Welcome back, my aspiring OSINT cyber warriors!
The Internet is the Largest Data Repository in the History of the World!
Imagine how much information you could extract if you had access to all the financial information of the target of your investigation. If you could see their bank information and their credit card transactions, you could potentially see where they are travelling, who they are paying, who their friends are, where they eat, what their habits were, and nearly all of their secrets. You may be able to!
As many of you know, Venmo is a mobile payments company based in the U.S. and limited to U.S customers. Begun in 2009 as mobile peer-to-peer payments app, it is now owned by PayPal.
Surprisingly, by default, Venmo still publishes every transaction including the senders name, the receivers name, any comment or emoji. The transaction amount is not published, though. This type of data can be invaluable to the researcher as it provides a list of close friends, activities, and sometimes even location. This data can be particularly useful when correlated with data from other social networking sites and other sources.
Update (April 9, 2021)
This technique was recently used by investigators to reveal US. Representative Matt Gaetz illegal payment to underage girls for sex. To read more about it, click here.
This further illustrates the importance of OSINT techniques in private and public investigations.
To harvest this data we will be using Venmo-OSINT. It is not in our Kali by default, so we will need to download and install it from github.com
Step #1: Download and Install Venmo-OSINT
Let's begin by downloading Venmo-OSINT from github.
kali > git clone https://github.com/sc1341/Venmo-OSINT
Next, we need to download and install all of its requirements. To do so, we need first change directories to the new Venmo-OSINT directory.
kali > cd Venmo-OSINT
Then, use pip3 and the requirements text file (requirements.txt) to download and install all of its requirements.
kali > pip3 install -r requirements.txt
Step #2: Harvest the User's Transactions
To harvest the users transactions, all you need is a username and a file to store the data (I have found using profiler to be particularly useful to identifying a user's account name). The syntax is simple;
python3 main.py --username <username> --filename <file to store data>
Let's try using it against a person who uses the username "mapley".
kali > python3 main.py --username mapley --filename mapleyvenmo
As we can see above, the user "mapley" has 5 transactions, two where he was the payer and three where he was the recipient.
The dates and comments can be enlightening.
Note the following;
1. Adam Kroft paid Mitch Apley "for family photos" on Dec. 2, 2019
2. Benjamin Apley paid Mich Apley for a car on Nov 13, 2019
3. Annie Burger paid Mitch Apley for movie on July 12, 2018
4. Mitch Apley paid Stephanie Zimmerman "for Solochek's stupid bracket game" on April 9, 2018
5. Mitch Apley paid Kristen McGirk "for Doha car service" on March 22, 2018 (we can presume that Mitch Apley was in Doha on that date or very recently).
So much information is available on the Internet if you know where to look and how to process it. Open Source Intelligence is the cutting edge of hacking, forensics and data science.
Venmo still makes public, by default, all transactions. A tool such as Venmo-OSINT can extract this information and we can use it to correlate it with other data on the target and simply draw a timeline of the friends and activities of the target of our investigation.
To learn more about OSINT, attend the upcoming OSINT training at Hackers-Arise!