Unraveling the OSINT Oxymoron
Open-source intelligence (OSINT) is somewhat of an oxymoron. On one hand, practically everyone who has used the Internet has engaged in OSINT research. On the other, the enormous potential of OSINT sources remains largely untapped.
Usually defined as a framework or collection of techniques, OSINT relies on the immense amounts of data freely and openly available online and offline to answer questions that allow organizations, companies, and individuals to make better informed decisions.
Embracing all online media, public information on social media and crowdsourced platforms, commercial data, academic and professional publications, public government data, and historical archives, the OSINT framework is nothing if not pluralistic. Its efficiency and helpfulness rely on the researcher’s ability to source, evaluate, and combine this data while weeding out errors and attempts at muddying the waters.
Quality vs. Quantity
Practical applications of the OSINT framework range from national intelligence and security to human resources and recruitment, lead generation to outreach, cybersecurity to anti-fraud, and beyond.
In simple terms, OSINT is akin to big data—perhaps close to the abstract concept of “all data.” As a result, the questions that surround its use are not ones of quantity, of which there is usually plenty, but ones of quality: not just separating the wheat from the chaff but making logical sense of what is left, ensuring it is not misinterpreted, and understanding the pitfalls of over-reliance on individual findings.
When faced with huge amounts of data, which methods and tools—be they automatic or manual—allow us to utilize OSINT’s maximum potential while minimizing the strain on resources? That is where dedicated search engines, APIs, and tools come in, available either freely or as proprietary software, to allow us to better search, identify, or combine data and speed up researchers’ efforts. OSINT tools come in diverse forms and include everything from web apps that visualize information to real-time aggregation, public databases, and search engines themselves.
Anti-Fraud Manual Reviews
The role OSINT plays within the fraud, scam, and cybersecurity landscape is twofold. On one hand, publicly and freely available data is something criminals frequently turn to when executing account takeovers, conducting spear-phishing attacks, or stealing someone’s identity.
Consider criminals who want to impersonate upper management to trick a low-ranking employee into giving them confidential information or even making a transfer to the fraudster’s account. To do so, they will search the Web for any information they can find on the employee they are impersonating to sound as convincing as possible. They will source this from places such as LinkedIn, YouTube videos of this person, and so on.
Yet, at the same time, there are legitimate security-based needs to use OSINT. For instance, researchers, analysts, and anti-fraud firms use OSINT to enhance cybersecurity and have developed new, specialized tools to boost this potential and automate it.
Let’s start with the basics, in the form of manual reviews. Whether on-site or outsourced, an organization’s team of anti-fraud analysts will have to manually review certain requests and actions. Often this occurs after an automated platform flags abnormal behavior for human assessment. For instance, an underwriter for a financial technology micro-lender may want to ensure the person applying for a loan is legitimate. Or, an online merchant’s anti-fraud platform may have flagged a certain shopper suspicious due to unusual ordering patterns, so the retailer will want to understand what is happening, ideally with minimal churn or friction.
Depending on the sector and action attempted by a user or customer, manual reviews can take on many forms, including direct email or telephone contact, examining the minutiae captured during previous steps, or comparing to recent developments in the online landscape. That is where OSINT can come in to help.
Reverse Email and Phone Lookups
Naturally, when fraudsters create fake or synthetic IDs to utilize in their schemes, they will take security precautions and basic steps to make the identities convincing. Often, they’ll steal or buy fullz (full information on victims, including their name, address, and a form of identification) on the Dark Web, create dedicated new email addresses, and set up burner phones. There are even solutions to fool biometrics these days.
Assuming the above is done with precision, in addition to usual SecOps measures taken by criminals, what is left to help risk analysts catch fraudsters? A good answer to this comes in the form of reverse email lookup and phone lookup using OSINT sources.
It is both unusual and not scalable for a criminal to take the time to invent and set up a full online persona beyond the basics. His or her online presence on the Web will be limited and not look realistic compared to a legitimate user—especially taking into account a few variables such as age group and location.
Running someone’s email address through a lookup tool will return various OSINT data points such as any public images of the individual, his or her occupation as listed on social networks like LinkedIn, any data breaches the individual’s email has been listed in, and a wealth of social media, platform, and app profiles that are linked to said email or phone number. While in many cases such profiles will not be public, what is useful is the fact they exist.
For example, if the user’s email address is listed in a data dump from 2013, the account has existed since at least then—which increases the chances it belongs to a real person. The person’s likeness can be reverse image searched to see if it’s used elsewhere or is a known stock photo. Similarly, a younger user is likely to have at least one or two social media profiles—if they don’t, this can be a red flag. An active, filled-in LinkedIn page can be a similarly good sign.
It is up to the fraud analyst to reach conclusions from this information within the given context and depending on the organization’s risk appetite and historical patterns. As a tool, however, email and phone lookups are incredibly useful and relatively frictionless compared to other options. People who sign up for any service are used to providing an email address and even a phone number to do so, and fraud analysts performing phone or email checks do not have to trouble the subject with additional know your customer (KYC) steps beyond what is necessary.
Data Enrichment Enabling Scalability
From this key idea of using already provided information to source dozens, if not hundreds, of useful data points, researchers have devised automation protocols to reach data enrichment functionality, turning raw data into something actionable.
OSINT-enabled data enrichment is automated but returns reliable results. In the anti-fraud landscape, it allows for the creation of a complete user or session profile that can help analysts make immediate decisions or verify the user on return visits. OSINT databases are part of the various sources of data that will comprise the profile and assign it a risk score. Such a profile will include all the aforementioned information, phone network provider, company information (if using a corporate email account), and so on—but there will also be data gleaned from one’s IP address, device/browser/cookie hashes compared with other users and attempts through time, and additional considerations.
Automatically and comprehensively sourcing this type of data allows fraud analysts to create risk profiles and reach better decisions in anti-fraud efforts. Within such a 360-degree approach, OSINT adds hundreds of additional data points that are difficult to falsify and are largely overlooked by criminals. This series of insights can enable investigations and ultimately inform manual or automatic decisions on which users and attempts to let through and which to block or request additional verification from.
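The following is an added example, not code from the article or from SEON, showing how the reverse-lookup signals described earlier (breach history age, linked social profiles, LinkedIn completeness, stock-photo likeness, age-group expectations) and the session-level enrichment data (phone type, IP country versus declared country) can be combined into a single risk score that drives an approve / manual review / block decision. The field names, weights, thresholds and the three sample profiles are all assumptions constructed for the illustration; a real team would calibrate them against its own historical patterns and risk appetite.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Decision thresholds and the "established address" window are assumed values.
REVIEW_THRESHOLD = 30
BLOCK_THRESHOLD = 60
ESTABLISHED_YEARS = 5   # address seen in breach data at least this long ago counts as long-lived


@dataclass
class EnrichmentProfile:
    """One sign-up's enrichment record. Every field is a constructed stand-in for what an
    email/phone lookup plus an IP/device step might return; the field names are assumptions."""
    email: str
    earliest_breach_year: Optional[int]   # oldest public data dump listing the address; None = never seen
    social_profiles: int                  # platform/app accounts linked to the email or phone
    linkedin_complete: bool               # filled-in, active LinkedIn page found
    photo_is_stock: bool                  # reverse image search matched a known stock photo
    age_group: str                        # "18-34", "35-54" or "55+"
    disposable_email_domain: bool         # throwaway mailbox provider
    voip_phone: bool                      # number belongs to a VoIP / burner range
    ip_country: str                       # geolocated from the session IP
    declared_country: str                 # what the applicant entered


def score_profile(p: EnrichmentProfile, today_year: int) -> Tuple[int, str, List[str]]:
    """Combine the OSINT data points into a 0-100 risk score, a decision and the reasons behind it.
    Negative adjustments are signs of an established, real person; positive ones are red flags."""
    score = 0
    reasons: List[str] = []

    # Presence in an old breach dump proves the address existed back then.
    if p.earliest_breach_year is None:
        score += 15
        reasons.append("email has no public history at all")
    elif today_year - p.earliest_breach_year >= ESTABLISHED_YEARS:
        score -= 20
        reasons.append(f"email seen in breach data since {p.earliest_breach_year}: long-lived address")

    # Younger users are expected to have some social presence; none at all weighs more for them.
    if p.social_profiles == 0:
        score += 25 if p.age_group == "18-34" else 10
        reasons.append("no social media or platform accounts linked to email/phone")
    elif p.social_profiles >= 3:
        score -= 10
        reasons.append(f"{p.social_profiles} linked accounts found")

    if p.linkedin_complete:
        score -= 10
        reasons.append("active, filled-in LinkedIn profile")
    if p.photo_is_stock:
        score += 30
        reasons.append("profile photo is a known stock image")
    if p.disposable_email_domain:
        score += 30
        reasons.append("disposable email domain")
    if p.voip_phone:
        score += 15
        reasons.append("VoIP / burner phone number")
    if p.ip_country != p.declared_country:
        score += 20
        reasons.append(f"session IP in {p.ip_country} but declared country is {p.declared_country}")

    score = max(0, min(100, score))
    if score >= BLOCK_THRESHOLD:
        decision = "block"
    elif score >= REVIEW_THRESHOLD:
        decision = "manual_review"
    else:
        decision = "approve"
    return score, decision, reasons


# Constructed sample records (no real people or addresses).
ESTABLISHED_USER = EnrichmentProfile("anna@example.com", 2013, 4, True, False, "35-54", False, False, "HU", "HU")
SYNTHETIC_ID = EnrichmentProfile("qx7@throwaway.example", None, 0, False, True, "18-34", True, True, "NG", "US")
BORDERLINE = EnrichmentProfile("peter@example.org", 2022, 1, False, False, "55+", False, True, "DE", "HU")

if __name__ == "__main__":
    for profile in (ESTABLISHED_USER, SYNTHETIC_ID, BORDERLINE):
        score, decision, reasons = score_profile(profile, today_year=2024)
        print(f"{profile.email}: score={score} decision={decision}")
        for r in reasons:
            print(f"  - {r}")
```

The reasons list matters as much as the score: an analyst doing a manual review needs to see which data points drove the decision, and a borderline case (a legitimate older user with a VoIP number travelling abroad, for instance) should land in review rather than be blocked outright.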
That is the OSINT oxymoron: There is almost infinite data freely available and yet, at the same time, it is so often ignored because of its sheer volume and complexity. OSINT can help criminals, but it is not yet being leveraged to its full potential when it comes to protection from criminals.
OSINT can, and ought to be, a key part of intelligent and efficient anti-fraud efforts, no matter what form they take—manual or automated, end-to-end or targeted. It is up to us to embrace it and make the most of it.
Gergo Varga has been fighting online fraud since 2009 at various companies—even co-founding his own anti-fraud startup. He is the author of the Online Fraud Prevention Guide for Dummies – SEON Special Edition. He currently works as the senior content manager and evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what’s happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.