Traps used by cyber detectives…

Igor S. Bederov
Apr 17, 2022


Atypical methods of identifying Internet users have always attracted special attention from law enforcement agencies, private detectives and security officials. Today we will reveal some of these techniques.

Let’s start with logging, or rather, with the techniques that hide the fact that it is taking place. Let me remind you that logging means recording data about the devices that connect to a specific web resource: in other words, obtaining data about the user’s connection (IP address, provider, city) and device (model, operating system, browser version, etc.).

If your logger is presented as a regular hyperlink, then the obvious way to disguise it is to use one of the link shortening services:
https://clck.ru/
http://bit.do/
https://bitly.com/
https://www.lnnkin.com/

In addition, a link logger can be masked using the redirect function (or an imitation of one) on popular social networks. For example, on VKontakte such a link looks like this: https://vk.com/away.php?to=LOGER-LINK_HERE. For YouTube, a redirect can be simulated using the service https://webresolver.nl/tools/iplogger. Redirecting through a legitimate portal works because most users do not read the whole hyperlink: they only check that the domain name at its beginning belongs to a legitimate web resource.
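As an added example (not from the original article), the following Python checks a link the way a cautious recipient or a mail/chat filter might before anyone clicks it: it peels `away.php?to=` style wrappers offline and reports when the domain a hurried reader sees is not the one that will actually be contacted. The shortener hosts are the ones listed above (plus bit.ly, the host on which bitly.com issues its short links); the function names are this example’s own.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Shortening services listed in the article, plus bit.ly, the host on which
# bitly.com issues its short links.
SHORTENERS = {"clck.ru", "bit.do", "bitly.com", "bit.ly", "www.lnnkin.com"}

# Redirect endpoints and the query parameter that carries the real target.
# vk.com/away.php?to=... is from the article; extend the table from your own
# observations (hostnames are compared lower-case, exactly as given here).
REDIRECTORS = {("vk.com", "/away.php"): "to"}


def unwrap_redirect(url, max_depth=5):
    """Peel redirect wrappers offline (no requests are made) and return the
    chain from the visible link down to the innermost target."""
    chain = [url]
    for _ in range(max_depth):
        p = urlparse(chain[-1])
        param = REDIRECTORS.get((p.hostname or "", p.path))
        if param is None:
            break
        target = parse_qs(p.query).get(param, [""])[0]
        if not target:
            break
        chain.append(unquote(target))
    return chain


def classify_link(url):
    """Findings a mail or chat filter could surface before the click."""
    chain = unwrap_redirect(url)
    outer, final = urlparse(chain[0]), urlparse(chain[-1])
    return {
        "outer_host": outer.hostname,
        "final_host": final.hostname,
        "wrapped_redirect": len(chain) > 1,
        "uses_shortener": final.hostname in SHORTENERS,
        # the domain a hurried reader trusts is not the one contacted
        "host_mismatch": outer.hostname != final.hostname,
    }


if __name__ == "__main__":
    print(classify_link("https://vk.com/away.php?to=https%3A%2F%2Fclck.ru%2Fxyz"))
```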

Logging can also be hidden by embedding the logger in an Office document. Public services that offer this include:
http://canarytokens.org/
https://www.locklizard.com/track-pdf-monitoring/
http://www.mailtracking.com/mailtracking/pmdoctrack.asp
The investigator generates the required file and sends it to the user being identified. Once that user opens the file, statistics become available to the investigator, including data about the user’s device.

Another covert logging technique is to host the logger on an external website. Sites imitating news portals work best here. One of the easiest ways is to post an intriguing news item with the Telegra.ph service, which allows an invisible IP logger to be embedded. To embed code from the https://iplogger.com/ service into an article, click the embed-code icon <>, paste the resulting link and press Enter.

Similar functionality is offered by the Telegram bot @FakeSMI_bot, which also generates arbitrary news items with a built-in logger, purportedly published on the website of a major media outlet.

The popular start.me service for creating toolbars and link collections can also serve as a cyberdetective’s trap. start.me allows external code to be placed on a page, including the code of an invisible logger created at iplogger.com.

Beyond standard logging, an external website also gives a cyberdetective the opportunity to identify the user’s social network accounts using clickjacking (so-called social phishing). The technique relies on hidden authorization on the external web resource through the user’s social network profile. To use it, a special script must be installed on the website; such scripts are offered by a number of marketing companies:
https://socfishing.com/
http://soceffect.ru/
https://dmp.one/
https://wantresult.com/
https://my.lptracker.ru/

Logging through an external website can also be extended to obtain the user’s geolocation via the HTML5 Geolocation API. Examples of such solutions already exist:
https://github.com/thewhiteh4t/seeker
https://github.com/jofpin/trape
https://github.com/cryptomarauder/TrackUrl
https://iplogger.ru/location-tracker/
The downside is that the HTML5 Geolocation API requires the user’s consent before providing accurate geolocation data from GPS, LBS or Wi-Fi. I won’t tell you how to get around the need to obtain the user’s consent — this is the author’s technique.

Logging via email. Indeed, what could be more convenient? You send an email to the user being identified and wait for the result. Several services work this way:
https://www.readnotify.com/
https://www.getnotify.com/
http://www.didtheyreadit.com/
Admittedly, their effectiveness today is extremely low, because modern mail services block tracking modules.
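The blocking just mentioned comes down to spotting remote images that exist only to report that the mail was opened. As an added example (not from the article or any of the services it names), the following Python scans an HTML mail body for such read beacons: remote images that are tiny, hidden, or served from one of the read-notification domains listed above. The sample message is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains of the read-notification services named in the article.
TRACKER_DOMAINS = ("readnotify.com", "getnotify.com", "didtheyreadit.com")


class BeaconFinder(HTMLParser):
    """Collect remote <img> tags that look like read beacons: tiny,
    hidden, or served from a known tracking domain."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname
        if not host:  # inline (cid:/data:) or relative image cannot phone home
            return
        reasons = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("tiny")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS):
            reasons.append("known-tracker")
        if reasons:
            self.beacons.append({"src": src, "host": host, "reasons": reasons})


def find_beacons(html):
    """Return the suspicious remote images found in an HTML mail body."""
    p = BeaconFinder()
    p.feed(html)
    p.close()
    return p.beacons


# Constructed sample body: a visible logo, a 1x1 beacon and a hidden
# image from a tracking service.
SAMPLE_MAIL = """<p>Hello,</p>
<img src="https://cdn.example.net/logo.png" width="120">
<img src="https://tracker.example.org/open.gif?id=abc123" width="1" height="1">
<img src="https://www.readnotify.com/i/xyz" style="display: none">"""

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_MAIL):
        print(b)
```

A mail gateway would typically drop or proxy the flagged images rather than merely report them; the visible logo is left alone because it is neither tiny, hidden, nor from a known tracker.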

Fortunately, there is the service http://canarytokens.org/ and its function for generating a token for a “unique email address”. This feature lets you obtain connection and device information about the sender of any email to the mailbox TOKEN@canarytokens.org. You can also connect your own domain name to Canarytokens using a ready-made Docker image, which allows you to covertly identify all senders of email to your address.

We are gradually moving from logging to other methods. Now let’s talk about establishing the mobile phone number or geolocation of a Telegram user. To identify Telegram users, special trap bots are used that obtain their user’s phone number or geolocation under the guise of registration or a search request. Examples of such bots: @addprivategroup_bot, @protestchat_bot, @TgDeanonymizer_bot, @TelpoiskBot_bot, @cryptoscanning_bot, @Checknumb_bot, @LBSE_bot, @GetCont_bot. There is even a constructor for such trap bots: https://github.com/lamer112311/Dnnme2.

Similar tricks apply to any other online service. If the user being identified has the Skype, VK or WhatsApp mobile application installed, you can generate a hyperlink that automatically places a call or sends a message from their profile to the cyberdetective’s profile:

```html
<a href="https://wa.me/PHONE_NUMBER?text=write_text_here!">message in WhatsApp</a>
<a href="skype:LOGIN?call">call in Skype</a>
<a href="https://vk.com/call?id=ID">call in VK</a>
```

If a cyberdetective is in direct online contact with the user being identified, he can ask the user to send a link to Yandex search results. The hyperlink generated for a Yandex search query contains the lr= parameter (location region). The cyberdetective can then look up the received value in the region numbering database at https://yandex.ru/dev/xml/doc/dg/reference/regions.html. An easier way is to substitute the received “lr=” value into the hyperlink https://yandex.ru/search/?text=Weather&lr=XXXX: the results will show the weather forecast for the region in question.

I came across an interesting GPS tracker project (https://osmodroid.ru, https://osmo.mobi/app) that captures a digital fingerprint of the device that opens a track. How can this be used for surveillance? Create a track (it can be fake) and give a link to it to the user being identified. When he connects, you receive data about his IP address and device.

… join my Medium Blog https://medium.com/@ibederov_en, Facebook https://www.facebook.com/ibederov.en/ or Telegram https://t.me/ibederov_en!
