This week in the OSINTEditor Sunday Briefing, how to turn a game into an OSINT tool, the InVid tool to fight disinformation, PLA airbase construction, and Grifthorse, the fleeceware campaign that keeps on grifting.  

WeVerify: InVid

Creating disinformation is relatively easy: find a dramatic video, copy and paste that video out of context and give it a viral narrative. Sometimes these videos are relatively easy to debunk by finding the original source. However, researchers often only catch these videos after thousands of eyes have been on them; thousands of eyes which will not believe, or even see, the debunking. Videos that mix different details, or that use an obscure video not previously uploaded anywhere, can be more difficult to debunk.

InVid is a tool which streamlines the debunking of dis-contextualised videos while also drawing on video rights and extracting metadata to identify who the original owner of a video might be. To repeat an often-discussed theme, that metadata is helpful for establishing disinformation network analysis by identifying the original video owner. The tool also captures keyframes from a video and will reverse search those images on multiple search platforms to determine if the video is being repurposed, or where else it might appear.

InVid can contextualise and analyse YouTube, Facebook, and Twitter links. For those who are just beginning to use the tool, the Assistant page will offer suggestions for the best tools to analyse a link. For educators, there is even a classroom function that supports the teaching of digital literacy, with games to teach students how to identify mis- and disinformation!

InVid is a project of the European Union's Horizon 2020 research programme. For full disclosure, some tools are locked behind a researcher wall. There is no charge for these tools, but they are closed access for now. As part of a professional training course, the teams at WeVerify and the Knight School of Journalism offered the research tools to students. I do not have any beneficiary affiliation with these institutions.

Pokémon Go! OSINT by Sinwindie from SecJuice

There is a joke to be made here about Detective Pikachu, but I will let someone else make it. Although Pokémon Go! is now an older game, it is still very much played across the globe. Certainly COVID-19 has also halted the progression of play. Yet this two-part series from Sinwindie is an excellent resource on how to exploit Pokémon Go!, and other such games, for OSINT.

The investigation techniques in the first article are more for professional and business OSINT matters, not generally for the public. Even in the OSINT world, there are not too many reasons a researcher needs to know someone’s general gaming or movement habits. This may, however, be beneficial for investigators searching for missing persons (see TraceLabs for more on this type of OSINT). Augmented Reality games offer an in-depth look into people’s screenshots and movement history. End-users do not readily treat these as security concerns (although they should). The second article details more user interaction that may cross certain OSINT ethical lines. Despite the interaction, the article is still very effective at highlighting potential security concerns, and how to tap into interactive social games.  

GriftHorse: The Android Fleeceware Campaign that has Stolen Millions (and counting)

GriftHorse is a newly identified form of mobile fleeceware – a type of malware that signs the user up for a subscription and continues to charge their credit card after the user deletes the app – that has plagued European markets for nearly a year. Fleeceware apps commonly hide as utility apps on the Google Play store, as well as third-party app stores (they are a problem on Apple, but stricter store guidelines have prevented proliferation of fleeceware). A user will install, for instance, a ‘calculator’ app. The GriftHorse malware then sends a pop-up notification from the app to the user for a ‘prize’ that must be redeemed ‘immediately’. The notification re-directs the user to a website where they will input their phone number for verification; instead, this service charges their number for a premium SMS subscription service that runs around 36 Euros a month.

This campaign has targeted thousands of victims and stolen millions of euros. The campaign was global, and ran in over 70 countries, making particularly efficient use of language. The redirect URL uses geolocation to determine which language should be displayed, lending credence to a social-engineering trick that often fails because of poor language localisation. The screenshots are well designed and colourful, without the unnecessary frills or large letters usually associated with ‘scams’. No ‘feature’ of the Android or Google device is exploited; the fleeceware runs a social-engineering trick and hacks the human.

Source: Zimperium

The most concerning part of this is that Zimperium identified 200 apps used in this campaign, most of which went unidentified as fleeceware by Google (a full list can be found within the Zimperium blog). Many are still present on third-party app stores. The infrastructure is telling of how efficient and ‘credible’ scams have become. The scammers localised the apps, taking advantage of translators, ‘simulator’ type games, photo editors, religious apps, and even credible brands such as the Forza car-racing games and KFC. Although no ‘advanced’ malware is used, the time spent localising these features and app displays (many of these apps do not even have functionality) is a step up for fleeceware trojans. These campaigns have been a persistent problem over the past two years, and prey on game apps that may get unwitting kids to subscribe and charge their parents’ credit card hundreds of dollars a month. Google has taken steps to cut down on fleeceware, and is generous with refunding, although that step requires users to pay attention to their credit card bill.  

Fleeceware is not exactly disinformation, but it preys on many of the same vulnerabilities that disinformation does. While GriftHorse might seem unrealistic and an immediate alarm to many, the trick of hiding it in ‘utility apps’ relies on lowered awareness. Utility apps are often not needed until someone needs a very specific app in an urgent situation; sending them a scam notification in this inattentive state of mind is where the trick lies. Furthermore, elderly people or teenagers may not be aware of the prevalence of fleeceware, or of how unrealistic it is for their calculator app to give them a prize. Tragically, GriftHorse also targeted poorer countries where a 36 Euro charge on a phone bill could be devastating. These countries, where smartphone usage is becoming more standard, have not been equipped with digital literacy or cyber hygiene education. Widespread, global, and thorough education on digital literacy must become standard practice to help halt digital crimes and disinformation.

The Construction of Longtian, Huian, and Zhangzhou Airbases by Detresfa_ on The Drive

This is the part of the article where I usually share a classic map highlighting neat geography. Instead, there is another important article from The Drive by OSINT analyst Detresfa_ to share. The image below from The Drive highlights construction on three PLA Airbases across the Taiwan Strait. The article details in full the construction on the three airbases and is a stark revelation of the steps that Beijing is taking to build up a military presence and aggression towards Taiwan.

Source: Detresfa_ via The Drive