Digital Footprints: Why should you care?

What is a Digital Footprint? 

Every time you access the internet, you leave a digital footprint, which shows others where you are and what you have been doing. Whether it’s a photo you’ve posted on Instagram, a post you have liked, or something you’ve searched for, it leaves an online trail.

Open-Source Intelligence is the collection and analysis of data gathered from open sources to produce actionable intelligence.

Reading this article may leave you feeling the need to burn your computer and completely disconnect from society. However, we will show you how fragmented pieces of information can be pieced together to give an attacker a very detailed image of your life, and how you can defend against it.

Digital footprint investigation is a service that Risk Evolves can offer to help identify any vulnerabilities, and support organisations to protect themselves before cyber-criminals can act.

Over Q4 2022, Risk Evolves were tasked with carrying out a digital footprinting investigation for a group of senior executives working in a field of national importance.

A small team of just two from Risk Evolves worked in isolation with 1.5 business days per individual and less than £100 of spending money to access the content of some well-known paywall websites. All we were given were the executives’ names and the company they worked for. Below are some of the ways we used that information to create a very detailed profile of those people using their digital footprints.

1. Search engines – “Google Dorking” techniques in Bing and Google. Using specific characters, such as speech marks (“), search results can be narrowed, removing the chaff and homing in on the information that is key. For example, “Joe Bloggs” “Risk Evolves” will return only content containing these exact phrases. This often returns social media sites, one of the main ones being LinkedIn. There are other operators that can be used to further refine those results to specific sites or even certain document types.

2. Social media accounts helped too, depending on privacy settings. Facebook was good for finding family members, people’s likes and photos. LinkedIn gave us data points such as location, a photo of the individual and employment/education history, and cross-referencing social media platforms helped confirm the following:

  • Location (be it a general area or a specific location),
  • Photo of the individual,
  • Previous employment history,
  • Previous education history, and
  • Company email

3. 192.com – This site hides information behind a paywall; however, it is not tremendously expensive. Using the names and locations found from other sources, the team could find current addresses for 50% of the individuals they searched for. The data on this site is gathered from the Open Register. If you had registered to vote at an address, then historically, more often than not, there was still a trace left behind, usually from a decade ago. However, if the individual hadn’t moved house in that time (checked using Zoopla), it was likely that this was still their current address.

4. RocketReach.com – Some free searches, but a heavy subscription after that. This is just one of several websites that offer a data scraping service: pulling data from multiple websites across the internet (such as LinkedIn) and putting it all in one convenient place. As well as confirming information already gathered, the site provided some personal email addresses and also has the potential to provide phone numbers.

5. Breach database searches – https://haveibeenpwned.com/ was used to find out whether any email addresses (work-related or personal) had been involved in a historical data breach. Potentially this could provide passwords; however, the research carried out didn’t go that far (no illegal searches were carried out, e.g., on the Dark Web).
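The defensive counterpart to the breach check above is testing whether a password you or your staff use already appears in Have I Been Pwned’s Pwned Passwords corpus. This is an added example, not Risk Evolves’ tooling: it uses the real HIBP range endpoint with the k-anonymity scheme (only the first five characters of the SHA-1 hash ever leave the machine), and the embedded response is constructed so the check runs offline.

```python
"""Password breach check via HIBP Pwned Passwords k-anonymity range API.
Only the first 5 hex chars of the SHA-1 hash are sent; the password is not."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into a 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Network fetch: every breached hash suffix that shares `prefix`."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "footprint-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines HIBP returns into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # ignore blank or malformed lines
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times `password` appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response (not real HIBP data) so the example runs offline.
SAMPLE_PREFIX, SAMPLE_SUFFIX = sha1_prefix_suffix("password123")
SAMPLE_BODY = ("0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
               f"{SAMPLE_SUFFIX}:123456\r\n"
               "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed response."""
    return SAMPLE_BODY if prefix == SAMPLE_PREFIX else ""


if __name__ == "__main__":
    print(pwned_count("password123", fetch=offline_fetch))  # 123456 from the constructed data
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; a non-zero count means the password should be retired everywhere it is used.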

6. Ancestry.co.uk – Another paywall account, but at £19.99 per month (and with a two-week free trial), it’s not a tremendous expense. Ancestry could provide names of family members, middle names, mother’s maiden names, dates and locations of birth. Ancestry also provided details on patents linked to individuals, all incredibly useful information for spear phishing campaigns!


Once a basic set of searches had been carried out, the team was free to explore further with the information that had been gathered using “Google Dorking” techniques. They were able to find all sorts!

Everything collected enabled the team to build up a pattern of life for each individual. All this data would allow for attacks such as phishing and spear phishing emails, account hijacking, denial of access attacks, and physical attacks.

Our aim at Risk Evolves is not to scare but to inform. There are some simple steps everyone can take to reduce the attack surface and sanitise a digital footprint.

The largest defensive tool we have in our arsenal is the UK’s General Data Protection Regulation. If you are a European citizen and a company is processing, storing, or sharing your data, you have the right to have your data erased. Covered under section 17 of the UK GDPR, this law is more commonly known as the right to be forgotten; a request can be submitted either verbally or in writing, and more information can be found here: [https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/#ib10]. The right to erasure can protect you against third-party companies who collect your data, such as RocketReach. If our targets had removed their data from RocketReach, we may not have found personal email addresses and phone numbers. This would have minimised attack vectors such as database scraping, phone number attacks and account hijacking, making it harder for attackers to collate information and ultimately making you safer.

Updating your privacy settings on social media sites is another step you could take, making it so that only people you want can see your information. Many people find positives in sharing information on social media. Some make an income, others grow their professional network, and some find happiness sharing with others.

Just because you have a Facebook account doesn’t mean all your personal information will automatically be leaked onto the dark web. However, it is your decision as a user to determine how much risk you take by posting information online. Posting a cute picture of your dog online is great. The internet needs more cute dog pics, but posting your location on LinkedIn, or a picture of your house alongside a tagged photo of your entire family, would be heavily inadvisable. Ultimately, it is your decision, so you alone should choose an acceptable risk tolerance level and attempt to stick to it.

If our targets had tighter controls on their online digital footprint, it’s possible that we may have found absolutely nothing at all. Following the advice in this article, you should be well on your way to obscuring your information from those who may wish to use it against you.

Cyberattacks are one of the biggest risks that face today’s businesses and it’s not a matter of if anymore, but when.

For more information, please contact the team on 01926 800710 or email: info@riskevolves.com

MD for Risk Evolves, Helen has worked in the IT industry since 1986. Helen is a leader in the areas of risk management and operational improvement, and works with companies in senior governance, risk and compliance roles. She is a member of the British Standards Institute and is a member of the BSI Committee creating a new guidance standard to assist organisations on how to become cyber resilient. Helen and the team at Risk Evolves work with organisations to improve their resilience through stronger process implementation and better communication and education of staff.
