Rideshare OSINT - Car Based SE For Fun & Profit

Edward Miro – NorCon 4 – April 13, 2019


SLIDE 1

Introduction

Did any of you see my talk at NorCon 2 a couple years ago? If you did you’ll remember that the subtitle of that talk was “Watch me have a panic attack and meltdown. Live on stage!” I was literally watching myself stammer and sweat from the 3rd person perspective for over 5 minutes, but it felt like time had stopped. Once I got into the flow of things I have been told the talk was good.

That talk at NorCon 2 was on vehicle based surveillance and I was the guy that found the local FBI office and tried to interview them. I just figured maybe nobody had tried that before and a wild hacker appearing at their office might throw them for a loop. It did not.

SLIDE 2

My name is Edward Miro and I’m gonna present a talk to you all today called “Rideshare OSINT - Car Based SE For Fun & Profit”. Before I get into the main content of my talk I just want to introduce myself, share some of the projects I’m working on, my experience in INFOSEC and IT. I will be setting aside time at the end for Q&A so if you have questions during the talk, please save them for the end and I’ll do my best to answer them for you then. Also thank you to DC530, ChicoStart, Idea Fabs Labs and all the sponsors. Your local hackers appreciate you.

I have been in the world of hacking since the mid 90s. I was that teenage script kiddie running Sub7 on his helpless neighbors. Making people’s CD-ROMs open randomly and making system dialogs that said “boner alert”. You know, really elite shit. I did go to tech school in 2001 and in 2002 I got my associates in computer networking and information systems. My first tech job was doing dial-up tech support for Earthlink and since then I’ve spanned the full spectrum of IT work from retail based repair shops, wireless internet service providers, a few managed services providers and most recently I have begun my new quest into freelancing.

I also started hosting my own podcast and YouTube channel called the Sudo Social Club and in it each week I pick a vulnerable VM, crypto-challenge or CTF to work through. I make zero monies from it and last time I checked I have 6 subscribers on YouTube, but I’m not really doing it for that and it’s mainly to motivate me to keep learning, keep practicing and getting better. I just started getting into web app hacking and I’ve already learned so much. Also doesn’t look bad on the old resume.

I was also a mentor and judge at Hack Davis 2019 and even got to run a lockpicking workshop which was a lot of fun and the kids loved it. And like I said in my opening, I was also a speaker at NorCon 2 right here at the Idea Fab Labs. Thankfully all video evidence was lost in the great hacker beef of 2017 so nobody will ever see my shame.

SLIDE 3

At this point you might be asking yourself: “If you’ve got almost 20 years of IT experience and all these accomplishments, why did you drive for a rideshare service?” Well, some people even with full time jobs will drive on their time off to make extra cash. Personally, I had recently left a career as a federal contractor doing vehicle forensic research that really didn’t make me happy and doing rideshare was a way I could help make ends meet until I found my next thing. In a way it has led to an unexpected outcome because it has shown me that I can be independent, and now that I’ve started freelancing I haven’t had to do rideshare work anymore. I’ve always dreamed of being my own boss and I’m that guy who always has business ideas I’m pitching to people around me to try to escape the rat race, or some crazy idea that I have, but never fully going for it. This showed me I can do it. And I just want to clarify that driving for Uber or Lyft isn’t that bad. If you keep your car clean, have the social awareness and aptitude to not be super awkward, and are willing to get up early and put in the hours, you can make enough money to survive. I made minimum wage being up on sketchy roofs installing CPEs in the rain, so sitting in my comfortable car socializing with interesting people is kinda hard to shit on, in my opinion.

So that’s me in a nutshell, where I’m at and how I got here. Now I want to lay out a few definitions, some of the methodologies I used and the ethical considerations I embraced.

This is a small town. If you used Lyft from December 2018 to February of this year, there’s a really good chance some of you were my passengers. I just want to state a few things on the record:

I did not record any interactions. Audio or video. Any notes I took were completely anonymous and I never documented any PII. Honestly I only tried documenting data such as “talker”, “non-talker”, “duration” at first, but it became super clear early on that there really isn’t anything more interesting than the positive correlation between talkers and tipping. Simply put: riders who are more social and talk tend to tip better, so you awkward drivers might wanna rethink your approach.

All interactions I had with my passengers were 100% authentic and organic. This is the main reason I wanted to write and present this talk because I wasn’t really employing any “techniques” other than just being a nice and friendly guy who can hold a fun conversation and random strangers were sharing sensitive information with me. If you were one of my passengers and we had a fun and interesting chat, it was real. And I only wrote this talk as an observation of how much personal and private information riders will share in this environment and how this could be weaponized.

I don’t really know why this phenomenon is a thing. I’ve asked on Reddit and am not even sure other drivers experience this also or if it’s just me, but I kinda doubt that. Any psych people in the audience please come find me after the talk and give me your hypothesis. I tend to think people feel like the app based nature of the interaction makes it mentally drift into some grey area of the anonymous nature of the internet and since repeat riders are usually rare, they feel safe sharing and I imagine most passengers or even many in this audience have not considered that a hacker or someone with ulterior motives could be using a ridesharing app. Hopefully I can change that with this talk.

SLIDE 4

Definitions and SE101

So for those who aren’t familiar or are new to the world of hacking and cyber security, you might be wondering what social engineering is. SE is the art and practice of exploiting the human element. Almost without exception all hacks and breaches you hear about were initiated through a social engineering vector. Humans are historically the weakest link in any security program and I doubt that’s going to change anytime soon. These vectors include phishing emails, USB drives left in break rooms or parking lots, or an untrained user giving an attacker a password over the phone. At the last MSP I worked for, only one user ever asked to call me back to verify I was who I said I was before he would tell me his password. Even now doing freelance gigs I’ve never had someone check my ID.

Also, it doesn’t matter what kind of firewall your company has or how many blinky boxes are on your rack if one of your employees pops in a CD-ROM labeled “2018 salary” that they found and it opens a reverse TCP connection or installs a remote access Trojan. You also don’t need any technical proficiency if a user will just give you their password. Or if they’re using a password that is the same one as every other account they have and it’s in some pastebin dump of hacked credentials.

SLIDE 5

I learned everything I know about how to utilize and be aware of social engineering through the books of Chris Hadnagy from Social-Engineer.org, their podcast is awesome too, and the books of Kevin Mitnick. One thing I realized when reading these books was they all seem to start from an implied foundation of comfort and ability socializing with other humans. These techniques aren’t magic and if you have trouble with conversation and interacting with people they aren’t going to work.

I definitely don’t consider myself an extrovert. Speaking up here today is very difficult for me, but in one on one or small group interactions I consider myself highly capable. It wasn’t always this way and I even lost my social skills for a few years and it actually took doing rideshare to get me back in. Here’s what I mean:

Most of my youth and young adult life I was very shy. It wasn’t until I started community college and took public speaking and a handful of other communications classes that I discovered I had it in me to be socially able. I did a few plays and even participated in student government and got comfortable with public speaking. But I didn’t keep it up and slowly those skills started to fade. The past 6 years since moving here I spent most of my work and personal time behind a screen and social skills require upkeep and practice. Use it or lose it. And I did lose it. My anxiety out in public got worse. I’d try to avoid people I knew who might talk to me. I would get annoyed at Uber drivers or customer service people who were overly friendly. And I also simultaneously complained about how I wasn’t making friends. I sank into a dark place. And when I started doing ridesharing to make extra money, I was immediately aware that a majority of my passengers did want to make at least small talk with me.

So I started being friendly. Slowly but surely I was able to regain my old confidence and after 500 passengers I have a 5 star rating and the most common feedback I got is “fun conversation”. Now I really enjoy social interactions and am glad I shut up that voice who made me fear it or even get annoyed at people who were just being friendly. Humans are a social species and in my opinion it’s a preferable way to be. I know I’m just this guy, but I think I’m right.

SLIDE 6

To go back to what I said previously about most of the books and content about social engineering starting at the unstated presumption that you have basic social skills: what do you do if you don’t have that? My advice is to read the book How to Win Friends and Influence People by Dale Carnegie. Originally published in 1936 and now in dozens of editions, this is one of the best selling books of all time and the go-to book to get these skills.

And the best part to me is that it isn’t about being manipulative or about being fake or conning people. Here are the bullet points for six ways to make people like you:

SLIDE 7

Become genuinely interested in other people.
Smile.
Remember that a person’s name is to that person the sweetest and most important sound in any language.
Be a good listener. Encourage others to talk about themselves.
Talk in terms of the other person’s interests.
Make the other person feel important – and do it sincerely.

And I know that these skills will be easier for some and harder for others. I studied anthropology in community college and human beings are genuinely interesting to me. But I know some of you are thinking: “But I hate humans”. It might be harder for you, I get that, but try. Every person I’ve met has had something interesting to teach me, or interesting experiences in their lives. You just have to listen. Most of us here love the internet because it is an unlimited resource for our curiosity and desire to learn. The people you bump into during your daily lives can be that too.

So this is all I’m going to say about socialization skills and SE 101. Check out the books and podcasts I mentioned to learn more and get started yourself.

SLIDE 8

Practicing Social Skills via Rideshare Driving

So when I started driving I knew I needed to make it work until I found a new job or better way to make money, so I had a few rules I always followed. I have used Uber and Lyft for years and there are things I do and don’t like that other drivers do. I don’t like when a car is dirty or smells funky or like smoke. I got that Surf Through car wash membership and that’s an easy solution. I don’t like when drivers aren’t GOOD drivers, so that’s another easy thing to do. And lastly I hate when drivers lack social awareness. And that goes for both ends of the spectrum. Sometimes I just want to ride and not talk and I get someone who won’t take a hint and leave me alone, or I’ll be feeling friendly and I get someone who is awkward and won’t talk to me. The way I see it, the passenger is paying for the ride so they should get the level of comfort they desire. I assumed most people wouldn’t be talkative once I started driving and I couldn’t have been more wrong. Even passengers who weren’t overly chatty would at least expect a little small talk. It was a rocky start since I hadn’t realized that I had lost all the social skills I gained when I was younger.

Getting it back wasn’t that hard to do honestly. Using their name when they get in not only helps them confirm they are in the right car, but also feel appreciated. I smiled and had a few canned ideas on questions to ask: What’s your major? What do you do? Are you from here? I see you have [personal item], tell me about that. I’ve had some amazing conversations with random strangers during my time doing rideshare. Socializing is cool.

To sum up this section: if you want to learn social engineering you need to be comfortable and confident at socializing and dealing with humans. Doing rideshare is a great way to get a ton of social interactions quickly and can be a wonderful laboratory to hone those soft skills.

SLIDE 9

Weaponizing Rideshare SE

So let’s say you’re the kind of person who wants to gather some intel on a particular company or person. How do you use ridesharing as a potential vector? I see this vector being divided into two main paths: passive and active.

Passive:

Passive intel can be gained just by driving for a rideshare company and being aware of its potential. If you are friendly, and provide a comfortable environment for your passengers they will share sensitive information. Especially if you speak their lingo and have some insider knowledge. There are probably half a dozen BIG tech companies here and as a driver I learned to pick them out based on the destination address and a great opener goes something like “Oh, based on that address you must work for…” It also really helps to drop a name or two and like most tech people in this town, I probably know someone currently or at one point at most of the tech companies here.

When I originally had the idea to write this talk, I decided that dropping names was kind of unfair scientifically, but then I revised that because any social engineer with basic skills will have done their OSINT and be able to drop names.

I’ve had passengers from all levels of the corporate ladder. From facilities staff to executives. If you know tech and have a passion like they do the conversation flows easily. And it’s not like telling a random Uber or Lyft driver what software you use at work or the latest gossip is going to hurt right?

I’ve had multiple passengers tell me more about their medical conditions than I ever wanted to know. I’ve had passengers tell me their criminal histories or why I was dropping them off at a lawyer, or why they can’t drive. I’ve had people tell me about their relationships. I’ve heard people having conversations in my backseat about their infidelities, or things they’ve done to betray their friends. I had a passenger once invite me into his apartment to do, and I quote, “a shitload of cocaine”. Some people invited me to bars or restaurants they’ve worked at or wanted to exchange info to become friends.

And I’m just this random guy. All I’m doing is being nice and friendly, speaking the lingo and being interested in them. What if I was a bad guy? Do you think people are telling me things I could use against them if I was a black hat? You bet.

Active:

So on the other end of the spectrum let’s say you want to take it to the next level. For active intel an attacker could exploit the location based matching nature of ridesharing apps to implement strategic staging for targeting specific companies or individuals.

If my car is the closest one to you when you request a ride, there’s a 99% chance I’m going to get you. If I were going to employ this against an individual I would do OSINT and find out how they use ridesharing. Some people use Uber or Lyft to go to work every morning and home at the end of the day. Some people use them when going downtown on the weekends. If you can identify the target’s pattern then you can almost guarantee you’ll be matched.

One thing I want to qualify is my earlier statement that repeat rides are rare. This is true for the most part, but there are exceptions. I used to drive early in the morning to catch the commuters and I had a handful of people I’d get every day sometimes. So it wouldn’t be weird to get the same person on a regular basis. You could always have the pretext that you live a block over or something.

The same thing could be applied to specific areas of interest. If I parked out by the airport and waited, the chances I’d get someone with something interesting to me would be way higher than average. Chico has only a few main sectors you’d have to focus your attention on to be successful. And as with individual targeting, if you have a specific company, park nearby and you’ll get lots of their people.

SLIDE 10

Conclusions

I asked r/askpsychology why they thought people were so open with rideshare drivers. Only one person responded, but their words were very interesting. Here’s my original post:

SLIDE 10b

Why do my Lyft passengers share so many personal details with me?

It feels like many of my passengers share so much sensitive information with me. I’ve heard about people’s medical problems, criminal histories, romantic lives. Is there something about the driver/passenger relationship that makes people feel comfortable or that the interaction feels anonymous so they can be more free? Thoughts?

So yeah I didn’t mention anything about SE or how I try to implement what I’ve learned from Dale Carnegie, but check out this response:

SLIDE 10c

When you step back and think about it, you have many qualities of a good bartender. It’s a temporary, friendly, paid, trusted relationship which is about satisfying an immediate need. But it is even more than that. There must be something about you that gives off a positive, listening vibe to your passengers. I know when I get into a car if the driver wants to be social or not. You might enjoy being social. There is something about your sincere connection to your passengers which allows them to exhale and to open up. You have an empathetic ear that makes people feel safe.

Such basic principles and techniques to enhance social encounters can have profound implications. I don’t think there’s anything innately special about me when it comes to SE, other than the fact that as a shy teenage hacker, I’ve always been cognizant of the value of having these skills. If I can learn this stuff, I think almost anyone can.

Obviously the biggest takeaway I’m hoping for here is awareness. I love that people are friendly and amenable to small talk, but you shouldn’t assume any of your interactions is anonymous. I’m not saying we should be rude or like Ron Swanson, but there should be a line.

If you’re a high value target keep in mind that that repeat driver you keep getting might not be a coincidence. If someone hires me to do a pen test on a company from here on out, I will be utilizing this method. It’s too rich of a source for me to not.

SLIDE 11

One Last Story

Before I close out my talk, I just want to tell another story that happened to me, well two stories with different endings, but it shows a different side of this coin. I am a big believer that SE doesn’t have to be inherently unethical or immoral. Yes, during a pentest you are trying to get someone to do something they shouldn’t or allow you access to somewhere you don’t belong, but if we can do it in a way that leaves them feeling positive about the interaction, then that is preferable. And sometimes it’s fun to help someone avoid a scam.

A couple months ago I was driving a passenger when she asked me offhandedly if I’d ever sent a Moneygram before. I told her I had and asked curiously why she wanted to know. She explained that she was very excited to be adopting a puppy from online and she needed to send $350 to the service that ships pets across the country. This immediately caused my hacker-sense to start tingling so I probed a bit more about the transaction.

I asked if she had spoken to the seller on the phone, and she said she hadn’t. I said that seemed weird, but she assured me that the seller said it had to do with her religion. I’m not claiming to be an expert, but I wasn’t aware of any religious prohibitions against speaking on the phone that also allowed using Craigslist, but okay. I told her that that seemed a bit fishy to me. She asserted that she thought it did too at first, but she knew it was legit because she wasn’t sending the money to the seller; it was being sent to a third party pet transportation company that the seller had arranged to contact her. She even showed me the website of the company on her cell phone, which to be blunt, to my eyes looked extremely janky. I asked her if we could sit down for a few minutes and take a look at a few details before she sent anyone any money. She reluctantly agreed; she really wanted this puppy.

The first thing I asked to look at was the emails back and forth from the seller. I checked Google and all the other major social media sites for the seller’s name. No matches. I couldn’t Google the seller’s email address due to the Craigslist email relay system. This in and of itself might be okay; we all use pseudonyms online sometimes and Craigslist is a site where you might not wanna use your real name. Fine.

She then showed me the email thread with the shipping company.

The first strange thing I noticed from the emails was the link to the pet shipping company. The name didn’t match the URL in the link. You’d think a business would be able to get their own name right. I also saw that if you Googled the name given by the shipper, it’s extremely similar to a legitimate pet shipping company, and indeed that legit company comes up as the first site found due to Google “fixing” our query. When you go to the link in the email, however, the site itself was terrible to my eyes, but not to my client, who is not as seasoned as I am at catching scams. I also showed her that the “company” didn’t have any social media presence. At all. No Facebook, Twitter, anything. Also the email address that was contacting her was reallylongcompanyname@outlook.com

She also told me she had spoken to the shippers on the phone and I asked if she still had their number. She did, but she told me she couldn’t ever get through when she called them and they’d always have to call her back. I asked for the number and called it on my phone. It was a Google Voice number! Not only that, it was set to screening mode. You know the one where it says: “Hi, the person you’re calling is using a screening service from Google, and will get a copy of this conversation. Go ahead and say your name, and why you’re calling.” She also told me that when he did call her, he was rude and tried to get her to hurry up and send the money. I told her I was 100% confident this was a scam and I advised her not to go through with the deal.

At this point she was extremely unhappy, but felt it was still a legitimate transaction because she had been sent pictures of not only the puppy, but of the puppy in the shipping crate at the shipping company waiting for payment to be shipped. She explained that it’s not like it was a person trying to sell dogs or from a puppy mill. It was a lady giving it away for free and the money was just for the shipping. She just didn’t see why a scammer would go to the trouble of doing that and felt the pictures were authentic. I asked her to save all the images to her device and then showed her a site she could use to do reverse image searches. Before she did it, I asked her if she agreed that if this wasn’t a scam those pictures wouldn’t exist anywhere else on the internet. She agreed, and each of the pictures was found at least 9 other places online. Her heart sank and she didn’t have any further rebuttals to my concerns. She knew it was a scam and I had just saved her from losing at least $350. Not to mention that the scammer would have also asked for more money later for “shots” and “insurance”. Who knows how far they might have gotten.

SLIDE 12

So here are the main red flags:

Seller wouldn’t talk on phone
Seller name didn’t seem legitimate
Name of shipping company didn’t match URL in email
Googling company name shows close match with legitimate company
Company website very poorly designed and implemented
Company has no social media presence
Email address of contact at company using generic email address and not a legit domain
Contact at company could only call her and she was never able to make inbound calls
Phone number of company was Google Voice number
Reverse image searches showed “proof” photos unoriginal
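As an added example (not from the talk), here is a small Python checker that encodes the structural red flags above so the same questions can be asked of any online pet-shipping pitch: name versus link URL, lookalike company name, free-mail contact address, callback-only phone, no social presence, and recycled “proof” photos. Every company name, domain, address and count in it is a constructed placeholder, and the three-flag cut-off is my own assumption, not a figure from the talk.

```python
"""Red-flag checker for an online pet-shipping pitch, encoding the checklist above.
Added example, not from the talk. Every name, domain, address and number here is
a constructed placeholder, not a real company or a real scam."""
from dataclasses import dataclass
from urllib.parse import urlparse
import re

# Free-mail providers: a shipping business would normally mail from its own domain.
FREE_MAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}
# Constructed stand-in for the legitimate shipper whose name the scam imitates.
KNOWN_LEGIT = {"Example Pet Movers"}


@dataclass
class Pitch:
    company_name: str            # name the shipper gives in email
    website_url: str             # link to the "company" site in that email
    contact_email: str
    seller_talks_on_phone: bool
    inbound_calls_succeed: bool  # could the buyer ever reach them by calling?
    reverse_image_hits: int      # other sites already hosting the "proof" photos
    social_profiles: tuple = ()


def _slug(name: str) -> str:
    """Lower-case alphanumerics only, so 'Pet Movers' and 'petmovers.example' compare."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; spots a name that is a character or two off a real company's."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(p: Pitch) -> list[str]:
    """Return the checklist items this pitch trips, in the order the talk lists them."""
    flags = []
    host = urlparse(p.website_url).hostname or ""
    name_slug = _slug(p.company_name)
    if name_slug not in _slug(host):
        flags.append("company name does not match the URL in the email")
    for legit in KNOWN_LEGIT:
        legit_slug = _slug(legit)
        near = (name_slug.startswith(legit_slug) or legit_slug.startswith(name_slug)
                or _levenshtein(name_slug, legit_slug) <= 3)
        if name_slug != legit_slug and near:
            flags.append(f"name is a near-match of a legitimate company ({legit})")
    if p.contact_email.rsplit("@", 1)[-1].lower() in FREE_MAIL:
        flags.append("contact uses a free-mail address, not the company's own domain")
    if not p.seller_talks_on_phone:
        flags.append("seller will not talk on the phone")
    if not p.inbound_calls_succeed:
        flags.append("company only calls out; inbound calls never connect")
    if not p.social_profiles:
        flags.append("company has no social media presence")
    if p.reverse_image_hits > 0:
        flags.append(f"'proof' photos found on {p.reverse_image_hits} other sites")
    return flags


def is_likely_scam(p: Pitch, threshold: int = 3) -> bool:
    """Three or more structural flags is the (assumed) cut-off used in this example."""
    return len(red_flags(p)) >= threshold


# Constructed pitch mirroring the story above: lookalike name, mismatched link,
# free-mail contact, callback-only phone, no social presence, recycled photos.
SCAM_PITCH = Pitch(
    company_name="Example Pet Movers Express",
    website_url="https://pet-shipping-fast.example/track",
    contact_email="examplepetmoversexpress@outlook.com",
    seller_talks_on_phone=False,
    inbound_calls_succeed=False,
    reverse_image_hits=9,
)
# Constructed pitch with none of the flags, for contrast.
CLEAN_PITCH = Pitch(
    company_name="Example Pet Movers",
    website_url="https://examplepetmovers.example/",
    contact_email="bookings@examplepetmovers.example",
    seller_talks_on_phone=True,
    inbound_calls_succeed=True,
    reverse_image_hits=0,
    social_profiles=("facebook", "twitter"),
)
```

Running `red_flags(SCAM_PITCH)` lists all seven flags the story above hit; the Google Voice check is deliberately left out because it needs a live lookup and cannot be done offline.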

SLIDE 13

A few of the tricks used by the scammers in this scam to make it more successful:

Listed as adoption versus a sale to alleviate concern
Handed off to “second party” to build legitimacy
Use cute puppy pictures to appeal to emotion and overrule suspicion
Counted on target not paying attention to detail
Shipper established a sense of urgency

She was thankful and I told her to be very careful whenever anyone from online asks her to send money. I told her in all likelihood this was probably one person the whole time, which is why the person adopting out the dog “couldn’t talk on the phone”. They were also probably not even in this country, as we know many of these scams aren’t. She did say that the shipper’s English wasn’t good. I also told her to make sure she shares this experience with all her friends and family. I always feel the best way to handle someone getting caught in a scam is to be on their side and never shame them. We are all susceptible to scams and social engineering and the best way to proceed is to empower them to share what they’ve learned. I also sent her a link to an article on the BBB site about these very types of scams and she was shocked how similar her experience was to the ones explained in the article.

Funny thing is, a couple weeks later I had another rider who started telling me about the munchkin cat she was buying from online, so I asked her all the same questions and it was beat for beat the same story. This time it was even more obvious because not only were the pictures stolen from other sites, they were straight off Shutterstock.com. She even called the shippers on speakerphone to prove me wrong and the guy who answered said: “Oh those are the other sites stealing OUR photos.” Yeah buddy, Shutterstock is stealing your photos.

Unfortunately she was already partway into the scam cycle and had already sent them money. I suspect, from the look she gave me when I mentioned how they’ll be asking for more for “shots” and “insurance”, that she was further into the scam than she wanted to admit. She got out and still didn’t think I was right. This is the sunk cost fallacy at work. Well, a couple days later she reported a lost item through the rider app so she could send me this text:

SLIDE 14

You were right. They took me for $800.00. How much to send them a virus?

SLIDE 15

Closing

I know these last two stories had less to do with the actual rideshare aspect and more with SE awareness, but I just wanted to demonstrate that we can use our INFOSEC and SE skills for good. I took a few minutes out of my day to show these people how to see the red flags that I saw, and how to do a simple reverse image search. Now they will probably show everyone they know what they know, and these small acts from us can go a long way to make the world safer. It’s why you should never fire an employee that fails a phishing or pen test. That person will go on to be so vigilant after that experience and tell everyone about it.

Plus stories about individuals are much more impactful than numbers. I was listening to a podcast recently where Sam Harris was interviewing Daniel Kahneman, the American-Israeli psychologist and Nobel prize winner. He mentioned the power of framing and how there was an experiment testing how framing affects how much people donate. If you showed a participant a picture of a single child, they donate x dollars. But if you show the child with a sibling, it goes down. A child with a sibling and parents, it goes down still more. A picture of a whole community? Less.

It seems counter-intuitive. Logically it is better to help the larger amount of people, right? Yes, but if you want people to care about a problem, framing is key. If you want the decision makers at your organization to care about your proposed security protocols, then you have to tell them stories about individuals. Just telling them how many hacks happen each year and slide decks with lots of numbers obviously isn’t working that well. Make it personal. Show them how it could happen to them. Even your friendly neighborhood rideshare driver might be a hacker. You never know.

SLIDE 16

Thank you very much.

Any questions?