Investigation On Phone Numbers (Phone Numbers OSINT)

Apr 02, 2023 · 23 min · Season 1, Ep. 2

Episode description

Welcome to our podcast, where we explore the fascinating world of Open Source Intelligence, specifically focused on mobile phone numbers. Our team of experts will guide you through the latest techniques and tools for mobile OSINT, including how to collect, analyze, and disseminate information from publicly available sources related to phone numbers. Whether you're a seasoned investigator or just getting started in the field of OSINT, this podcast is the perfect place to learn new strategies and stay up-to-date on the latest developments in this rapidly evolving field. Join us as we uncover the secrets of mobile phone number OSINT and discover how you can use this valuable information to make more informed decisions in your personal or professional life.

Transcript

Welcome to this episode of our podcast. I'm Matthea, an open source intelligence analyst and winner of the Operation Safe Escape CTF by Trace Labs. With a wealth of experience in open source intelligence, I have worked on numerous projects in this field and I am an expert in the collection, analysis, and dissemination of intelligence from publicly available sources.

In today's podcast, we will be discussing the fascinating topic of phone number open source intelligence, which is a crucial aspect of open source intelligence and can provide valuable insights for various investigative purposes. So join me as we delve deeper into the world of phone number open source intelligence.

The phone number is a valuable piece of information for open source intelligence purposes since people tend to change it infrequently, it can be easily associated with a person and it is reused in multiple accounts. In the upcoming chapters, we will see how to obtain more information starting from a phone number. In part two of this course, we will instead see how to find a phone number starting from other data.

Throughout the course, we will often use mobile applications, so it is recommended to install an Android emulator and link it to a newly created Gmail account before proceeding. Personally, I find LD Player emulator to be very efficient and you can download it from the following link, LDPlayer.net. Often, it will be necessary to use a phone number to register for various services, so it's recommended that you buy a new SIM card.

What is the home location register (HLR)?

All mobile network operators have one. It is a database that contains information about subscribers such as the International Mobile Subscriber Identity (IMSI), the phone number associated with the subscriber (MSISDN), the account status and the last known location. Home location registers are a component of 2G and 3G mobile networks.

In the case of 4G networks, the database is called Home Subscriber Server (HSS), while in 5G networks, the name changes again, becoming Unified Database Management (UDM). Every time a device tries to access a cellular network, a message switching center (MSC) requests the data present in the HLR database to determine if the subscriber is authorized to access services, how to charge the subscriber for those services and how to route transmissions to and from the device.

When a subscriber's contract ends, the provider removes them from the HLR, preventing them from accessing the network.

The HLR for open source intelligence purposes

Obviously, these databases are private and not analyzable in most cases. However, through fake virtual operators, it is possible to access this data even if only partially and not updated. There are various online services, both free and paid, that allow HLR requests for a phone number.

Personally, I think the best service, although practically unknown in Italy, is the one offered by SMSC, available at the following address, smsc.ru-test-hlr. Through this Russian service, it is possible to make a real-time HLR request, but it has a strong limitation. You can make only two requests every 24 hours per IP.

While the prefix of a mobile phone number (for example, +39) will clearly tell us the nation of registration of the phone number (+39 equals Italy), an HLR request on this site will provide us with additional information, such as the network to which the phone number is attached. This information is useful if a person with an Italian phone number is abroad. Through this search, we will immediately be informed of this fact. Also, for example, we could know if the phone number is in roaming.

The last known location: very similar to the previous one. In most cases, at least for numbers located in Italy, only the country will be shown. However, it has happened that for foreign phone numbers, a much more precise location was shown, such as a single province or even a city. The originating operator: many online HLR services search for the operator based on the first few digits of a phone number, which declare the originating operator.

With real-time access to the network to which it is connected, we could understand if the number is active. Sometimes we may come across phone numbers that are not connected to any network. In this case, it doesn't necessarily mean that the number is deactivated; it could be that the SIM card is forgotten in a drawer somewhere. However, through this website, we can check whether the phone number is really active or not.

Some operators do not immediately remove the number from the HLR databases, so a number that has recently been deactivated may still erroneously appear as active.

Caller ID services

Caller ID services are all those applications available on mobile devices that can tell us whether a call is spam or not. These services are fueled by the same users who download them, as one of the prerequisites for accessing these databases is to grant the service access to our entire phonebook.

