One piece of evidence that adds value to investigating social media threats is the threat actor’s chosen username. Usernames can hold meaning to the individual, and as a result provide useful information when expanding investigations to different social platforms.
As we covered in our last OSINT post, connecting all known social media accounts to one user is a critical step in determining risk, and this begins with analysis of the threat actor’s username. In this piece, we’ll dive into the importance of researching usernames and how they lead to useful, investigative paths.
First Steps
Depending on the platform, the username which appears on the actor’s account can lead to other monikers you can explore that could act as investigational pivots. Questions security teams should consider include:
- Is there indication of an interest toward a niche hobby?
- Do the numbers within the username resemble a date?
- What could be the significance of this date?
- Is the username inclusive of their real name or a variant of it?
Security teams should also confirm the username displayed is the threat actor’s chosen name. Some social networks do not display a chosen username within the profile, but rather within the URL of the account. For example, we may see the username “PhishLabs” on the account’s page, but within the URL it may show www.examplesocialnetwork.com/PhishL0308. This opens the door to a pivot that should be scrutinized.
Usernames are often shared by the same individuals across different platforms as an identifier. By finding links to other social profiles within newly discovered accounts, security teams can create paths of investigation. Cross-referencing a username works best with unique names, and this will help you begin linking the usernames and their significance to one threat actor.
Username Background
It is also important to explore any historical usernames associated with the user. Previous usernames could still be used elsewhere online. On Twitter, for example, you can use the advanced search feature to discover other usernames which once belonged to the same user. In the (altered and redacted) example below, we ran a historical search for other Twitter users mentioning the PhishLabs account to identify any previously used usernames. These historical tweets do not change when the mentioned user changes their username.
From our search, we see two tweets posted by another user who mentions @PhishL0308, meaning that @PhishLabs once operated under this username. We can now begin to dive deeper into investigating other mentions of this account. Then, if applicable, build an idea of when and why the usernames were changed.
Usernames are often shared with the operating individual's email address. Running a search of PhishL0308 on other social networks led us to a post using this unique name as an email address, in addition to providing us with useful information regarding the individual’s name, school, graduating class, area of study, and link to a profile. This data can all be used as pivot points to further drive the online investigation.
As with everything online, shared usernames across different platforms and email addresses should never be taken at face value. It is important to complete your due diligence in making connections between the threat actor’s known profile and the information that becomes available to you in the course of your research, and to use sound judgement when coming to conclusions and gauging probabilities.
Learn about how PhishLabs can help: