Tip of the Hat
Quick tip of the hat to Michael Bazzell and Justin Carroll over at the Complete Privacy and Security Podcast. The offense and defense segment they do toward the end of each episode goes over one newer OSINT tactic and a way to defend your privacy against it. On a recent episode they discussed another people search site that popped up plus the opt-out link so you can have your information removed. That episode got me thinking about these types of sites and this blog is a result of that brainstorming session.
If you follow OSINT or Privacy techniques, then you are familiar with the main people search sites like Pipl, Spokeo and Radaris. As an OSINT investigator I try to stay familiar with both the main sites and the smaller websites that continue to appear. I notate the sites with reliable results for my investigation purposes and I make sure to opt my own information off the sites for privacy.
Opting out is not an easy task. It takes time and effort to remove your information from the multiple sites on the internet. Some sites have a simple opt-out page; others require valid ID submission as proof of your record before they will remove it. It's also not a one-and-done situation, since new search sites appear every few months.
There are 2 excellent resources I recommend if you are going to start down the path of opt out:
Once you feel like you have a handle on your publicly available info, set yourself a reminder and in about 6 months, go back and look for your info online again. Be prepared for another round of opting out and also don't forget about others in your household. Just because you removed all of your records from the internet doesn't mean I can't find a record of your significant other who happens to live with you now or in your past. The task of opting out is never ending. That said... can we do it more efficiently?
OSINT on the People Search sites
As I was checking out people search sites, something occurred to me. Why haven't I done OSINT on the people search sites themselves? On the OSINT framework photo I can see similarities in the names of the sites themselves. Peoplefinder.com vs. Peoplefinders.com and TruePeopleSearch vs. FastPeopleSearch are very similar in name. The look and feel of the websites are all pretty similar, so my thought process goes like this: what if some of these sites are the same companies? If they were, it would be pretty easy to just launch another website and connect their people database to the new URL. Maybe there is even a trigger for the database transfer, like a certain percentage of opt-outs. That is all speculation, but I decided to dig a little bit.
I started with 2 sites similar in appearance and name, Truepeoplesearch and Fastpeoplesearch:
They are visibly similar in layout, and the Terms, Privacy and Contact links toward the bottom of the web page are almost identical.
For a closer look I drop both pages into a comparison tool at Copyscape.com. Copyscape is part of a plagiarism checking service. It runs a quick side by side comparison of matching words on 2 different webpages.
With the pages matching each other at 97 and 99 percent, we can posit that even if this isn't the same company, both sites at least used the same legal template and just changed out the company name. They even have the same visible update stamp of April 5, 2017. I file this under interesting and add the comparison tool to my OSINT arsenal. Time to search a deeper level than matching words.
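The same kind of side-by-side word comparison can be run offline. This is an added example, not part of the original post and not Copyscape's method: it uses Python's difflib on two constructed policy snippets for made-up sites, and shows how blanking out each site's own name exposes a shared template.

```python
import re
from difflib import SequenceMatcher

# Constructed sample policy text for two made-up sites (not real page content).
PAGE_A = ("Alpha People Lookup respects your privacy. This policy explains what "
          "records we collect and how you can opt out. Alpha People Lookup may "
          "update this policy at any time. Last updated April 5, 2017.")
PAGE_B = ("Beta Person Finder respects your privacy. This policy explains what "
          "records we collect and how you can opt out. Beta Person Finder may "
          "update this policy at any time. Contact us with questions. "
          "Last updated April 5, 2017.")

def words(text, brand=""):
    """Lowercase the text, swap the site's own name for a token, split into words."""
    text = text.lower()
    if brand:
        text = text.replace(brand.lower(), " <site> ")
    return re.findall(r"<site>|[a-z0-9']+", text)

def match_percentages(text_a, text_b, brand_a="", brand_b="", min_run=3):
    """Return (% of A's words found in B, % of B's words found in A).

    Only runs of at least min_run consecutive matching words count, so
    scattered common words do not inflate the score.
    """
    a, b = words(text_a, brand_a), words(text_b, brand_b)
    blocks = SequenceMatcher(None, a, b, autojunk=False).get_matching_blocks()
    shared = sum(blk.size for blk in blocks if blk.size >= min_run)
    return round(100 * shared / len(a)), round(100 * shared / len(b))

if __name__ == "__main__":
    print("raw:       ", match_percentages(PAGE_A, PAGE_B))
    print("name-blind:", match_percentages(PAGE_A, PAGE_B,
                                           "Alpha People Lookup", "Beta Person Finder"))
```

The two numbers differ because each is measured against that page's own length, which is why a comparison of two near-identical pages reports a pair of percentages rather than one.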
In the world of penetration testing, sub-domain enumeration is used to find additional servers and machines on a network to increase the chances of finding a vulnerability for the pen test.
DNSdumpster has other features that I recommend exploring like the Domain mapping graphs and exporting the host info to an xls file, but more on that later. What I've found is my first potential link between 2 people search sites. To test my theory I want to try an opt out. Domain maps lead me to believe that PeopleFinders network is the larger one. In theory, if I opt out of the larger site, my info should drop off the smaller site as well.
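Once host info has been exported for several sites, grouping them by shared infrastructure can be scripted. This is an added example, not from the original post: it assumes the link shows up as hosts from different sites resolving to the same IP address (the post does not say what the link was), and the site names and addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed host records in the shape of an exported host list:
# (site, hostname, ip). Reserved .example names and documentation IP ranges.
HOSTS = [
    ("peoplesite-a.example", "www.peoplesite-a.example", "192.0.2.10"),
    ("peoplesite-a.example", "mail.peoplesite-a.example", "192.0.2.25"),
    ("peoplesite-b.example", "www.peoplesite-b.example", "198.51.100.7"),
    ("peoplesite-b.example", "optout.peoplesite-b.example", "192.0.2.25"),
    ("peoplesite-c.example", "www.peoplesite-c.example", "203.0.113.5"),
    ("peoplesite-d.example", "www.peoplesite-d.example", "198.51.100.7"),
]

def cluster_sites(records, max_sites_per_ip=5):
    """Group sites that are linked, directly or through a chain, by a shared IP.

    IPs used by more than max_sites_per_ip sites are ignored, since those are
    more likely shared hosting or a CDN than common ownership.
    Returns a sorted list of (sites, linking_ips) tuples.
    """
    sites_by_ip = defaultdict(set)
    for site, _host, ip in records:
        sites_by_ip[ip].add(site)
    links = {ip: s for ip, s in sites_by_ip.items()
             if 2 <= len(s) <= max_sites_per_ip}

    parent = {site: site for site, _host, _ip in records}

    def find(site):  # union-find root lookup with path halving
        while parent[site] != site:
            parent[site] = parent[parent[site]]
            site = parent[site]
        return site

    for sites in links.values():
        first, *rest = sorted(sites)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for site in parent:
        groups[find(site)].add(site)
    return sorted((sorted(members),
                   sorted(ip for ip, s in links.items() if s <= members))
                  for members in groups.values())

if __name__ == "__main__":
    for sites, ips in cluster_sites(HOSTS):
        print(sites, "linked by", ips or "nothing")
```

Sites A and D share no address directly but land in one group through B. A shared IP is a lead to test with an opt-out, as in the next section, not proof of common ownership.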
2 For 1 Opt Out Attempt
First I find my record on both sites to confirm I am a part of the database in both places. According to HowManyofMe.com there are approximately 142 people in the United States with the same name as me. It doesn't take long to find my record with just my name and the state I live in.
Submit for my confirmation
So my record drops off of PeopleFinders.com instantly, which is nice since some sites will tell you your record may take 24 hours or more to stop showing up in search results. Before I hit submit on the PeopleFinders opt out, I opened up my record in side by side browsers on the other site PeopleSearchNow. After the opt out submission I hit a refresh on the browser on the right and....
So my theory is confirmed: if multiple sites are indexing my data from the same company or server, I can opt out of multiple sites if I know which ones are connected. Since this is 2 sites out of many more that are online, I decide to dig further so I can determine if there are other ways the people search sites are connected.
Coming in Part 2
When I took a closer look at the company contact info for PeopleFinders, I noticed another company name in the mix. I've done some OSINT pivoting on business search sites like Manta.com, which look at business filings and business registration info. (Items like Duns Number, SIC and NAICS which you can read more about here)
Those pages can lead you to the company's executive names and business contact info like phone number and addresses. I'll take a closer look in part 2.
If you have any techniques to share or comments, please drop me a line on Twitter @baywolf88