This is therefore a never-ending cycle: the more users download the application and grant access to their phonebook, the more useful the application will be to other users, and the more it will be downloaded by new users. With that being said, the best caller ID applications are the most downloaded on the Play Store. Therefore, open your Android emulator, connected to a new Gmail email with no contacts in it to avoid granting access to our contacts, and download the following apps.

Sync.me, Truecaller, Showcaller, CallApp. I believe these four apps are the best, by far. Many other applications available on the Play Store are unofficial clones of the apps listed above, with the only difference being the name of the app. However, you are invited to try other apps to improve your efficiency with phone numbers. By entering a phone number, these apps will return a name known as the real user, if available, which could be different from the SIM card owner.

For example, if a minor is using a SIM card registered to a parent, we will find the name of the child. As the data is retrieved directly from the phonebooks of other users, the number may be associated with a username, nickname, or other details. I remember the time when I found the name Marco Bianchi Drug Dealer on one caller ID, and Mauri98Weed on another.

Of course, these are just fictitious names, but they are useful in understanding how, by searching these caller IDs, I not only obtained the probable profession of the target subject, but also a username to use to identify other accounts associated with the target subject.

Another useful feature of some apps is that they allow us to know a social media profile associated with the subject, assuming, of course, that the user from whom this data was taken has linked the social media profile to a phone number. As most users do not read the terms of service, it is very likely that some of your acquaintances have granted access to your phone number to these apps. It is always good to know that it is possible to request removal.

Sync.me and Truecaller are also available online without the need for an Android emulator, both requiring access with an email. Be careful not to grant access to all the contacts you have in your mailbox, phone numbers, and email addresses. Working with multiple contacts can be a daunting task, especially when dealing with hundreds of different phone numbers. Fortunately, there are apps like CallApp that can help us synchronize our entire address book and automatically update contact names.

However, before synchronizing, it's most convenient to create a VCard to add all of the contacts. We can use one of the many online programs, like csvtovcard.com, to convert a CSV file to a VCard. Here are the steps to follow. Create a CSV file with your contacts. Convert the CSV file to a VCard using an online program. Import the VCard file into your address book. Synchronize it with the caller ID app.

Remember that all the contact names received automatically should be exported and saved somewhere before deleting the entire address book, inserting the file with only numbers, and repeating the operation with another caller ID app. This is to prevent the replacement of names already identified with other names. Our goal is to have as many names or nicknames as possible for each phone number in order to get an accurate idea.

Data breaches can be a game changer during phone number analysis. There are numerous databases that contain phone numbers mixed with other identifying information, such as social media profiles, various identification codes like the fiscal code, address data, and much more. Facebook's violation is one of the most notorious, exposing over 36 million Italian phone numbers and more than 500 million worldwide. In addition, many Italian operators have experienced violations of their systems over the years, such as ho. Mobile, TIM, and Lycamobile.

To find out which database to search, it's best to start with Have I Been Pwned, a website that indexes the most significant data breaches worldwide. Then, search for these databases on underground forums such as BreachForums, or on dedicated portals like IntelX, LeakCheck, Dicht, and similar sites. Please note that it's essential not to purchase credentials from cyber criminals. Not only is it unethical, but it also fuels the market for passwords, not to mention the illegality of this action.

One convenient way to find out who owns a phone number and discover associated social profiles is through contact synchronization, available in many apps. In the upcoming chapters, I will share the methods that I know of. Please note that the results may vary depending on the privacy settings of our target.

Instant Messenger: WhatsApp

To obtain a WhatsApp account from a phone number, simply download the app on our Android emulator and create a WhatsApp profile.

After a brief update, all the saved numbers in our contacts that have WhatsApp profiles will have the messaging service icon, allowing us to start a chat or a video call. The profile picture can give us valuable clues for our analysis and can be searched in reverse search engines to identify other accounts. Additionally, the bio can be used as a dork to obtain other accounts if the user tends to reuse it.

We will also have a name associated with the phone number, and we can check if the user is active or not on this service through the online/offline status. Monitoring the subject's social activity will allow us to understand their sleep-wake cycles and other useful information.

Instant Messenger: Telegram

Similar to WhatsApp, the method for Telegram is also straightforward.

Install the application on our Android emulator, add the contact to the address book, and synchronize the contacts with the application. The useful information for open source intelligence purposes is the same as WhatsApp with the addition of the username, which is not present in WhatsApp. More information on Telegram can be found in the next episode.

