2019-08-23-DEFCON27-SEVillage-RideshareOSINT

Rideshare OSINT - Car Based SE For Fun & Profit

Edward Miro – NorCon 4 – August 8, 2019


SLIDE 1

Introduction

Hey DEF CON 27. How are you? My name is Edward Miro and I’m gonna present a talk to you all today called “Rideshare OSINT - Car Based SE For Fun & Profit”. Before I get into the talk I first have to thank a lot of people back home in Chico CA: Linda Fischer and Butte College who sponsored my trip here, Wendy Porter and ChicoStart for supporting tech, cyber security, and entrepreneurship on a grassroots level, the DC530 crew and everyone involved in NorCon, Chico’s own hacker con that we’ve had for 4 years now. And of course DEF CON, the SE Village and everyone at Social-Engineer.com/org/gov. I’m honored to be able to introduce myself to this audience, at this con, and share some of the projects I’ve worked on, my voice and experience in INFOSEC and IT.

SLIDE 2

Like many of you, I have been in the world of hacking since the mid 90s. I was that teenage script kiddie running Sub7 on his helpless neighbors. Making people’s CD-ROMs open randomly and making system dialogues that said “boner alert”. You know, really elite shit. I did go to tech school in 2001 and in 2002 I got my associate’s in computer networking and information systems. My first tech job was doing dial-up tech support for Earthlink and since then I’ve spanned the full spectrum of IT work from retail based repair shops, wireless internet service providers, a few managed services providers and most recently I have begun my new quest into freelancing.

I also started hosting my own podcast and YouTube channel called the Sudo Social Club and in it I talk about basic cyber security concepts, awareness and sometimes dabble in CTFs or crypto challenges. Last time I checked I have 15 subscribers on YouTube, but I’m not really doing it for that and it’s mainly to motivate me to keep learning, keep practicing and getting better. And to try to share what I’ve learned and give back to the community.

I was also a mentor and judge at Hack Davis 2019 and even got to run a lockpicking workshop which was a lot of fun and the kids loved it. I was also a speaker at NorCon 2 and 4 back home. My first time speaking was pretty cringey. I still remember being fully aware that I was having a panic attack for the first 3 minutes or so and narrating it to the audience. Thankfully all video evidence was lost in the great Chico hacker beef of 2017 so nobody will ever see my shame. That talk at NorCon 2 was on vehicle based surveillance and I was the guy that found the local FBI office and tried to interview them. I just figured maybe nobody had tried that before and a wild hacker appearing at their office might throw them for a loop. They came on the intercom and seemed so confused that some rando was ringing their doorbell. I also did some rideshare work before I started freelancing.

SLIDE 3

At this point you might be asking yourself: “If you’ve got almost 20 years of IT experience and all these accomplishments, why did you drive for a rideshare service?” Well, some people even with full time jobs will drive on their time off to make extra cash. Personally, I had recently left a career as a federal contractor doing vehicle forensic research that really didn’t make me happy and doing rideshare was a way I could help make ends meet until I found my next thing. And I just want to clarify that driving for Uber or Lyft isn’t that bad. If you keep your car clean, have the social awareness and aptitude to not be super awkward, and are willing to get up early and put in the hours, you can make enough money to survive. I worked for a WISP a few years ago and made minimum wage being up on sketchy roofs installing CPEs in the rain, so sitting in my comfortable car socializing with interesting people is kinda hard to shit on, in my opinion.

So that’s me in a nutshell, where I’m at and how I got here. Now I want to lay out a few definitions, some of the methodologies I used and the ethical considerations I embraced.

Chico is a small town. If you used Lyft from December 2018 to February of this year, there’s a really good chance some of you who might see this talk were my passengers. I just want to state a few things on the record:

I did not record any interactions. Audio or video. Any notes I took were completely anonymous and I never documented any PII. Honestly I only tried documenting data such as “talker”, “non-talker”, “duration” at first, but it became super clear early on that there really isn’t anything more interesting than the positive correlation between talkers and tipping. Simply put: riders who are more social and talk tend to tip better, so you awkward drivers might wanna rethink your approach.

All interactions I had with my passengers were 100% authentic and organic. This is the main reason I wanted to write and present this talk because I wasn’t really employing any “techniques” other than just being a nice and friendly guy who can hold a fun conversation and random strangers were sharing sensitive information with me. If you were one of my passengers and we had a fun and interesting chat, it was real. And I only wrote this talk as an observation of how much personal and private information riders will share in this environment and how this could be weaponized.

I don’t really know why this phenomenon is a thing. I’ve asked on Reddit and am not even sure other drivers experience this also or if it’s just me, but I kinda doubt that. Any psych people in the audience please come find me after the talk and give me your hypothesis. I tend to think people feel like the app based nature of the interaction makes it mentally bleed into some grey area of the anonymous nature of the internet and since repeat riders are usually rare, they feel safe sharing and I imagine most passengers or even many in this audience have not considered that a hacker or someone with ulterior motives could be using a ridesharing app. Hopefully I can change that with this talk.

SLIDE 4

I learned everything I know about how to utilize and be aware of social engineering through the books of Chris, the podcast is awesome too, and these books. One thing I realized when reading these books was they all seem to start from an implied foundation of comfort and ability to socialize with other humans. These techniques aren’t magic and if you have trouble with conversation and interacting with people they aren’t going to be a magic bullet.

I definitely don’t consider myself an extrovert. Speaking up here today is a fun challenge, but in one on one or small group interactions I consider myself highly capable.

Most of my youth and young adult life I was very shy. It wasn’t until I started college and took public speaking and a handful of other communications classes that I discovered I had it in me to be socially able. I even did a few plays and participated in student government and got fairly comfortable with public speaking.

To go back to what I said previously about most of the books and content about social engineering starting at the unstated presumption that you have basic social skills: what do you do if you don’t have that? I know so many other people who work in IT or security who haven’t had the opportunities I had and books on SE can overlook the starting state of a percentage of its readers.

SLIDE 5

My advice is to read the book: How to Win Friends and Influence People by Dale Carnegie. Originally published in 1936 and now in dozens of editions, this is one of the best selling books of all time and the go-to book to get these skills.

And the best part to me is that it isn’t about being manipulative or about being fake or conning people. Here are the bullet points for six ways to make people like you:

SLIDE 6

Become genuinely interested in other people.
Smile.
Remember that a person’s name is to that person the sweetest and most important sound in any language.
Be a good listener. Encourage others to talk about themselves.
Talk in terms of the other person’s interests.
Make the other person feel important – and do it sincerely.

And I know that these skills will be easier for some and harder for others. I studied anthropology in community college and human beings are genuinely interesting to me. But I know some of you are thinking: “But I hate humans”. It might be harder for you, I get that, but try. Every person I’ve met has had something interesting to teach me, or interesting experiences in their lives. You just have to listen. Most of us here love the internet because it’s an unlimited resource for our curiosity and desire to learn. The people you bump into during your daily lives can be that too.

So this is all I’m going to say about socialization skills. Check out the books and podcasts I mentioned to learn more and get started yourself.

SLIDE 7

Practicing Social Skills via Rideshare Driving

So when I started driving I knew I needed to make it work until I found a new job or better way to make money so I had a few rules I always followed. I have used Uber and Lyft for years and there are things I do and don’t like that other drivers do. I don’t like when a car is dirty or smells funky or like smoke. I got a car wash membership and that’s an easy solution. I don’t like when drivers aren’t GOOD drivers so that’s another easy thing to do. And lastly I hate when drivers lack social awareness. And that goes for both ends of the spectrum. Sometimes I just want to ride and not talk and I get someone who won’t take a hint and leave me alone, or I’ll be feeling friendly and I get someone who is awkward and won’t talk to me. The way I see it is if the passenger is paying for the ride, they should get the level of comfort they desire. I assumed most people wouldn’t be talkative once I started driving and I couldn’t have been more wrong. Even passengers who weren’t overly chatty would at least expect a little small talk. It was a rocky start since I hadn’t realized that I lost all my social skills gained when I was younger.

Getting it back wasn’t that hard to do honestly. Using their name when they get in not only helps them confirm they are in the right car, but also feel appreciated. I smiled and had a few canned ideas on questions to ask: What’s your major? What do you do? Are you from here? I see you have [personal item], tell me about that. I’ve had some amazing conversations with random strangers during my time doing rideshare. Socializing is cool guys.

To sum up this section and finally make my point: if you want to learn social engineering you need to be comfortable and confident at socializing and dealing with humans. Doing rideshare is a great way to get a ton of social interactions quick and can be a wonderful laboratory to hone those soft skills.

Now being the type of guy who speaks at hacker cons and reads shady books on SE, I see security threats in many aspects of life that the standard users don’t. It took me all of a week before I realized something interesting was happening here. That’s what makes us hackers right? We see patterns, flaws, vulnerabilities. Different and unintended ways of using a thing. How to use a system against itself. And how it could be used against us. So I started experimenting.

SLIDE 8

Weaponizing Rideshare SE

So let’s say you’re the kind of person who wants to gather some intel on a particular company or person. How do you use ridesharing as a potential vector? I see this as being divided into two main paths: passive and active.

Passive:

Passive intel can be gained just by driving for a rideshare company and being aware of its potential. If you are friendly, and provide a comfortable environment for your passengers they will share sensitive information. Especially if you speak their lingo and have some insider knowledge. There are probably half a dozen BIG tech companies where I live and as a driver I learned to pick them out based on the destination address and a great opener goes something like “Oh, based on that address you must work for…” It also really helps to drop a name or two and like most tech people in my town, I probably know someone currently at or at one point at most of the tech companies there.

When I originally had the idea to write this talk, I decided that dropping names was kind of unfair scientifically, but then I revised that because any social engineer with basic skills will have done their OSINT and be able to drop names.

I’ve had passengers from all levels of the corporate ladder. From facilities staff to executives. If you know tech and have a passion like they do the conversation flows so easily. And it’s not like telling a random Uber or Lyft driver what software you use at work or the latest gossip is going to hurt right?

I’ve had multiple passengers tell me more about their medical conditions than I even wanted to know. I’ve had passengers tell me their criminal histories or why I was dropping them off at a lawyer, or why they can’t drive. I’ve had people tell me about their relationships. I’ve heard people having conversations in my backseat about their infidelities, or things they’ve done to betray their friends. I had a passenger once invite me in his apartment to do, and I quote, “a shitload of cocaine”. Some people invited me to bars or restaurants they’ve worked at or wanted to exchange info to become friends.

And I’m just this random guy. All I’m doing is being nice and friendly, speaking their lingo and being interested in them. What if I was a bad guy? Do you think people are telling me things I could use against them?

Active:

So on the other end of the spectrum let’s say you want to take it to the next level. For active intel an attacker could exploit the location based matching nature of ridesharing apps to implement strategic staging for targeting specific companies or individuals. Phew!

If my car is the closest one to you when you request a ride, there’s a 99% chance I’m going to get you. If I were going to employ this against an individual I would do OSINT and find out how they use ridesharing. Some people use Uber or Lyft to go to work every morning and home at the end of the day. Some people use them when going downtown on the weekends. If you can identify the target’s pattern then you can almost guarantee you’ll be matched.

One thing I want to qualify is my earlier statement that repeat rides are rare. This is true for the most part, but there are exceptions. I used to drive early in the morning to catch the commuters and I had a handful of people I’d get every day sometimes. So it wouldn’t be weird to get the same person on a regular basis. You could always have the pretext that you live a block over or something.

The same thing could be applied to specific areas of interest. If I parked out by our airport and waited, the chances I’d get someone with something interesting to me would be way higher than average. Chico has only a few main tech/industrial sectors you’d have to focus your attention to be successful. And like in individual targeting, if you have a specific company, park nearby and you’ll get lots of their people.

SLIDE 9

Conclusions

I asked r/askpsychology why they thought people were so open with rideshare drivers or at least THIS rideshare driver. Only one person responded, but their words were very interesting. Here’s my original post:

SLIDE 9b

Why do my Lyft passengers share so many personal details with me?

It feels like many of my passengers share so much sensitive information with me. I’ve heard about people’s medical problems, criminal histories, romantic lives. Is there something about the driver/passenger relationship that makes people feel comfortable or that the interaction feels anonymous so they can be more free? Thoughts?

So yeah I didn’t mention anything about SE or how I try to implement what I’ve learned from Dale Carnegie, but check out this response:

SLIDE 9c

When you step back and think about it, you have many qualities of a good bartender. It’s a temporary, friendly, paid, trusted relationship which is about satisfying an immediate need. But it is even more than that. There must be something about you that gives off a positive, listening vibe to your passengers. I know when I get into a car if the driver wants to be social or not. You might enjoy being social. There is something about your sincere connection to your passengers which allows them to exhale and to open up. You have an empathetic ear that makes people feel safe.

Such basic principles and techniques to enhance social encounters can have profound implications. I don’t think there’s anything innately special about me when it comes to SE, other than the fact that as a shy teenage hacker, I’ve always been cognizant of the value of having these skills. If I can learn this stuff, I think almost anyone can.

Obviously the biggest takeaway I’m hoping for here is awareness. I love that people are friendly and amenable to small talk, but you shouldn’t assume any of your interactions are anonymous. I’m not saying we should be rude or like Ron Swansons, but there should be a line.

If you’re a high value target keep in mind that that repeat driver you keep getting might not be a coincidence.

SLIDE 10

One Last Story

Before I close out my talk, I just want to tell another story that happened to me, well two stories with different endings, but it shows a different side of this coin. I am a big believer that SE doesn’t have to be inherently unethical or immoral. Yes, during a pentest you are trying to get someone to do something they shouldn’t or allow you access to somewhere you don’t belong, but if we can do it in a way that leaves them feeling positive about the interaction, then that is preferable. And sometimes it’s fun to help someone avoid a scam.

During my time with Lyft I was driving a passenger when she asked me offhandedly if I’d ever sent a Moneygram before. I told her I had and asked curiously why she wanted to know. She explained that she was very excited to be adopting a puppy from online and she needed to send $350 to the service that ships pets across the country. This immediately caused my hacker-sense to start tingling so I probed a bit more about the transaction.

I asked if she had spoken to the seller on the phone, and she said she hadn’t. I said that seemed weird, but she assured me that the seller said it had to do with her religion. I’m not claiming to be an expert, but I wasn’t aware of any religious prohibitions to speaking on the phone that also allowed using Craigslist, but okay. I told her that that seemed a bit fishy to me. She asserted that she thought it did too at first, but she knew it was legit because she wasn’t sending the money to the seller, it was being sent to a third party pet transportation company that the seller had had contact her. She even showed me the website of the company on her cell phone, which to be blunt, to my eyes looked extremely janky. I asked her if we could sit for a few minutes and take a look at a few details before she sends anyone any money. She agreed but really REALLY wanted this puppy.

The first thing I asked to look at was the emails back and forth from the seller. I checked Google and all other major social media sites for the seller’s name. No matches. Couldn’t Google the seller’s email address due to the Craigslist email relay system. This in and of itself might be okay, we all use pseudonyms online sometimes and Craigslist is a site you might not wanna use your real name. Fine.

She then showed me the email thread with the shipping company.

The first strange thing I noticed from the emails was the link to the pet shipping company. The name didn’t match the URL in the link. You’d think a business would be able to get their own name right. I also saw that if you Googled the name given by the shipper, it’s extremely similar to a legitimate pet shipping company and indeed that legit company comes up as the first site found due to Google “fixing” our query. When you go to the link in the email however, the site itself was terrible to my eyes, but not to my client who is not as seasoned as I am at catching these kinds of scams. I also showed her that the “company” didn’t have any social media presence. At all. No Facebook, Twitter, anything. Also the email address that was contacting her was reallylongcompanyname@outlook.com

She also told me she had spoken to the shippers on the phone and I asked if she still had their number. She did, but she told me she couldn’t ever get through when she called them and they’d always have to call her back. I asked for the number and called it on my phone. It was a Google Voice number! Not only that it was set to screening mode. You know the one where it says: “Hi, the person you’re calling is using a screening service from Google, and will get a copy of this conversation. Go ahead and say your name, and why you’re calling.” She also told me when he did call her, he was rude and tried to get her to hurry up and send the money. I told her I was 100% confident this was a scam and I advised her to not go through with the deal.

At this point she was extremely unhappy, but felt it was still a legitimate transaction because she had pictures sent to her of not only the puppy, but of the puppy in the shipping crate at the shipping company waiting for payment to be shipped. She explained that it’s not like it was a person trying to sell dogs or from a puppy mill. It was a lady giving it away for free and the money was for the shipping. She just didn’t see why a scammer would go to the trouble of doing that and felt the pictures were authentic. I asked her to save all the images to her device and then showed her how to do reverse image searches. Before she did it, I asked her if she agreed that if this wasn’t a scam those pictures wouldn’t exist anywhere on the internet. She agreed and each of the pictures was found at least 9 other places online. Her heart sank and she didn’t have any further rebuttals to my concerns. She knew it was a scam and I just saved her from losing at least $350. Not to mention that the scammer would have also asked for more money later for “shots” and “insurance”. Who knows how far they might have gotten.

SLIDE 11

So here are the main red flags:

Seller wouldn’t talk on phone
Seller name didn’t seem legitimate
Name of shipping company didn’t match URL in email
Googling company name shows close match with legitimate company
Company website very poorly designed and implemented
Company has no social media presence
Email address of contact at company using generic email address and not a legit domain
Contact at company could only call her and she was never able to make inbound calls
Phone number of company was Google Voice number
Reverse image searches showed “proof” photos unoriginal
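
Three of these red flags (generic email address, company name not matching the URL, name nearly identical to a legitimate company) can be checked mechanically. The Python below is an added example, not part of the original talk. The company names, addresses and URLs are constructed, the 0.85 similarity threshold is an assumption, and it expects a plain-text, single-part message.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Consumer mailbox providers (illustrative list, not exhaustive).
FREE_MAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}


def squash(text):
    """Lowercase and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def host_label(url):
    """Hostname without 'www.' and without its last suffix.
    Naive on purpose: multi-part suffixes such as .co.uk are not handled."""
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host.rsplit(".", 1)[0]


def red_flags(raw_message, claimed_name, known_legit_names=(), threshold=0.85):
    """Return the red flags found in one e-mail from a claimed company."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    name = squash(claimed_name)
    flags = []

    # Contact writes from a generic mailbox instead of a company domain.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() in FREE_MAIL:
        flags.append("free-mail sender: " + addr)

    # Company name does not appear in the host of a link it sent.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if name not in squash(host_label(url)):
            flags.append("name does not match URL: " + url)

    # Name is nearly, but not exactly, that of a known legitimate company.
    for legit in known_legit_names:
        ratio = SequenceMatcher(None, name, squash(legit)).ratio()
        if name != squash(legit) and ratio >= threshold:
            flags.append("lookalike of: " + legit)
    return flags


# Constructed sample messages; every name, address and URL is made up.
SCAM = (
    "From: Happy Paws Pet Movers <happypawspetmovers@outlook.com>\n"
    "Subject: Your puppy is ready to ship\n"
    "\n"
    "Pay today at http://hapy-pets-delivery.example/pay to release the crate.\n"
)
CLEAN = (
    "From: Dispatch <dispatch@happypawpetmovers.example>\n"
    "Subject: Quote\n"
    "\n"
    "Your quote: https://www.happypawpetmovers.example/quote\n"
)

if __name__ == "__main__":
    for flag in red_flags(SCAM, "Happy Paws Pet Movers", ["Happy Paw Pet Movers"]):
        print(flag)
```

The remaining flags on the list (phone behavior, social media presence, reverse image search) still need a human to check them.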

SLIDE 12

A few of the tricks used by the scammers in this scam to make it more successful:

Listed as adoption versus a sale to alleviate concern
Handed off to “second party” to build legitimacy
Use cute puppy pictures to appeal to emotion and overrule suspicion
Counted on target not paying attention to detail
Shipper established a sense of urgency

She was thankful and I told her to be very careful when anyone from online ever asks her to send money. I told her in all likelihood this was probably one person the whole time, hence why the person adopting out the dog “couldn’t talk on the phone”. They were also probably not even in this country as we know many of these scams aren’t. She did say that the shipper’s English wasn’t good. I also told her to make sure she shares this experience with all her friends and family and not to be embarrassed. I always feel the best way to handle someone getting caught in a scam is to be on their side and never shame them. We are all susceptible to scams and social engineering and the best way to proceed is to empower them to share what they’ve learned. I also sent her a link to an article on the BBB site about these very types of scams and she was shocked how similar her experience was to the ones explained in the article.

Funny thing is a couple weeks later I had another rider that started telling me about the munchkin cat she was buying from online so I asked her all the same questions and it was beat for beat the same story. This time it was even more obvious because not only were the pictures stolen from other sites, but they were straight off Shutterstock.com. She even called the shippers on speakerphone to prove me wrong and the guy who answered said: “Oh those are the other sites stealing OUR photos.” Yeah buddy, Shutterstock is stealing your photos.

Unfortunately she was already partway into the scam cycle and had already sent them money. I suspect when I mentioned how they’ll be asking for more for “shots” and “insurance” the look she gave me probably means she’s further into the scam than she wanted to admit. She got out and still didn’t think I was right. This is the sunken cost fallacy at work here. Well a couple days later she reported a lost item through the rider app so she could send me this text:

SLIDE 13

You were right. They took me for $800.00. How much to send them a virus?

SLIDE 14

Closing

I know these last two stories had less to do with the actual rideshare aspect, and more about SE awareness, but I just wanted to demonstrate that we can use our INFOSEC and SE skills for good in random interactions. I took a few minutes out of my day to show these people how to see the red flags that I saw, how to do a simple reverse image search. Now they will probably show everyone they know what they know and these small acts from us can go a long way to make the world safer. It’s why you should never fire an employee that fails a phish or pen test. That person will go on to be so vigilant after that experience and tell everyone about it.

Plus stories about individuals are much more impactful than numbers. I was listening to a podcast recently where the guest mentioned the power of framing and how there was an experiment where they were testing to see how framing affects how much people donate. If you showed a participant a picture of a single child, they donate x dollars. But if you show the child with a sibling, it goes down. A child with a sibling and parents, still more. A picture of a whole community? Less.

It seems counter-intuitive. Logically it is better to help the larger amount of people, right? Yes, but if you want people to care about a problem, framing is key. If you want the decision makers at your organization to care about your proposed security protocols, then you have to tell them stories about individuals. Just telling them how many hacks happen each year and slide decks with lots of numbers obviously isn’t working that well. Make it personal. Show them how it could happen to them. Even your friendly neighborhood rideshare driver might be a hacker. You never know.

SLIDE 15

Thank you very much.