Image for post

What are the basic steps we can take when an international phone number appears in our investigation?


I felt the need to write down these notes after a Podcast from “The Quiet Professional” himself, Michael Bazzell. On March 6th, 2020, he posted episode number 160, titled: Telephone Search Offense & Defense. Great show, as always, but very US-oriented.

The thing is, I work with a lot of international phone numbers, from all over the world. I can therefore use Inteltechniques 6 tiers methodology on American numbers, but some of what was demonstrated is useless on some international numbers. So here’s how I usually do it.

First step: attribute and validate

Attribute

My first step is to try to identify from which country the number is. I don’t do that manually (by checking the list of international codes on Wikipedia for example) because countries share prefix and codes. I use the number analysis tool at International Numbering Plans.

As example, let’s take some random international numbers randomly found by Googling “our whatsapp number”:

source: https://www.shimansky.co.za/whatsapp
+27 84 537 3945

I already know where this number comes from, but let’s pretend we don’t and check it on Numbering Plans:

“source”: https://www.numberingplans.com/?page=analysis&sub=phonenr

Looks like we are going for a trip to South Africa. The network is “CELL C” for which an ultra quick Google search says “Cell C Limited is a South African mobile company and one of the top 4 leading network providers in the country”. The nice thing about this number is that it is a mobile number. To determine this, Numbering Plans interrogate the official ITU databases and gives you the result (If you need to know how, check the “About the company” page).

Investigating mobile numbers is what makes most of my job as an investigator when it comes to phone, mostly because I investigate people and not companies. Mobile numbers don’t give us the opportunity to locate them easily (compared to landlines) but they open a lot of other possibilities.

But first of all, let’s try to validate this number. We know it is in the range given to “CELL C”. Let’s use two other tools to confirm that (these tools are also used in Spiderfoot):

Numverify

No login necessary, you input the number and get a formatted or JSON answer:

{
   "valid": true,   
   "local_format": "0845373945",
   "intl_format": "+27845373945",
   "country_code": "ZA",
   "country_name": "South Africa (Republic of)",
   "location": "",
   "carrier": "Cell C (Pty) Ltd",
   "line_type": "mobile"
}

The information we get back confirms what we already have. Next stop:

Neutrino

You’re going to need an account for this one. It’s free and you can then leverage their API, but this time, let’s use the tool provided on their website:

{
    "valid": true,
    "country": "South Africa",
    "country-code": "ZA",
    "prefix-network": "Cell C",
    "international-number": "+27845373945",
    "location": "South Africa",
    "local-number": "084 537 3945",
    "type": "mobile",
    "currency-code": "ZAR",
    "international-calling-code": "27",
    "is-mobile": true,
    "country-code3": "ZAF"
} 

Everything checks. Notice how we now have three services that confirm the validity of these numbers. From what I understand though, “valid” only means the format is correct, not that the number is actually being used by someone… or something like a vending machine!

Validate

To actually determine if this mobile number has a real existence we have the possibility to use an old technique: Home Location Register (HLR) lookups. HLR is defined on Wikipedia as “[…] a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network. There can be several logical, and physical, HLRs per public land mobile network (PLMN), though one international mobile subscriber identity (IMSI)/MSISDN pair can be associated with only one logical HLR (which can span several physical nodes) at a time”.

To simplify, one can ask the network responsible for a number if it exists, if it is valid and, in real time, if and where it can receive calls or messages. HLR lookups are mainly used as a business tool: operators need to know if the number is a valid one when it enters a different mobile network. This query was MASSIVELY abused in the last couple of years by spammers and other asshats in the publicity business to validate numbers before sending massive amounts of unsolicited SMS.

As the phone is not directly interrogated by the lookup, it means that the phone status may have changed since it last updated the database but it also means that the user is not aware of the lookup, which is nice.

