What is OSINT and How are Cybercriminals Using It

Imagine you’ve just returned from a work conference. You’re catching up on your email inbox when you suddenly receive a message from the conference organizers thanking you for attending and letting you know they have a special offer for executives in your area: “$500 off next year’s conference if you register today!”

You found the conference content extremely valuable and were already thinking about attending next year, so you click the link, fill out the registration information, provide your credit card information, and get back to cleaning out your inbox. Only later, when you notice you never received a confirmation email, do you start to think that something might be wrong.

The scenario I’ve just described has all the markings of a common phishing scam crafted by a cybercriminal using OSINT, or Open Source Intelligence.

“In layman’s terms, OSINT involves using public sources of information to generate intelligence,” explains Marcelo Barros, Global Markets Leader of Hacker Rangers. “Specifically in the virtual world, OSINT involves leveraging publicly available information on the Internet to obtain findings, collect evidence, or, unfortunately, in the case of cybercriminals, craft more convincing scams to trick victims.”

Barros, an IT veteran passionate about cybersecurity, has assisted clients worldwide with developing and deploying cutting-edge cybersecurity solutions. The Hacker Rangers platform enhances cybersecurity programs by providing online computer security training. It leverages gamification to make cyber awareness fun and engaging for organizations, ensuring employees stay up-to-date on the latest cybersecurity threats and the most effective ways to neutralize them.

In the example outlined above, the cybercriminals behind the phishing scam may have used OSINT drawn from the victim’s LinkedIn account, which revealed that they were at a conference and enjoyed their time there. From that point, cybercriminals could have identified the company where they worked and found their address on its website. All of the information needed to elevate the effectiveness of the attack was publicly available online, which is what makes OSINT attacks so popular with cybercriminals.

The evolution of OSINT

Utilizing OSINT to gain a deeper understanding of an individual is not a new practice. It’s been widely used in the law enforcement community for decades to conduct investigations.

As social media usage exploded in the online world, OSINT became easier. Criminals quickly figured out how publicly available information could be used for malicious purposes and adopted the techniques used for law enforcement and other legitimate activities.

Common OSINT schemes

A standard phishing attack typically uses email or text messages to entice people to share personal and sensitive information. Spear phishing is a unique type of phishing attack that focuses on a carefully chosen target by leveraging information that is unique to that target.

“Applying specific OSINT tools, criminals can craft even more effective phishing campaigns by obtaining in-depth information about a specific victim,” Barros explains.

While spear phishing requires more work than a bulk phishing attack, it is considered a much more effective technique. A recent study reveals that 50 percent of organizations studied were victims of spear phishing in 2022, with a typical organization receiving five highly personalized spear phishing email messages each day. While those numbers are relatively low in terms of overall attacks, representing only 0.1 percent of all email-based attacks, they were responsible for 66 percent of all security breaches.

OSINT is also used to fuel business email compromise (BEC) attacks, which involve fraudulent email messages made to look like they originated within a company. Cybercriminals using BEC attacks commonly pose as one of the company’s executives or other employees and ask team members to transfer funds or other sensitive information to fraudulent accounts.

OSINT supports BEC attacks by collecting information that makes the requests seem more credible. For example, cybercriminals might target a company renovating its office space by staging a BEC attack that requests money be sent to an account to pay for supplies or services supporting the work.

Steps for thwarting OSINT attacks

Social media networks have adopted strategies to discourage OSINT activities, including terms of service that strictly prohibit the scraping of data from users' profiles. Most networks also provide users with privacy settings that allow certain details to be hidden or shared only with certain users.

“The best step towards increased protection is to minimize online exposure as much as possible,” says Barros. “Think twice before commenting on something controversial on a public site, and enhance your privacy settings on social networks.”

Social media networks also recommend several best practices to prevent cybercriminals developing OSINT attacks from gaining access to helpful information. One is limiting location-based tagging, which prevents criminals from knowing a person’s location. Another valuable step for protecting personal and sensitive information is carefully reviewing the permissions users grant to third-party apps.

One of the best steps organizations can take to prevent OSINT attacks is providing effective training for all employees on the nature of the attacks and how they can be prevented. Cybercriminals know that OSINT attacks are very effective, so organizations that want to stay secure must be able to detect and repel them.
