Let me start with a quick note of apology for my long hiatus. I know you all come here every day just constantly hitting refresh, hoping and praying, for anything at all! Turns out life has gotten really busy, and between my work with NCPTF, Trace Labs, conINT, and everything else… writing has really taken a back seat. Anyway, I’m glad you’re here and hope you find something useful and new.
In late September, 2020, articles like these began popping up regarding a major user interface (UI) redesign for everyone’s 5th favorite social networking site, LinkedIn, intended to make on-platform searching even easier. If you’ve seen the newest mobile design, you probably felt the familiar comforts of a Facebook-style menu bar across the bottom, and “stories” bubbled across the top. Finally, 2020 has given us something besides politics, conspiracies, and videos of a still-terrifying Mike Tyson training maniacally, just to spend 48 minutes hugging an old boxing adversary on pay-per-view.
So, you may be asking yourself… “Why do I care if a lame, old people social media platform like LinkedIn is now more like other (also lame) old people social media platforms?” Just kidding, that was actually a test. If you actually thought that, this is where you get off the ride kid. Go TikTok about Tide Pods, or whatever it is you do, grown ups are talking now.
Anyway, in their effort to help job seekers better leverage their site during this tragically tough time in the job market, they’ve built out more robust search options to help their user base more easily find the content they’re seeking. This is not just great news for those in the job hunt, it’s also great news for investigators, because if you’re conducting online research, your ability to find what you’re seeking just got that much easier! If you’ve ever done online research over the LI platform, you already know that people there are much more inclined to use their full & real name, a good clear photo of their face, share up to date contact information, list personal details you might not find anywhere else, all while connecting to people they may know on other social platforms. All of these things make LI one of the must-check locations when conducting online people research. After all, they boast 760 million users!
So let’s get right to it…
This first screen can be found at the following URL: https://www.linkedin.com/search/results/people/?firstName=&origin=FACETED_SEARCH
As you can see, there are some default search options across the top, but if you click on the All filters button, you’ll see even more pop up on the right. Now before I move on, take note of something else here. Just like so many other social platforms, LI is already trying to push me content based on what it knows about me (well, what it knows about my sock puppet, browser, IP address, and other potentially identifying data points). As a researcher, you can certainly use that to your advantage, and as a privacy conscious person you may want to mitigate that, but that’s a post for another day.
In the “All filters” section, you’ll see the following options to select and sort your content by: Connections, Connections of (only works with people you are connected to), Location, Current company, Past company, School, Industry, Profile language, Open to, Service providers, and my personal favorite… KEYWORDS! Keywords for: first name, last name, title, company, and school.
Taking a look at the list of initial suggestions from the search home screen, let’s just say our target was someone who worked at Eat Just, Inc but we don’t have much to go on besides just a name, and we need some pivot points for our research. We know there’s a good chance someone working there will have a more open profile, especially people working in HR or recruiting type roles. Adding in a filter for current employment of Eat Just, Inc gives us 192 results. Unfortunately, many of the people we see here have their names hidden from non-connections. That’s no problem for a super-sleuth like you though!
We don’t have to look very far before we find someone currently employed there, with a more open profile, and a unique enough name to pivot away to another platform. Since we know many people will have friend crossover between LinkedIn and their other social platforms, you may want to jump to Facebook, IG or Twitter and begin a parallel thread of research there. Since Jessica’s name is visible, that’s a great place to start. A quick search on our old pals Facebook and Instagram give us plenty of pivot points to work with:
From there, we do a little digging and look to friends, associates, likes, comments, etc in the hopes we discover either our intended target, or someone else at Eat Just who may connect back to them. There are plenty of places to look beyond these sites though, so don’t stop there. One quick example thanks to a hit on Zoom Info via a very simple Google search gives us names of even more coworkers!
Ok, back to the search filters again, and this time a little story. (DISCLAIMER: everything about this story is completely made up except the obvious reference to the greatest cinematic achievement of our lifetime… Super Troopers.)
