What is OSINT (Part 2): Dangers of Oversharing

RoddyT3ch
10 min read · Feb 8, 2022

After the introduction to basic OSINT tools and techniques, you know how easy it is to get information about someone or something on the Internet, and how your social media activity can be weaponized by malicious actors. In this article, we want to focus on how social media intelligence (SOCMINT) can be used for harm, and more importantly, what you can do to protect yourself.

While many complain about the intrusiveness and dependence social media can create, it’s a fact that social media platforms are now part of our daily lives: they’re a source of information, entertainment, working and networking opportunities across the globe. Even non-users have to acknowledge their existence, as political Tweets are dissected by traditional media and TikTok challenges make their way to online publications. Whether we like them or not, social media platforms lead trends and opinions, and constitute a vital medium for sharing and spreading all kinds of information.

But when it comes to our own profiles, are we sharing too much on social media?

Most people would probably answer that yes, there are people who overshare, but they personally don’t. They don’t list their home address, they don’t say where they work, they don’t put too many pictures of their kids. They, unlike others, are careful.

Unfortunately, we tend to overestimate our level of privacy online and underestimate the power of social media’s algorithms… When we post, tag or share something, what we often fail to realize is that this small bit of information will add to other small bits of information that we have already disclosed. And that these little bits, pieced together, can form a pretty revealing picture of us, and be exploited by a malicious actor.

Don’t believe us? Let’s take a look at Rafael Martinez, a 32-year-old software developer turned professional photographer.

The case:

Rafael is a very active social media user, and you can find him posting daily about where he is, what he does, and where he is going to be. He likes to travel and go on adventures. This is a guy who’s out living his best life and loves to tell his followers and the “world” about it on his Instagram page.

Rafael Martinez, Instagram Page

Recently, Rafael bought a new house and celebrated with his followers.

Rafael Martinez, New House

He also showed off his new e-bike.

And because he was understandably pretty excited about it, he talked about his trip to Valencia, Spain. He knows people appreciate his enthusiasm for travelling and that this is the kind of post that will get him a few dozen more followers.

What Rafael couldn’t have known is that all his social media activity has caught the eye of a malicious actor who wishes to rob him. Through his social media posts, he has unwittingly become a target for people looking for an easy and illegal way to make money.

And indeed, during his trip to Valencia, Spain, Rafael’s house is robbed and his e-bike stolen!

Rafael Martinez, being robbed
Thief sneaking into window

But wait, how did this happen? After all, Rafael did not explicitly tell anybody where he lived. So how did the thief find his house?

Well, through his social media activity, Rafael has indeed revealed everything the thief needed to know to rob him. Let’s see how.

The Breakdown:

If you remember Rafael’s Instagram page, you can already see the city that he lives in: Albany, New York. He publicly displays it on his profile.

Albany is not a small town, though, so the thief couldn’t have found his address from that alone.

However, remember that based on Rafael’s daily posts, one of which included a photo of his new house and some cash, the thief knew what the house looked like. He also got further confirmation of the city thanks to the addition of the geotag on the photo.

The thief can now easily search for the house on Google Maps if Rafael’s house number is visible. The thief also has further confirmation of his location, because Rafael left a geotag stating that the photo was taken in Albany, NY.

But even if Rafael hadn’t posted a photo of his house on Instagram, the location of his house would still be findable. When showing off his new e-bike, Rafael also showed what his backyard looks like, which can be identified using Google Earth and Google Maps in combination.

And because Rafael’s Instagram page is public, the thief can easily see who comments under his posts. One of Rafael’s friends/followers, “Foxyfox”, indirectly exposed an important bit of information by revealing that Rafael lives close to “Berkeley park”. This considerably helped the thief to further narrow down the house’s exact address.

It’s also important to note that Rafael was robbed during his trip to Spain, when he was away from home, giving the thief the perfect opportunity to rob the house while nobody was there. If Rafael had not posted about the trip, the thief might not have taken the chance to rob his house.

Fortunately for Rafael, however, the thief was better at geolocating than at escaping the police, and was caught pretty quickly. Rafael got all his stolen items back, including his precious e-bike.

Through this fictional story, I wanted to demonstrate how easy it is to overshare on social media, and how even seemingly unimportant information (like a picture of a backyard) can be used by malicious actors to do harm.

Now this leaves us with the question: how can we not be like Rafael and stay safe and secure online?

7 Steps to protect your identity and privacy online:

Think in business terms:

Social networks are free because you are the product, as they say.

So unless you are actively making money out of your online presence, why should you set your profile to be publicly visible?

Your information is precious, and as such, should stay private. You can always send it to people you meet or add them as friends/followers.

As we’ve seen in our previous article, a lot of personal data is already online nowadays, so unless you are an influencer or a celebrity (or searching for a job on LinkedIn), there is no need to make all that extra information available to all.

Separate work from fun:

Choosing the same handle across work-oriented platforms, social media and dating apps makes it very easy to find you and uncover your personal tastes and preferences. This can have many unpleasant effects, from awkward conversations with your boss to malicious actors using that information to perform social engineering attacks.

Similarly, be mindful of the content you choose to engage with, and make sure your activity is only visible to you and your contacts. Your involvement in groups and pages can easily reveal your location (“you’re from… if” on Facebook for example) or some other personal information that you may wish to keep to yourself or your inner circle of friends (subreddits, Facebook groups, etc.).

If you have to use social media for work, as a marketing specialist, community manager or business owner, create a dedicated account that will manage your professional groups/pages.

Use one profile picture per platform, and make it private:

By using the same profile picture on all platforms, you make it easier for anyone to identify you, even if your handle is different.

In our previous article, we mentioned reverse image search and how it can help you find similar images or identify a catfish. The same can be done to identify you if your profile picture is visible to the public.

For extra security, you should use an avatar or a back picture on platforms where you want to remain anonymous. Facial recognition tools have become quite powerful, and it is already possible for some search engines to identify a person from two different pictures — see this article from Bellingcat on Russian search engine Find Clone, which does just that for people who have an account on VK (Russia’s equivalent to Facebook).

Think twice before sharing:

Once you post a picture, you can never know what will become of it. You may have posted it for a few select people, but someone can always share it further.

Privacy is a very personal concept, so don’t assume that everyone will behave as you would. Instead, have a good conversation with your friends about it, and make your opinion known.

When doing group activities, keep in mind that it takes only one person to share a picture for it to potentially spread on social media. So if you really don’t want that particular moment of your life to be exposed on the Internet, it’s probably best not to be on that group picture at all.

This is also valid for instant messaging apps like WhatsApp, Messenger or Telegram, or platforms like Snapchat. First, because no app is really 100% private and secure, in spite of what their marketing team may tell you. Second, because there is always the possibility that someone takes a screen capture, even if the image is published temporarily.

And even if your friends are trustworthy, respect your privacy and don’t share what you send them, there is always the possibility that their accounts or devices (and all pictures stored on these) get hacked!

So be cautious and accept that if you post something, it can potentially be seen by anyone.

Think twice before sharing (#2)

For the same reasons, don’t announce your vacation plans and dates on social media, and make a habit of not advertising your location when you post: as we have seen with Rafael, this could make you an easy target for burglars.

When using WhatsApp, Messenger, Telegram or another instant messaging app, avoid revealing your location inadvertently by making sure the EXIF data is erased. Download ExifTool to do that from your computer or, even better, don’t add EXIF data when you take pictures from your smartphone: access the camera app in the Settings menu, and prevent it from accessing the location service.
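To show what “erasing the EXIF data” means at the file level, here is an added example (not part of the original article) that walks a JPEG’s segments and drops the APP1 blocks where Exif and XMP metadata, including GPS coordinates, are stored. The function names and the sample bytes are assumptions made for illustration, and it handles JPEG files only.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"

def strip_metadata(jpeg: bytes) -> bytes:
    """Return the JPEG with Exif and XMP APP1 segments removed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:      # fill byte before a marker: keep it, move on
            out.append(0xFF)
            pos += 1
            continue
        if marker == 0xDA:      # start of scan: pixel data follows, copy the rest
            return bytes(out) + jpeg[pos:]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segment = jpeg[pos:pos + 2 + length]
        # APP1 (0xE1) carries Exif (GPS, camera, timestamps) or XMP metadata
        is_meta = marker == 0xE1 and segment[4:].startswith((EXIF_HEADER, XMP_HEADER))
        if not is_meta:
            out += segment
        pos += 2 + length
    raise ValueError("truncated JPEG (no start-of-scan marker)")

def carries_metadata(jpeg: bytes) -> bool:
    """True if stripping would change the file, i.e. Exif/XMP is present."""
    return strip_metadata(jpeg) != jpeg

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JPEG segment structure only, not a decodable photo.
FAKE_EXIF = EXIF_HEADER + b"GPS position (constructed payload)"
SAMPLE = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, FAKE_EXIF)
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE)
    print(carries_metadata(SAMPLE), carries_metadata(cleaned))
```

Running `carries_metadata` on a photo before sending it is a quick check that the camera or an earlier cleaning step really left no location data behind.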

Erase your footsteps:

When you stop using a service or an application, don’t just uninstall it from your phone/computer, but actually take time to erase your account.

If you want to keep the account nonetheless, erase all important information from your profile (banking details or personal address for example) and make sure it is protected by a strong password and if possible, multifactor authentication — see our “Bonus tip” below. Last but not least

When it comes to private data, less is more

When you register for a service, a social network or an application, always remember that no platform is immune to hacking. Once your data is on a server, you will have no more control over it.

Assume that everything you provide could be leaked, and think in terms of risks/benefits: should that cooking app really know your date of birth, gender and personal address? Is it really worth it? Compare services, and try to favor applications that are less demanding in terms of personal information. If you really must use an application or service, consider using fake information to avoid giving out too much of your personal information.

Bonus tip: Use a password manager and add multifactor authentication:

When you create a new account on social media, make sure to use a strong password that’s made up of letters (lowercase and uppercase), numbers and special characters. Because remembering it by heart should be close to impossible, you can use a password manager like KeePass or 1Password to manage all your accounts and passwords in a single place.

For extra security, add a second method of authentication to log into your account. This usually takes the form of a code that you receive either by SMS or even more securely, through a one-time password application on your smartphone. This option can be added in the “Settings” menu of your social media account, but note that it is not available on all platforms.

Extra resources to explore:

Protecting your privacy and staying safe on social media:

SOCMINT Investigation Tools for OSINT practitioners:


RoddyT3ch

Cybersecurity Professional and OSINT & Tech Enthusiast