Instant Messenger: Signal

Signal Private Messenger is a free and open source application for Android, iOS, and desktop (Windows, Mac, and Linux) that uses end-to-end encryption to protect text, image, and audio and video messages, as well as phone conversations between users of the same app. The method for Signal is equally simple, although slightly different. Simply download the Signal application and create an account on this service.

After adding the target phone number to our address book, it will also appear within the Signal messaging service if the target possesses it.

Instant Messenger: WeChat

WeChat or WeChat in the Chinese language is a messaging service for text and voice messages for mobile devices developed by the Chinese company Tencent. It is the most widely used messaging app in China, with over 1.2 billion active monthly users of different age groups.

As with the previous methods, simply add the phone number to the address book, after downloading and creating a profile within the application, and contact synchronization occurs automatically. Opening WeChat will show the target profile among our contacts, and we can view the information extremely easily.

Social Network: Snapchat

Unlike other similar social networks, Snapchat allows users to exchange audio or video of up to 10 seconds, known as snaps, which are deleted immediately after viewing. Additionally, users have the option to share their stories or content that remains visible for 24 consecutive hours and then disappears permanently. To synchronize contacts on Snapchat, we need the mobile application, which we can download on our Android emulator.

Once we have created the account, we simply need to tap the profile icon at the top to go to the relevant screen, click add friends, touch all contacts. At this point, we will have identified the account or accounts of our target, and we can choose whether to add them to our friends on Snapchat. Here's the improved text for an audio book on TikTok, Twitter, Nextdoor, Facebook, and Instagram.

Social Network: TikTok

TikTok is a social network that lets you share 15 or 60 second clips with music, sound effects, and filters. These clips include dances, mini comedy sketches, musical parodies, or lip syncs, and are characterized by fast and intuitive editing. Just like Snapchat, all you need to do is sync your contacts to get your target accounts. Once you've created an account on your Android emulator, open the app and tap profile at the bottom right.

Then tap find friends in the top left corner and find contacts. Allow TikTok to access your contacts and the accounts associated with the analyzed phone numbers will be returned.

Social Network: Twitter

Twitter is a free microblogging platform that allows you to share messages up to 140 characters long. To sync your contacts with Twitter, you need to create an account and go to the following URL, https://twitter.com/settings/contacts.

Once you've added your contacts, the corresponding Twitter accounts will be returned, provided that your target hasn't changed their privacy settings.

Social Network: Nextdoor

Nextdoor is a private neighborhood social network that was launched in the United States in 2011 and arrived in Italy in 2018. The platform is useful for finding and getting to know your neighbors, creating micro communities.

To use Nextdoor, users must use real names and addresses, associate their phone numbers and request a postcard online that will physically arrive at their home within five days. Once you've created your neighborhood, you can report news and events in your area with posts visible only to those who belong to a specific community. Each member of the platform can attract other profiles to establish a neighborhood.

To sync your contacts on Nextdoor, you need to download the application on your Android emulator. Once you've created an account and given permission to access your contacts, you'll simply find your target accounts in the invite or invitations section.

Social Network: Facebook

Facebook is by far the most popular and widely used social network in the world. To sync your contacts on Facebook, you need to download the mobile application on your Android emulator.

Once you've created an account, go to settings in the upper right-hand corner of Facebook, then go to settings and privacy and then to settings. Scroll down to the permissions section and tap upload contacts. Tap continuous uploading of contacts to enable or disable the setting. Once you've synced your contacts, any accounts associated with phone numbers will appear among the suggested contacts.

You won't have a precise idea of which account is associated with a phone number, but it's still useful, especially if you already know the target's name. You'll easily find the target account among the many accounts suggested by Facebook. More information on Facebook can be found in my previous Facebook podcast. Instagram is a social network dedicated to sharing and publishing photos and videos.

Users on Instagram have a personal profile where they can upload photos and videos, thereby sharing the moments of their day with their network of followers. To connect to Instagram, you need to follow these steps. Tap the profile picture at the bottom right to access your profile. Tap on the top right, then tap on settings. Click on account, then tap on sync contacts. Finally, click on connect contacts to activate contact synchronization.

As with Facebook, we may not have a precise idea of our target profiles. However, if connected with a phone number, these profiles will appear in the suggested section.