I want you to close your eyes for a minute and picture that it’s a post-Covid19 world. No masks, no hand sanitizer, no opening doors with super annoying foot pedal things. Where are you? What are you doing? Naturally, you’ve just pictured yourself at a bar, knocking back a couple drinks with your pals. Shallow, yes, but I like your style. Now let’s pretend that bar is at a wedding, and since we’re pretending… of course, it’s an open bar. You’re standing there, watching the bartender add a little extra ‘tini in your 4th appletini when up stumbles your soon to be brand-new acquaintance, demanding 6 Schlitz’s… or whatever’s free. (that’s the Super Troopers reference you uncultured slob, go watch it)
Jared, as you unnecessarily learn, just flew in from Chicago and recently graduated from Harvard (which he tells you several times). Ever the polite conversationalist, you stand idly by nodding and smiling all while wishing a meteorite would come crashing through the roof and send you to the great open bar in the sky. Now, it takes you a good 30 minutes to escape the never-ending, spittle-laced barrage of bro’s and for realz’s coming from Jared’s gigantic Harvard educated head, but eventually you catch a break when he’s drug out of the place by security, for not knowing a single person even remotely associated with the event. To celebrate, you turn back to the bar for another ‘tini, and see ol’ Jared left his money clip there with $100 in it! Now, you’re no thief, but Jared is long gone. So after you tip the bartender, you need to find a way to return his $70 and the clip! What to do?
What if a LinkedIn search could help you? Since we can’t assume Jared is from Chicago just because he flew from there, what if we assume he’s from the state of Illinois? Will LinkedIn let us search that broadly? Indeed, they will!
From here, how about adding keywords for the other 2 data points we have? “Jared” in the first name box, and “Harvard” in the school keyword box. This will catch all the different variations of Harvard schools listed in LI, and since some users don’t share their full last name for privacy reasons, we will likely catch more people this way anyway.
Boom! Just like that, you’ve got a short list of 10 Jareds from Illinois who attended Harvard and of those, 8 have profile photos!
Now, even though we all know this kind of Jared would for sure have a profile photo, what if none of those 8 matched, and you wondered about the other 2? Of course, you PIVOT! How about a search on other social media sites for a Jared of the same name who matches the information shown? Could you find a photo of Jared Bass who works at Google? Of course you can, superstar!
Eventually, you’ll find your Jared in the mix, and like all of Jared’s social media platforms, his DMs are open, so you can now be the good samaritan you were raised to be, and return that $30 in his money clip, knowing you did the right thing!
(DISCLAIMER 2: None of the Jareds you see here, especially the ones who are lawyers, would ever act like the Jared in our story. They all seem like very fine people to me!)
Another handy little feature of searching LinkedIn is that the pre-populated options in some filters update as you’re searching and narrowing down a list of people, to include actual places where the people on that list have worked. Once again, this is a feature where you may be able put their platform to work for you. These are the options for the Harvard Jareds in Illinois once you’ve conducted that preliminary search, so if your wedding crasher pal mentioned any of them you could further zero in by going back to the filters to see what’s there. Something to keep in mind for larger lists of results.
You may have also noticed a feature which allows you to search the people connected to someone. In order to use that feature, your account must be connected to theirs. That’s going to be off limits for all the no-touch OSINT practitioners out there, but may be something that’s in play for certain folks with different parameters, so I still wanted to call it out. You’ll notice the search box will only allow you to select connections you already have when you start typing a name:
HOT TIP: kind of unrelated to what we’re talking about here, but did you know that you can leverage a built-in feature of Outlook email to find the LinkedIn accounts of email addresses you’ve added to your contacts at outlook.office.com/people? Just add the email as a contact, and switch to the LinkedIn tab of their contact card! (make sure you’re signed in to your LI sock puppet) In the privacy questions, you can say yes to sharing information from LinkedIn to your Outlook account, but say no to sharing info from your account to Linked in and this will still work! Thanks Microsoft!
That’s all for this one folks. I hope you’ve grown a little more fond of using LI in your searches, or maybe gained a few ideas of how to approach this kind of research and leverage data points to pivot. If you’re interested in learning more about LinkedIn searches and going beyond these basics, I highly recommend these great articles and videos by some exceptional people:
Intelligence with Steve (Steve Adams) – A Guide to Searching LinkedIn by Email Address: https://www.intelligencewithsteve.com/post/a-guide-to-searching-linkedin-by-email-address
“Dutch OSINT Guy” Nico Dekens for the OSINT Curious Project – 10 Minute Tip: Viewing LinkedIn Profiles Anonymously (Video): https://www.youtube.com/watch?v=bIAdx3CAjtM
Sinwindie for Sec Juice – LinkedIn OSINT Part I & Part II: https://www.secjuice.com/linkedin-osint-part-1/ & https://www.secjuice.com/linkedin-osint-techniques-part-ii/
“Matt” Maciej Makowski for OSINTme – How to Conduct OSINT on LinkedIn: https://www.osintme.com/index.php/2020/04/26/how-to-conduct-osint-on-linkedin/
As always, you can find me on Twitter: https://twitter.com/hatless1der
and you can find my The Ultimate OSINT Collection Startme here: https://start.me/p/DPYPMz/the-ultimate-osint-collection