From email address to phone number, a new OSINT approach


Email addresses are one of our most public pieces of PII. We
are comfortable sharing them with strangers and publishing them on the
internet, and they are generally our public means of communicating.

However, when it comes to phone numbers, things change. We are more
selective about whom we share them with, mostly because receiving
unsolicited phone calls is much more invasive. There are also security
implications in making your phone number publicly available: SS7
attacks, SIM swapping, phishing and scam calls are just a few of the
threats that start from the target's phone number.

What if it were possible to obtain someone’s phone number by only
knowing their email address? Beyond the criminal advantage, it could
be very useful to investigators, red teams and OSINT lovers.

In this talk, I will discuss techniques which, when combined, will let
you discover someone's phone number via their email address. I will
also demo and release a tool that helps automate the process.

  1. From email address to phone number: a new OSINT approach. Martin Vigo, @martin_vigo
  2. Martin Vigo: Prodsec | Red team | Triskel Security founder. From Galicia, Spain. Research | Scuba | Gin tonics. @martin_vigo. Amstrad CPC 6128
  3. Privacy: email address, SSN, phone number, profile picture, home address, age
  4. Security. Email address: spam / phishing, spoofing, password dumps. Phone number: spam / phishing, spoofing, HLR registers, voicemail hacking, fake cell towers, SS7 attacks, SIM swapping
  5. Useful for: private investigators, stalkers, OSINT professionals, doxxers, red teams, spammers
  6. Classic methodologies: Google dorks, people search engines, phone books, data leaks, social engineering, public records
  7. Purpose of this talk: a new OSINT method for your bag of tricks, and a new OSINT tool for your toolset
  8. Harvesting digits by abusing password reset. eBay: 012-XXX-XX89. PayPal: 0XX-XXX-6789. Yahoo: 0XX-XXX-XX89. LastPass: XXX-XXX-6789. Google, Twitter, Microsoft, Steam: XXX-XXX-XX89
  9. No masking standards. Password reset (attacker needs the email): leaks 5 digits. 2FA challenge (attacker needs email + password): leaks 3 digits
  10. Combining accounts. eBay + PayPal: 012-XXX-6789. eBay + LastPass: 012-XXX-6789. Yahoo + LastPass: 0XX-XXX-6789. That's 7 out of 10 digits from just the email address!
  11. Let's focus on which digits we know, not how many. 012-XXX-6789: area code (NPA) | exchange (NXX) | subscriber. 1000 possible numbers left...
  12. NANPA (North American Numbering Plan Administration) maintains a public list of area codes and their exchanges. San Francisco's 415 area code has 784 exchange numbers; Tacoma's 253 area code has only 458 exchanges.
  13. National Pooling Administration. Number blocks are assigned in units of 10 thousand: area code + exchange + 4-digit subscriber number. Sausalito has 7k residents; there is no need for a 10-thousand block assignment. The NPA manages smaller block assignments in growth areas. Per the FCC, the first digit of the subscriber number is used for this purpose. 012-345-6789: area code (NPA) | exchange (NXX) | subscriber, whose first digit is the block number
  15. 253-XXX-9123 with eBay and PayPal accounts: 1. eBay gives us the area code. 2. PayPal gives us the subscriber number. 3. NANPA gives us 458 valid exchange numbers for area code 253. 4. The NPA gives us 13 unassigned exchange numbers for block number 9. Only 445 possible numbers left!
  16. Still... 445 possible numbers... We reduced the victim's possible phone numbers from 10 billion to 445 with just an email address and publicly available information 🤔
  17. Same attack vector... reversed! Initially we used the email address to harvest phone digits. Now we use the remaining numbers to reset passwords and harvest masked email addresses!
  18. Target: Amazon shows v*******, where the number of * matches the remaining characters. Twitter shows vi*******@m*********.***, where the number of * matches the remaining characters. And more...
  19. Attack vector: 1. Harvest phone number digits by initiating password resets with the victim's email. 2. Use phone numbering plan data to reduce the list of possible phone numbers. 3. Harvest and correlate masked emails by initiating password resets with the remaining possible phone numbers.
  20. A new OSINT tool that automates the entire process
  21. email2phonenumber features: harvests phone number digits from major sites; generates valid phone number lists from partial numbers based on the country's phone numbering plan; brute-forces phone number password resets and correlates the masked emails with the victim's; supports proxies to avoid captchas / IP banning; easily extendable to support more online services; available on GitHub
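As an added example (not the talk's email2phonenumber tool), this Python script turns slides 10 to 16 into a mask-policy audit a service can run against its own reset flow: merge the masks several services display for one number, then count the candidates left before and after applying numbering-plan knowledge. The exchange and block-assignment tables are constructed toy values, not NANPA or Pooling Administration records.

```python
import re
NANP_LENGTH = 10  # NANP: 3-digit area code (NPA) + 3-digit exchange (NXX) + 4-digit subscriber

# Constructed toy numbering-plan data, not real NANPA / Pooling Administration records:
# area code 555 has five exchanges; in two of them the "9" thousands block is unassigned.
TOY_EXCHANGES = {"555": ["201", "202", "203", "204", "205"]}
TOY_ASSIGNED_BLOCKS = {("555", "203"): set("01234567"), ("555", "205"): set("012")}

def normalize(mask: str) -> str:
    """Drop separators, keep digits and placeholders; '*' and 'x' become 'X'."""
    s = re.sub(r"[^0-9Xx*]", "", mask).upper().replace("*", "X")
    if len(s) != NANP_LENGTH:
        raise ValueError(f"expected {NANP_LENGTH} positions, got {len(s)}: {mask!r}")
    return s

def merge_masks(masks: list[str]) -> str:
    """Overlay the masks several services show for one number: a digit revealed by
    any one of them is revealed overall; conflicting digits mean different numbers."""
    merged = ["X"] * NANP_LENGTH
    for mask in masks:
        for i, ch in enumerate(normalize(mask)):
            if ch == "X":
                continue
            if merged[i] not in ("X", ch):
                raise ValueError(f"position {i}: {merged[i]} conflicts with {ch} in {mask!r}")
            merged[i] = ch
    s = "".join(merged)
    return f"{s[:3]}-{s[3:6]}-{s[6:]}"

def naive_candidates(pattern: str) -> int:
    """Candidates left if every hidden digit could be anything (slide 11: 1000)."""
    return 10 ** normalize(pattern).count("X")

def plan_constrained_candidates(pattern: str, exchanges_by_npa: dict, assigned_blocks: dict) -> int:
    """Slides 12 to 15: only exchanges that exist for the area code and whose thousands
    block (first subscriber digit) is assigned remain possible."""
    p = normalize(pattern)
    npa, nxx, subscriber = p[:3], p[3:6], p[6:]
    if "X" in npa or subscriber[0] == "X":
        raise ValueError("needs a known area code and a known first subscriber digit")
    possible = [e for e in exchanges_by_npa.get(npa, [])
                if all(k in ("X", d) for k, d in zip(nxx, e))]  # honour any known NXX digits
    possible = [e for e in possible
                if subscriber[0] in assigned_blocks.get((npa, e), set("0123456789"))]
    return len(possible) * 10 ** subscriber[1:].count("X")

if __name__ == "__main__":
    merged = merge_masks(["012-XXX-XX89", "0XX-XXX-6789"])  # eBay + PayPal masks, slide 10
    print(merged, naive_candidates(merged))  # 012-XXX-6789 1000
    print(plan_constrained_candidates("555-XXX-9123", TOY_EXCHANGES, TOY_ASSIGNED_BLOCKS))  # 3
```

A service comparing its own mask against those of other popular sites can use the same merge to see whether its "unique" mask completes a digit pattern another site leaves hidden.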
  22. What about other countries?
  23. It gets worse... Many services do not adjust the PII mask for customers from other countries (eBay, LastPass, ...). Some countries have 7-digit mobile numbers: Estonia, San Salvador, Iceland, Åland Islands (Finland), ... eBay + LastPass exposes the ENTIRE phone number. Estonian victim's number: (+372) 588 1179 😱
  24. Countries by phone number length
  25. phonerator: an online service to generate phone number lists. Multi-country support | detailed info | advanced filters | historic records. Stay tuned on Twitter for updates and the release date: @martin_vigo
  26. Recommendations. For online services: use customizable labels instead of PII tidbits, i.e. "An SMS will be sent to [CUSTOMLABEL]" rather than "An SMS will be sent to 415-***-**12". For you: never provide your real phone number to online services; it is usually not required to use the service. If it is required, use VoIP numbers or dedicated SIMs. Use different email addresses or aliases.
  27. Responsible disclosure (mask before → after). eBay: 012-XXX-XX89 → 0XX-XXX-XX89. PayPal: 0XX-XXX-6789 → 0XX-XXX-6789, "The team has assessed this to be an acceptable risk". Yahoo: 0XX-XXX-XX89 → ?XX-XXX-XX??, still assessing the risk and mitigations. LastPass: XXX-XXX-6789 → XXX-XXX-XX89
  28. TL;DR: Attackers can use your email address to obtain phone number digits from online services due to a lack of standardization in PII masking. Combined with publicly available information and an understanding of the country's phone numbering plan, it is possible to recover the entire phone number. Security & Privacy | Online Services | UX
  29. Thank you! @martin_vigo