CTF Open Source OSINT Tech

Trace Labs CTF 2021.2

What is the Trace Labs CTF?

Trace Labs organise regular OSINT Capture the Flag events, crowdsourcing data about missing people where law enforcement has requested the public’s assistance. Depending on the value and difficulty involved in finding a clue, they award the submitting team a different number of points. The advantage is that by creating a larger community there is more varied experience among the people researching, so data points which may have been missed by the top teams are still handed back to law enforcement. I managed to participate in the February 2021 CTF and the team ranked in the top 50 (out of 290!) despite all members being complete rookies.

Preparing for the CTF

In order to isolate the research from my machine, I went with the Tracelabs VM. I imported the nameFinder tool to streamline looking up additional sources for accounts. (I would later discover that one of its dependencies was not working as expected, meaning all hits had to be tested manually.) I cloned the VM for the CTF and called it quits on the technical side.

For the team, I found someone interested in participating at a local hacker group, a mate on the other side of the world, and then we found the 4th on the Trace Labs Slack. I got some good feedback from other participants here for last-minute prep; Heather’s feedback was particularly extensive.

During the CTF

The CTF platform allows you to see the active cases, how many flags you’ve submitted and any flags that have been rejected by the judge. Rejections will include comments from the judge explaining why it was rejected, which makes it easier to keep track and resubmit if necessary.

We used a group DM for team communications, and then added an additional group DM with our judge as soon as one was assigned to us. Our judge was particularly pro-active in their communications with us, which was very useful in guiding our research.

After the CTF

Once the CTF platform closed, the flags were counted & validated and the top teams & MVO awards were given out. After some celebration with the participants on the good work done that night, I promptly hit the hay as it had been an intense (but highly rewarding) all nighter.

Hindsight == 20/20?

In terms of personal preparation I think there is little more that I could have done between signing up & the contest, simply due to lack of experience in the field. Following this CTF I definitely feel more confident in exploring different routes and having a larger toolkit to pivot from existing datapoints.

As a team, Mon hit it on the head that having appropriate workflows in place is the way to get higher up the leaderboard. We went at it as 4 individuals, simply divvying up the cases, but without sharing the data points. I’m certain we could have obtained many more flags had we used appropriate data sharing tools. The issue then becomes, of course, trusting the sharing service not to leak sensitive data. A solution I’d like to try before the next CTF is using Obsidian MD with Syncthing to share the notes across team members.

Privacy Security Tech

Dissecting SPAM

Everyone receives unwanted messages on a daily basis. Sometimes it’s just marketing; in other cases it’s less benign. In the case of a scam or a phishing attack, the sender wants you to hand over some data (usually financial). Having recently received some unwanted but benign mail, it made sense to show what steps to follow when things seem to be a bit... odd.

Follow your gut

If a message seems to be telling you to do something urgently, makes you feel under pressure or in any other way uncomfortable, take a step back. Who sent you this email? Were you expecting it? Does it show any signs of illegitimacy? By inspecting these you can avoid most of the low-hanging fruit that makes it past your spam filters. I recently received a (benign) spam message which I’d like to deconstruct.

Who sent you the email?

The first thing to do is verify who sent you the email. Anyone can set the display name that appears in the “From” field; the email address itself takes a little more work to impersonate, and most mail clients will show you the full address if you click or hover on the name. The Authentication-Results header (SPF, DKIM and DMARC) tells you whether the claimed domain actually sent the message, if you want to dig into the raw headers. If the email is unexpected but from a known source, let them know. Their systems may be compromised and you avoided infecting your own system by verifying. Otherwise, it may simply come from an obviously fake address.

Email headers claiming to be from Spotify but sent from an unrelated account, with a pressing subject line urging me to update payment details today.

Even if the sender had managed to spoof the Spotify domain, I would still have been able to see that there was an issue, as the recipient address had never been linked to Spotify (use a password manager! they help track which address you used for which service).

Check the links

Email spoofing Spotify, stating that payment failed, with several flaws in the content.

Usually, links will point to a spoofed domain in an attempt to harvest PII or card data. Will has a great account to follow on Twitter for recent phishing and malware campaigns. In a DHL-themed example, the links pointed to the following domains (both are malicious!): sbankrf[.]ru/f4e9f0f6a5/online-gov/wikipedia/ and yoursplace[.]com/invoice.dlh.custumers-pm/ .
Given that the message claimed to come from DHL, neither of the two domains is in any way affiliated with DHL. The first URL includes “online-gov” and “wikipedia”, neither of which has anything to do with DHL either. The second URL uses a typo, “dlh”, to create the impression of affiliation, and buries it in the path, which has no bearing on which server the link actually goes to: the only part that matters is the registered domain, yoursplace[.]com.

In the case of my Spotify spam... the links pointed to Google Maps, at the address of Spotify HQ in Stockholm, Sweden. As I said, a benign message.

Check the Content

Finally, if everything seems legit but you don’t want to bother your friend/colleague/business contact just yet, check the email contents. Many scams contain blatant grammar or spelling errors; the strategy is that those people who click through anyway are more likely to also give up their banking details. Red flags in this case:

  • “Spotify New Family” -> At the time of writing, no such subscription existed.
  • “This message was sent.” This sentence is really odd. You would expect “sent by”, “sent from” or even “sent to [email address]” in order to claim the sender is legit. The sentence as it stands suggests the message was written by someone with a different primary language, rather than being one of the company’s automated messages.
  • “Terms of Use Technical requirements Contact Us” This final line, just above the Spotify HQ address, has no links to any of those pages. In a legitimate email those would link to the appropriate pages of the website or to email addresses.
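The three checks above (who sent it, where the links go, and whether the footer is actually linked) can be scripted against a raw message. The following Python is an added example written for this page, not a tool from the post. The sample message is constructed: the two suspicious hosts are the ones quoted in the DHL example (written without the [.] defanging so urlparse accepts them), while the sender address, recipient, subject and body text are invented. The brand name and its registered domain passed to analyse() are assumed inputs, and the two-label registered_domain() helper is a simplification.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real capture. The two suspicious hosts are the
# ones from the DHL example in the text; everything else is invented.
SAMPLE_MESSAGE = b"""\
From: "DHL Express" <notice@mail-updates.example>
To: victim@example.org
Subject: Action required: your parcel is on hold
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear custumer, please confirm the invoice to release your parcel.</p>
<p><a href="http://sbankrf.ru/f4e9f0f6a5/online-gov/wikipedia/">Confirm now</a></p>
<p><a href="https://yoursplace.com/invoice.dlh.custumers-pm/">View invoice</a></p>
<p><a href="https://www.dhl.com/en/express.html">Help</a></p>
<p>Terms of Use Technical requirements Contact Us</p>
</body></html>
"""

# Footer phrases a genuine corporate mail links somewhere; plain text with
# no link behind it is the third red flag discussed above.
FOOTER_PHRASES = ("terms of use", "contact us", "unsubscribe")


class HtmlScan(HTMLParser):
    """Collects every href, the text inside each <a>, and all visible text."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.link_text, self.text = [], [], []
        self._in_a = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False

    def handle_data(self, data):
        self.text.append(data)
        if self._in_a:
            self.link_text.append(data)


def registered_domain(host):
    """Last two labels of a hostname (www.dhl.com -> dhl.com). A simplification
    for this example; real code should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and the
    swap of two adjacent characters each cost 1, so 'dlh' is 1 from 'dhl'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def analyse(raw, brand, brand_domain):
    """Return (category, explanation) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Who sent it: the display name is free text, the address domain is not.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    if brand.lower() in display.lower() and sender_domain != brand_domain:
        findings.append(("sender", f"display name {display!r} but address is @{sender_domain}"))

    # 2. Check the links: every href must land on the brand's registered domain,
    #    and any label one typo away from the brand name is a lookalike.
    body = msg.get_body(preferencelist=("html", "plain"))
    scan = HtmlScan()
    scan.feed(body.get_content() if body else "")
    for url in scan.hrefs:
        host = urlparse(url).hostname or ""
        if registered_domain(host) != brand_domain:
            findings.append(("link", f"{url} points to {host}, not {brand_domain}"))
        for label in re.findall(r"[a-z0-9]+", url.lower()):
            if label != brand.lower() and edit_distance(label, brand.lower()) == 1:
                findings.append(("lookalike", f"{url} contains {label!r}, one edit from {brand!r}"))

    # 3. Check the content: footer phrases that carry no link at all.
    visible = " ".join(scan.text).lower()
    linked = " ".join(scan.link_text).lower()
    for phrase in FOOTER_PHRASES:
        if phrase in visible and phrase not in linked:
            findings.append(("content", f"{phrase!r} appears as plain text with no link behind it"))
    return findings


if __name__ == "__main__":
    for category, why in analyse(SAMPLE_MESSAGE, "DHL", "dhl.com"):
        print(f"[{category}] {why}")
```

Run against the sample, the script flags the mismatched sender domain, both non-DHL links, the “dlh” lookalike in the path, and the two unlinked footer phrases, while the genuine dhl.com link passes. The lookalike test deliberately scans the whole URL rather than just the host, because the typo in the DHL example sits in the path where it only serves to fool a human reader.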

What to do after the fact?

Any of the above checks should give you enough evidence to decide whether a message or its sender is legitimate. This leaves four possibilities, which can be trimmed down to two:

  • Sender is legitimate => contact the sender (through a channel you already trust, not by replying) and verify they intended the message for you.
    • If it did not come from them, proceed as though the sender is not legitimate.
  • Sender is not legitimate => flag it as spam.

In a corporate environment, it’s also worth informing your IT/security department so that the malicious domains can be blocked and your colleagues better protected.