditional messaging apps that we associate with the West and to give a little bit of an insight on what can be found. If you want to use this blog to improve your privacy, then that’s cool too.

Disclaimer: before attempting to use any of these apps please think of your OpSec and do not use any device that is linked to you personally. What you discover will be dictated by the privacy settings of the other users.

Also a little clarity in relation to the use of an emulator, one article I read in relation to WeChat stated that if WeChat detected the use of an emulator they would suspend your account.

In my next blog I will write about the setup I used to conduct the research into the messenger apps.

My Journey Into The World of OSINT

(First Published on Medium February 2020)

My journey into the world of OSINT is now just over one year old. OSINT is not the main area of my work, I don’t get to learn or practice anywhere near as much as I would like but it is certainly the work I enjoy the most.

Following on from my previous blogs in relation to leveraging messaging apps for OSINT, I thought I would share how I conducted the research.

I’m still working on the project which I hope will help me increase my research potential in relation to mobile (cell) phone numbers and email addresses. Most of what I will write about can be done using free resources. It isn’t overly technical and it’s something I thought I would share for those like me who are still learning. There are many tutorials also available to assist with how to leverage the apps I am going to talk about.

The problem was how can I research mobile numbers and email addresses without relying upon the use of sites that require payment. Everything that happened in the summer of 2019 appears to have focused people’s attention on creating their own OSINT tools. So what could I do with the platforms that people use every day?

My first consideration as always is operational security. I won’t write about that as this would then become a lengthy article. Needless to say @dutch_osintguy has this covered for us with some great articles.

Next up is a sock puppet, @technisette and @jakecreps have some very good articles. My sock would only be used on this setup.

One part of my operational security was the use of a Virtual Machine to host what was going to be my OSINT setup. There are free flavours from both VMware & VirtualBox. My VM was going to be completely separate from any other OSINT VMs I have created and I was going to use a clean install of Windows 10. Next up was procuring myself an old Android phone. Family and friends are always upgrading phones so it wasn’t too hard getting my hands on one for free.

The phone was then factory reset and would only be used alongside my new VM. Setting the Android up is solely for the purposes of leveraging social media apps and messenger apps. You can use Wi-Fi (with VPN) to download the apps but you will need a SIM for verification purposes. In the UK a SIM will set you back £1 but you can pick them up for as little as a penny.

Needless to say this is an ongoing project which can be expanded upon; however, the apps I started off with were the usual suspects, you may say, but I did expand it to include less well-known apps.

Next up was replicating this on my VM, so downloading the desktop applications.

Desktop Clients

You will see on the left-hand side the desktop applications available for the messaging apps from my previous blog. In the Bookmarks you will see which website applications are in use.

This way I can link these apps to my Android phone and enjoy the desktop experience. Then you can use the websites for the other social media sites. I also find that this is an easier setup for functionality, flexibility, recording and evidencing what I do.

You may have wondered why Android. (People don’t seem to mind giving you old ones, which is a starter.) You can use an iPhone, which I have done too; however, the next part of the setup is not Apple friendly: the use of Vysor. Vysor is a clever little application that enables you to control your smartphone from your computer as if it were just another window via a Chrome extension or desktop app. There is a free version of Vysor too, bonus! The paid version is better though, which you would expect. You could in fact not use Vysor at all and rely on the desktop environment you have created, or you could just use Vysor full stop.

If you don’t like the idea of Android then cool, go with an Apple iPhone without using Vysor. You can still mirror iPhones on to your desktop; you just can’t control them using your mouse and keyboard like you can with Vysor. The above setup takes a little longer to set up than an emulator but I find it is easier and seamless to work with. The benefits are numerous, including the ability to seamlessly copy a profile picture and reverse image search it.

Now before I go any further I think it is important that we understand the risks of using any app to do our research. Truecaller for example will suck up your contacts as that is what their business is. So you have to be very careful and decide on a case by case basis whether you want your subject’s mobile number / email being harvested by all these companies. Privacy policies are boring but an essential read.

Disclaimer: in everything we do, the results are dependent upon our subject’s own OpSec and privacy settings.

On WhatsApp our luck is in and our subject has not bothered about their privacy. We have a nice profile picture that we can do a reverse image search on and see where else on the web they appear. The bonus of having the desktop application is you can access the full profile picture and save it straight to your VM. Last Seen is another nice touch: if you are keeping tabs on them you can watch when they are using WhatsApp. There are also apps that will monitor the account for you. Even if Last Seen is disabled you can still see when your subject is online. This could help you work out their patterns and determine where in the world they may be and the times they operate online. You may get really lucky if someone has updated their status and maybe provided an alternative means of contact because they are offline. Don’t forget to check their About Me either.

I have also used an Android emulator inspired by @aware-online and their excellent tutorial on how to geolocate groups on Telegram.

Needless to say this is not for nefarious purposes and it should also be used to understand the information you are giving away, from a privacy & OPSEC perspective.