
Good afternoon and welcome to BSides Las Vegas. This is Breaking Ground, and the talk is "From Email Address to Phone Number: A New OSINT Approach" by Martin Vigo. So, a couple of announcements before we get started. We'd like to say thank you to our sponsors, especially our Inner Circle sponsors Critical Stack and Valimail. We also want to thank our Stellar sponsors Amazon, Microsoft and Secure Code Warrior. We have a lot of sponsors and donors and volunteers, and without them we could not do this, so a big thank you to them. Another announcement: all the talks except for Underground, including this one, are being streamed to YouTube, so please make sure your phone is on silent, and if you have questions, raise your hand and I'll bring the microphone over; we want everyone to be able to hear you. So with that, let's get started. Thank you.

Awesome, thanks for joining me. I know it's lunchtime, so I really, really appreciate that. So in this talk today I wanted to talk a little bit about a new approach for doing OSINT, specifically if we want to find out someone's phone number and the only thing that we have is actually his email address. Sorry for my voice, yesterday was a long night. My name is Martin Vigo. I used to do product security, now I'm doing more red teaming. I also founded Triskel Security. Most importantly, I'm from Galicia. Has everyone been in Galicia before? Nice, that's awesome. Sweet that you guys have [inaudible]. Good, good, good. The others, you should go. I really enjoy doing research, I do scuba diving, and my drink of choice is a gin and tonic. And this is an Amstrad CPC 6128, which was my first machine, where I learned BASIC, and I really love this picture; it's the only one I have with the computer. Anyway, the point being, the first thing I wanted to do is to talk a little bit about privacy, right? We're talking about email address and phone number, and this is kind of the way I look at it: if we think, like, what is the PII
that I want to keep private? I kind of put a chart here. An email address is usually what we are comfortable giving away, publishing on the Internet; it's the way that we communicate with strangers, so to speak, right? I will claim that the profile picture is still fine, you know, it's something that we would publish, a picture about us, unless you are really, really into privacy. The age, I start to get a little uncomfortable if that is published; some security questions relate to your birth year, things of that nature. And in my case, a phone number we usually don't give away. You may disagree with this chart, this is my personal view of it, but definitely at one extreme we have the email address, something that we will give away; the phone number, not so much, just to people that we know; and of course on the other side of the spectrum we have the social security number, which we don't give to absolutely anyone. It's anyway on the Deep Web somewhere, all right.

But in terms of security, if we look into the email address, this is also different, right? Think about if someone with malicious intent wants to target you and they have your email address. You could think, you know, this is what I came up with: they can spam you or do phishing emails to try to convince you to click somewhere and download malware or whatever. They can try to target someone that you know by spoofing your email address, because they know it, right, and try to get them to click on something malicious. But an email address, if we want to target someone, we can also use it to try to find password hashes. We can go to websites like Have I Been Pwned, see if my account got leaked with the passwords in clear text, or that I can crack later. So that's something that someone could do if they have your email address.

When it comes to phone numbers, some stuff is similar, right? I can get spam calls, I can get phishing attempts, we also have spoofing in phone numbers, so if someone has my phone number they can try to pretend to be me by calling someone else, my wife or so. And then we get into more interesting stuff. You may or may not be familiar with HLR registers, but that's basically a global database, that's how the phone system operates, but most importantly you can query it: you can put in a phone number and get certain information about it. Nothing too crazy, but you can know if a phone number has been roaming, so you know that person may be out of the country; you can know if that number is actually active on a carrier or it has been disconnected, so there may be some accounts associated to that number that you may want to try to get, that number, registered for yourself. So we start to get into a little bit more concerning stuff. But then we have things like voicemail hacking. I gave a talk last year about voicemail hacking at DEF CON, and all you need is a phone number, right, and you can target that, and the impact is very, very big because you can compromise online accounts with that. And then we have fake cell towers, we have SS7 attacks, we have SIM swapping, very popular; we keep reading about people that get their Bitcoin wallets drained because someone targeted them with that and bypassed 2FA. So these are the
differences in terms of security. We saw before, in privacy, the differences between leaking your email and leaking your phone number, and what I wanted to get at is that leaking your email is not such a big deal, but if we have a way in which I can find your phone number, suddenly the threat surface increases quite a lot.

But in terms of usability, on the right side, if we have a way in which we can find someone's phone number based on their email, that could be very useful for private investigators or OSINT professionals, right? Your target, you may have the email address, that's not difficult to find, and you want to get his phone number because maybe, you know, you work for the police or whatever; you can, with the carrier, maybe get their physical location and things of that nature. But for red teams as well, right? We may get credentials but our victim has 2FA. If we know the phone number then we can play a little bit, maybe with phishing attempts to try to find a temporary code, or do some more sophisticated attacks. But like everything, we also have the bad side: being able for someone to find a phone number based on your email address can be abused by stalkers and doxxers, right? We read horrible stories of people just trying to dox others and then, like, they ordered a million pizzas to their house, or things of that nature. And for spammers it's bad too; we all got a phone call with someone talking in Chinese threatening us with taxes and things of that nature, at least I get it like every other day.

So what are the classic methodologies that we know? You know, you can go to public records if you are in a lawsuit, you know, like court documents, things that are public that may have your personal information there. Google dorks: if you posted your phone number, or not, maybe because you were searching for something or wanted to buy something and your account is tied to your email, you may be able to find it. People search engines, the straightforward way, right: Spokeo or PeopleFinder or any of those, you put in an email address, you get the phone number. And, like, social engineering. So there are a number of techniques. The purpose of this talk is just giving you another technique, just for professionals, for red teamers, because none of them are bulletproof, so you want to have a lot of tricks in your bag and you want to have a wide range of tool sets.

All right, so I mentioned before that I did a voicemail hacking talk last year, and I was at BSides actually last year, I also
did another talk that was focusing on SMS. What I want to say is that I spent a lot of time resetting passwords in a lot of websites for doing that research, and I started to see a pattern, right? When I go to reset a password, it usually shows me a masked phone number to which it is going to send the text, right? That's how you usually reset passwords: you get a text, or you get a phone call, or you get an email. So I realized this: okay, some websites show the first ones, others show the second one. So I started to go over different websites and see a pattern. Specifically, for eBay, for example, anyone that goes and initiates your password reset, just with your email, nothing else, will get the first three digits and the last two. For PayPal, it gets the last four. For Yahoo, it gets the first one and the last two. For LastPass, again, the last four. And for Google, Twitter and, kind of like, what is the common thing, is that you get the last two. Okay, the problem here is we have no standardization in how to mask PII.

And I put this example here because I found it very interesting: for PayPal, if I go reset your password with your email, I get five digits of your phone number. If I have your password as well, I get challenged with 2FA and it only shows me three. So PayPal, the same service, shows you five digits if you only have the email, and it shows you only three if you also have the password. So it masks more digits for an attacker that has way more information about you. So it doesn't really make any sense, right?

But the true power here comes from the combination, right? For example, who has here an eBay and a PayPal account? That's quite a lot of people, and the others are probably lying. So with an email address, if I go reset your password in those two, I will get seven out of ten digits of your phone number. For eBay and LastPass it's the same case; Yahoo and LastPass, the first one and the last four. So you get the thing, right? If we start to combine accounts, we get even more digits, just from your email address. So when I got here I was like, okay, the max I got was seven out of your ten digits, for US numbers, right? So I started to focus on which numbers I don't know rather than how many I don't know. And I appreciate this from a co-worker that told me about what exchanges are; I'm from Spain, so I didn't know much about the phone numbering system of the US, and he told me about the concept of exchanges. So I
started to read a lot about that. So it turns out that an American number, and a Canadian number from what I've read, has an area code that is the first three digits, the last four digits are the subscriber number, and the one in between is the exchange. Okay, so enter the North American Numbering Plan Administration, and I started to go down the rabbit hole and learned so much about the phone numbering plan, and this is really great, I read a lot of documentation. But basically the North American Numbering Plan Administration is an administration that is in charge of assigning phone numbers to different areas, and basically taking care of how the phone numbers are assigned in the United States and Canada. The most interesting stuff: they have a public database of the area codes and their exchanges. What does it mean? That an area code does not necessarily have all the possible 1,000 exchanges assigned. Remember, we are missing only three digits, that's a thousand possible numbers. It's actually not the case. For example, I live in San Francisco; I don't want to leak my phone number now, but say I have a number that starts with 415. There are actually only 784 exchanges for that area code, so I don't need to try a thousand phone numbers anymore, right, that I'm missing from harvesting from the services, because about 200 of them are not valid, because they don't have an exchange assigned. Tacoma is an especially interesting case: it only has 458 exchanges assigned to the 253 area code. That means that we got rid of over half the possible numbers that we have left, because we know it's the exchange digits and we know the area code, so it can only be one of 458 possible exchanges, and this is all public. So we reduced from 10 billion possible numbers, for someone where you don't know any digit, to only 458, just by using an email and publicly available data. But it's still quite some numbers, so I went deeper into
the rabbit hole. Enter the National Pooling Administration. So the way NANPA assigns numbers is by using the area code and the exchange, and that is associated to a location, that's the area code, and to a carrier. So for example, say 415-201 is assigned to Sausalito for AT&T, 415-202 is assigned to Sausalito for Verizon, and so on and so on, right? So we only have the four last digits; that means that 415-201 is 10,000 possible numbers, the subscriber number is four digits, for AT&T. But Sausalito only has 7,000 residents. If all of them had a phone number and all of them had AT&T, which is not the case, because there are also children and not everyone has AT&T, we still would be wasting 3,000 phone numbers. But that gets even worse, because again we assign the area code and exchange to different carriers, so if there are four or five carriers in Sausalito we possibly have 50,000 numbers assigned when there are only 7,000 residents. The FCC noticed this, and they published a document and they suggested that the first digit of the subscriber number would be assigned as a block. So instead of assigning 415-201 to AT&T and 415-202 to Verizon, it will assign 415-201-1 to AT&T, 415-201-2 to Verizon, and so on. So now the blocks, instead of being 10,000, are in the thousands, and so we are not wasting that many numbers. And of course we can take advantage of this, because the National Pooling Administration also publishes how the block numbers are assigned to the exchanges, so we can also take advantage of this. At the bottom you see something we are interested in: for the 415-272 area code plus exchange, we see that only block number 9 is actually assigned; the others are retained, that means that a carrier asked for it but it's not in use. In other words, there is no phone number that is 415-272-0 or 415-272-1; it can only be 415-272-9 and random subscriber numbers. Makes sense, right?

So let's say our victim, our target, is from Tacoma, okay, and they have an eBay and a PayPal account, like all of you; I don't care how many raised their hand, you all have that. So eBay gives us the area code, fantastic; PayPal gives us the subscriber number, great. Now thanks to NANPA we know that there are only 458 exchanges assigned to the area code that eBay gives us, so now we have only 458 phone numbers possible. But because we have the subscriber number, we can go through those 458 exchanges, see if they are pooled, which is the lingo for this, and see if they have block number nine assigned, so we can further reduce the possible valid phone numbers, and we got it down to 445 numbers. Again, just by using your email and publicly available data from NANPA and the National Pooling Administration. All right, so as I mentioned, that's quite significant. I will argue that someone with intent and time could probably call; here you can automate that with services like Twilio
and, you know, try to find out more of the victim, if that's their phone number, right? You can maybe use [inaudible] or something like that, but you can make four hundred calls, arguably. Still, what we want to do is find a way, that was my intent, find a way in which I could perfectly say, okay, this is the victim's phone number. So I started to think about the steps that I took to get here, right? And the first thing that I did was, I used your email to go reset your password and obtained some digits, because it was masked, right? Turns out that there are services where you can reset the password using a phone number and get a masked email back. So it's exactly the same attack vector in reverse. I have a list of 445 possible numbers, and now I can use that list, start to iterate over all those resetting passwords, get the masked email back, correlate it with the email that I have, and then find out what is your phone number. Here it's a little bit more clear: Amazon, for example, if I reset the password with a phone number, it will give me the first letter of your username, the last one and the entire domain, but the stars that it shows correspond to the characters that have been masked, so I also have the length of the username. Twitter, for example, gives me the first two letters and only the first letter of the domain, but I can perfectly take advantage of this because I can correlate: if my victim is victimusa@martinvigo.com, it's very, very likely, between those 445, that I find out the phone number, right? I doubt that there are going to be two or three that have exactly the same masking, and if they do, I don't care, because it's going to be two or three possible phone numbers; anything works great.

So what is the attack vector? If I have an email address, I go into different websites and harvest phone number digits, initiating the password reset with the victim's email, and you can use services like name checkers; there are some services online that will tell you, from a username or an email address, in which services that person is registered. Next thing is we use publicly available data and knowledge about the phone numbering plan of the country that you are targeting to reduce the possible phone numbers that there are, ending with the list of the possible valid phone numbers that we have left. We use services to go reset the password and correlate it to the original email that we have, and that's how we find out that person's email. So of course this is a lot of manual work, so I created a tool that will do that automatically for you.

All right, so, oh yeah, the features. So, in closing, it harvests digits using your email address, right? You put your email address and it goes to eBay, to LastPass and all that stuff, grabbing those digits. Then it helps you generate, based on a mask, the possible valid phone numbers by querying NANPA and the Pooling Administration, so you can give it 415XXX7923 or whatever and it will give you the list of the possible phone numbers. And then it can also go to those other services that support reset password with a phone number, and you can use proxies and stuff like that to bypass the CAPTCHA, and it will correlate the email and all that stuff that I explained and give you the possible phone number. Let's look at the demo. All right, so, oh, I can't pause it. All right, so we're gonna start. Our victim is victimusa@martinvigo.com, right? So I'm gonna use the tool with the scrape option, and that's basically what it's going to do, I just need to provide an email. It goes to different services; in this case it just goes to eBay and LastPass, just to show it for demo purposes. So it goes there
and tries to get the digits from those accounts. So I provide, with the e option, the email of my target, and it will go there and harvest all the stuff. So it's scraping eBay, so for example, I'm pausing it here: you get the first three digits and the last two, right? Pressing play now. And from LastPass I know that the last four digits are 8826, but I also know that it's a US phone number, because I realized that it will add a plus if it's a number that is not from the US. So I'm trying to find everything I can, because this is about OSINT, right? You get tidbits of information, and that's how you do what you're intending to do. And also LastPass reports that the length of the phone number is this, and this is going to be interesting for what I'm gonna explain later. Cool, so we have the first three and the last four digits, awesome.

So next, with the tool, what I'm gonna do is use the option generate, and this is going to generate a dictionary of possible valid phone numbers for the mask that I'm providing. So what I'm going to do is provide that 415XXX8826, right, because I already got seven out of the ten and I'm missing the three that correspond to the exchange. So it's downloading the database, it's parsing it, and it gives me a number of valid phone numbers, so I reduced even further the possible phone numbers of the victim. And the last thing is brute-forcing. For demo purposes I'm just going to mask it in a way that I'm just missing one digit, because if not it will take a little longer. So what it's going to do is, it's gonna use, I think in this case it was Amazon, in order to, as I explained, reset the password with that list of possible phone numbers, in this case only 10, because again I'm just masking one of the digits for demo purposes, and it will start to correlate and tell me, possibly this is the phone number, because the email and the masking of the email add up. So you see there, I'm just putting one of the Xs and then I make it [inaudible], so it will tell you, oh, this account doesn't exist, or CAPTCHA got you, or whatever, and that's how we found, we just found there that it has the masking that I showed you, it matches, so that's the possible phone number. Awesome.

So what about other countries? Here is where it gets very interesting, because I'm from Spain, and in Spain phone numbers are nine digits long, they are not ten digits long. The
US is a very big country, so unfortunately it gets way, way worse. Is there anyone from Estonia, El Salvador, Iceland here, or Finland, from the Åland Islands? No? Also lying, probably, there is someone. So one of the things I realized was, okay, ten digits is actually my key space, right, so to speak, so I need to find out more about that, but for countries that have shorter ones, is it possible that it will be even easier? And that's the case: services like eBay and LastPass do not adjust their masking based on the length of the phone number. Remember, eBay is leaking five digits; there are countries with seven-digit phone numbers, those right there. So if you have an eBay and a LastPass account and you are from any of those countries, your entire phone number is public to anyone that has your email. You see it here: like, I bought a phone number from Estonia, it's 581172, LastPass gives me the last four, eBay gives me the first three. Pretty, pretty bad. So this is a list of countries with their phone numbers by length. Imagine, like, countries with, oh, I only have two minutes, okay, there are countries with five digits, that will be only a hundred possible phone numbers. So it goes on and on. Thanks.

So the tool that I provided, it's more a POC, I mean, ideally, I put it on GitHub a couple of hours ago, so ideally the community starts to add support for more services and stuff like that. But the true power is querying NANPA and the Pooling, right, getting that dictionary list. So I am working actually on an online service, a website, Google-style, where you will put a mask; it has multi-country support, I found other resources that are public where I know more about the phone numbering system of other countries; most importantly, advanced filters. Say you know that the victim has AT&T, now you can click that and reduce it even further. Say you know that the victim had the phone number for over two years, then you are not going to count the block numbers that were assigned in the last two years, because you know that the phone number had to be older. You can add filters for the carrier, I mentioned already, or if you say, like, oh, I know he's from California, it will only take into account the area codes of California, things of that nature. And it has historic records too, because these websites are updated every month, so I want to keep historic records. So I'm working on this, stay tuned on my Twitter, and I will polish it, I just didn't have the time to do it.

Recommendations, very quick. For online services, my recommendation is to use a customizable label instead of the last digits. So just say, like, when someone resets the password, I can set up a label and it will say "I will send the text to 'work phone'" or whatever I set up. Don't show digits. And for you guys, just don't provide your phone number, or use a VoIP service or something. Responsible disclosure: kudos to eBay, they reduced from showing the first three of the area code to just one. It's not perfect, but it's much better. PayPal, for whatever reason, they are displaying five and they say this is working as designed. Yahoo is still working on the mitigations, and LastPass acted immediately and reduced it to only two.

Too long, didn't read, that's how I like to finish my talks: attackers can use your email address to obtain phone number digits from online services due to a lack of standardization in PII masking. Combined with publicly available information and an understanding of the country's phone numbering plan, it is possible to recover the entire phone number. Thank you very much.
And I'll take any questions that you may have.

Have you looked at any edge cases where the different accounts are registered with different phone numbers? Sorry? Have you looked at any edge cases where different accounts are registered with different phone numbers? Yes, I looked into that. Actually, I have to say that I put in an Easter egg, a Hollywood-style kind of brute forcing when it was scraping, and you will start, like, to go over that, but I realized that you may have different accounts, so that's why I put it kind of more like a report, right? It will tell you LastPass found this and eBay found that, rather than assuming that the phone number is going to be the same and start to do the digits. So that is definitely possible, that the phone number is different. Great talk, thanks. Thank you.

Two observations that might help you take it to the next steps: there are already online websites that do a good job of this for India and Pakistan that you could leverage, and there are starting to be some for the US, or you can subscribe to paid services like Spokeo.com or Intelius.com, and for a few dollars a month you can either put in an email address or a phone number and it'll search all kinds of public records and give you an entire profile of the person. Not as much fun as doing it yourself. Yeah, definitely. As I mentioned, that's why I put up the slide: this is not the only technique, I'm not discovering here, it's just a new trick to add to your set of tricks, right? Any other questions? Yeah.

Do you find that in the automation that you are... Sorry? Do you find that in the automation that any of the sites are going to start throttling the number of requests that you can issue over a period of time, or that accounts are being shut down? If you're, I don't know that you necessarily need to log in, but is that going to reduce the effectiveness of the tool? That's a great question. Two things. One, I only showed services that only require the email. Some services, like, for example, I think it was TurboTax, ask you for the email and for the username, for example, so if you have additional info you can leverage more services. That's one thing. Second, I started with eBay and I could do, without a proxy, 500; like, after one week they probably discovered that I was doing something noisy, so now after ten it blocks, but with a proxy you can bypass that. So the interesting thing here, it will not lock the account, because think about it, I'm iterating over a list of phone numbers, so I'm only resetting it once, trying to reset the password with one phone number, so it's not that I'm trying to brute force anything. So because it's only trying once for every phone number, it's not gonna lock the account, right, because that's just one attempt. And that's the interesting thing: it can only do it based on my IP, right, it cannot lock the account. So that's why the proxies are useful, VPNs and stuff like that, probably behavioral if you get a little more fancy, but those are things that you can possibly bypass.

Your talk was really great, man. Thank you. Give this guy an applause, because it's a lot of work. Thank you. They say all of these sites that he brought up, their back-end is actually one shared data broker, it's called Acxiom Corporation and also called LiveRamp. So if you have an account, these guys sell every bit of your information; no matter if you try to hide or not, they mark you as hidden and you're trying to hide. So it's not public information, anything about you; your name is your property in the United States, I don't know about the rest of the world. Yeah, a hundred percent, and thank you for mentioning that, because this is mostly about privacy, not just security, right? So unfortunately I had to fly over the recommendations, but I have that you use dedicated phone numbers only for the services where it's mandatory to provide it, because again, it's just like a username, your phone number, and it will be used to cross-reference among these data farming companies and stuff like that. I agree. All right, if not, I'm gonna hang out around here, so please feel free, I love to talk about this. Thank you. [Applause]
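The two points the talk keeps returning to are that masks chosen independently by each service add up (first three plus last two here, last four there), and that a fixed count of revealed digits discloses a whole number once the number is short enough, which is why the closing recommendation is a user-chosen label rather than digits. The Python below is an added example written for this page; it is not the speaker's tool or any code shown in the talk, and it deliberately queries nothing: no NANPA data, no service. The phone numbers, mask patterns and label are constructed for illustration, and the mask-merging routine also flags the edge case raised in the Q&A, accounts registered with different numbers, instead of silently merging them.

```python
"""Added example (not the speaker's tool): how independently chosen PII masks
of one phone number combine, and a label-based alternative for reset pages.
All numbers, masks and labels below are constructed for illustration."""

from typing import Iterable, Optional

UNKNOWN = "X"


def mask_fixed(number: str, reveal_first: int, reveal_last: int) -> str:
    """Reveal a fixed count of leading and trailing digits regardless of the
    number's length (the pattern criticised in the talk). On a short number
    this can reveal every digit."""
    n = len(number)
    return "".join(
        d if i < reveal_first or i >= n - reveal_last else UNKNOWN
        for i, d in enumerate(number)
    )


def combine_masks(masks: Iterable[str]) -> str:
    """Merge masks of the same number produced by different services.

    A digit revealed by any one mask becomes known in the result. Masks of
    different length, or two masks that disagree on a revealed digit (the
    Q&A edge case: accounts registered with different numbers), raise
    ValueError rather than producing a misleading merged mask.
    """
    masks = list(masks)
    if len({len(m) for m in masks}) != 1:
        raise ValueError("masks must describe numbers of the same length")
    merged = []
    for column in zip(*masks):
        revealed = {c for c in column if c != UNKNOWN}
        if len(revealed) > 1:
            raise ValueError(f"masks disagree at one position: {sorted(revealed)}")
        merged.append(revealed.pop() if revealed else UNKNOWN)
    return "".join(merged)


def candidate_count(mask: str) -> int:
    """Numbers consistent with a mask before any numbering-plan filtering:
    ten possibilities per unknown digit."""
    return 10 ** mask.count(UNKNOWN)


def reset_hint(number: str, label: Optional[str] = None) -> str:
    """What a password-reset page could display instead of digits.

    With a user-set label (the talk's recommendation) only the label is
    shown. Without one, fall back to the least revealing pattern mentioned
    in the talk, the last two digits, so the disclosure does not grow as
    numbers get shorter the way a fixed leading+trailing count does.
    """
    if label:
        return label
    return UNKNOWN * (len(number) - 2) + number[-2:]


if __name__ == "__main__":
    # Constructed ten-digit number masked by two services with different rules.
    us_number = "4155558826"
    first3_last2 = mask_fixed(us_number, 3, 2)   # 415XXXXX26
    last4 = mask_fixed(us_number, 0, 4)          # XXXXXX8826
    merged = combine_masks([first3_last2, last4])
    print(first3_last2, last4, "->", merged, candidate_count(merged), "candidates")

    # Constructed seven-digit number: the same two fixed masks reveal all of it.
    short_number = "5551234"
    merged_short = combine_masks([mask_fixed(short_number, 3, 2), mask_fixed(short_number, 0, 4)])
    print(merged_short, candidate_count(merged_short), "candidate")

    # Label-based hint instead of digits.
    print(reset_hint(us_number, "work phone"), "|", reset_hint(us_number))
```

Running it shows the arithmetic from the talk: the two ten-digit masks merge to seven known digits and 1,000 candidates before any exchange or block filtering, while the seven-digit number merges to a single candidate, which is the "entire phone is public" case for short national numbers. The `reset_hint` fallback is the mitigation side: a label discloses nothing about the number at all.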