Now let's talk about VoIP software Skype. Skype is a free software that allows users to exchange messages, send attachments, make calls, and video calls using the Voice over IP (VoIP) protocol. It is a hybrid program that separates chats into conversations, both in groups and with individual users.

Once you have downloaded the application on your Android emulator and created an account, follow these steps to synchronize contacts. Tap the profile picture from the chats section. Select settings, select contacts, activate sync your contacts. All the target accounts will appear in our internal Skype address book. Moving on to payment app PayPal.

PayPal is a service that not only allows you to pay for your online purchases on millions of e-commerce platforms, but also send and receive money without having to enter or communicate your credit card number or bank account details. In the send money section, you can enter a phone number, and if the phone number is present, you will most likely see the profile picture and other data.

Lastly, let's discuss the payment app Wise. Wise, formerly TransferWise, is a platform for international money transfer and multi-currency electronic wallet accounts. Once you have downloaded the mobile application on your Android emulator, you can also synchronize contacts. To synchronize contacts, simply go to the recipients screen for sending money or under contacts on Wise in the settings. You will see the sync contacts form and all the target accounts will appear in our internal Wise address book.

Note that as a security measure, all profiles now have the default setting of not being searchable via phone number. However, many users activate this setting, making themselves searchable. Another useful method, perhaps the most obvious, is to search for phone numbers on search engines. Let's not focus on just one search engine, but search at least on the most famous ones such as Google, Bing, Yahoo, DuckDuckGo, and Yandex.

When searching for phone numbers, it's important to use a variety of queries to ensure you find all relevant information. It's important to search for both the textual and numerical form of the phone number and to try different divisions of the number as well. By doing this, you can increase the chances of finding the information you need. So remember, when searching for phone numbers, be creative and try a variety of queries to get the most complete and accurate results.

Let's remember to search for phone numbers on search engines specific to social networks as well. We may certainly use the most famous social networks, but also the regional specific ones, such as VK for users in the East. A tool that automates this type of search, but with results that I often find questionable, is PhoneInfoga, available at the following link, https://github.com/sundowndev/phoneinfoga.

Search engine for business cards

Another useful search engine for open source intelligence purposes in our phone number analysis is the following CSE (custom search engine), which searches the most famous sites for business cards, cse.google.com/cse?cx=B5801C31F451E4A. Just search for the phone number in this search engine, following the advice given earlier, to obtain retrievable information on the business cards created online.

White pages

There are several archives of fixed and mobile phone numbers, normally named white pages or yellow pages, depending on whether they're business or personal numbers. While until a few years ago, these archives were in print form, now the major services of this type have migrated online. These services are divided by nation, but registration is optional. Due to aggressive telemarketing policies, users who sign up for these services are in constant decline.

A list of white pages divided by nation is available at the following link, https://phonebookoftheworld.com/wp.

Tool: Ignorant

Through registration and password reset forms, it is possible to establish whether a phone number is registered on a certain service.

While this search can be carried out manually, there is a tool called Ignorant, available at the following link, capable of carrying out a search on various services, currently only Amazon, Instagram, and Snapchat: github.com/megadose/ignorant. Installation instructions are available directly on the GitHub page.

B2B software

Business-to-business software is dedicated to corporate marketing and can provide us with so-called leads or contacts within a company that may be interested in purchasing our products. Obviously, such contacts can be quite useful for open source intelligence purposes, also because many of these software index both company and personal social media profiles and telephone numbers. Almost all of these applications are freemium with limited free features and others for payment.

It is definitely worth investing in non-free licenses. The main B2B software I use for open source intelligence purposes are RocketReach, Apollo.io, and Lusha. Simply search for a phone number within these applications to view target profiles. B2B software, like caller ID, feeds on our phone book and email to improve the service. Use a new email to avoid giving any contacts.

Thank you for tuning into this episode of our podcast.

I hope you found our discussion on phone number open source intelligence insightful and informative. Remember, open source intelligence is a powerful tool that can provide valuable insights and intelligence from publicly available sources. If you have any questions or comments, please don't hesitate to reach out to me. And, if you enjoyed this podcast, be sure to subscribe and stay tuned for more episodes on open source intelligence and related topics.

Thanks again for listening and I look forward to bringing you more exciting content in the future.

Transcript source: Provided by creator in RSS feed