How do you send HLR lookups? Well it depends on the level of security you want. You can make your own requests, BUT you have to be connected to the SS7 network, the backbone of the SMS delivery system. I can’t really help you with that, sorry! But don’t worry, there’s another way.

You can use providers that, after a more or less thorough vetting process, will make the requests for you. You have to understand that you will have to abandon some privacy… and some money. The lookups are not free, but they are cheap. On one of the websites I use, https://www.hlr-lookups.com/ , each request costs 0.010 EUR or 0.011 USD. Another one I know, https://www.hlrlookup.com/ will charge $15.57 for 2500 lookups.

I will not vouch for any of these providers, I just use their services. Most of them have APIs as their clients usually process thousands of numbers.

HLR Lookup

Back to our example. I ran the number on https://www.hlr-lookups.com/ and got this result:

{
"id":"090932486ce0"
"msisdncountrycode":"ZA"
"msisdn":"+27845373945"
"statuscode":"HLRSTATUS_DELIVERED"
"hlrerrorcodeid":null
"subscriberstatus":"SUBSCRIBERSTATUS_CONNECTED"
"imsi":"65507"
"mccmnc":"65507"
"mcc":"655"
"mnc":"07"
"msin":null
"servingmsc":null
"servinghlr":null
"originalnetworkname":"Cell C"
"originalcountryname":"South Africa"
"originalcountrycode":"ZA"
"originalcountryprefix":"+27"
"originalnetworkprefix":"84"
"roamingnetworkname":null
"roamingcountryname":null
"roamingcountrycode":null
"roamingcountryprefix":null
"roamingnetworkprefix":null
"portednetworkname":null
"portedcountryname":null
"portedcountrycode":null
"portedcountryprefix":null
"portednetworkprefix":null
"isvalid":"Yes"
"isroaming":"No"
"isported":"No"
[...]
}

Let’s dive in. We have confirmation that the HLR lookup was successful (“HLRSTATUS_DELIVERED”) and that the number is presently connected to the network (“SUBSCRIBERSTATUS_CONNECTED”). MCC and MNC confirm that this number is managed by the South African provider “CELL C” (see https://www.mcc-mnc.com/). We also see that the number is valid and that it is not ported, meaning this number was not transferred from a provider to another.

We also see it is presently not roaming. Roaming happens when a number is connected on a network outside of the country of the home network. This value used to be useful, but for many countries, it is now defaulted to “not roaming” by the provider by the implementation of a privacy protection layer called “Home Routing”.

First step is done: we were able to validate and attribute the number as a mobile number in South Africa, managed by the Cell C.


Using what the information we have, let’s search through different sites.

Search Engines

It is always a bit tricky to search for phone numbers in search engines. If we search for “+27845373945” in Google, Yandex and Bing we don’t get any interesting result. But I know this is a south african number so if I Google “south africa phone numbers”, I find the format I should use:

source: https://www.google.com/search?q=sout+africa+phone+numbers&oq=sout+africa+phone+numbers

Searching for “+27 84 537 3945”, yields more relevant results and helps identify the number:

source: https://www.google.com/search?q=%22%2B27+84+537+3945%22&oq=%22%2B27+84+537+3945%22
You can try to lose the double quotes or change the format to gather more results. Keep in mind that numbers are frequent on web pages so be prepared to deal with a ton of false positives.

Also try to search for something like “*COUNTRY* caller id” or “*COUNTRY* reverse phone lookup”. You may find pages with information on numbers like the ones trying to reference scammer’s numbers or business numbers. In our example, searching for “south africa caller id” let me find an article on “How to check who called me South Africa”.

White/Yellow pages

Using the white or yellow pages is rarely useful in my experience, but it is a quick stop so, why not?

You can head to Infobel and check for the country you need or just search for the white/yellow pages for this country on Google/Bing. In our example, I found nothing. Again, in my experience, searching for mobile phone numbers in these websites is usually useless.

Caller ID

Next stop is Caller ID websites: the “Truecaller”, “sync.meor “tellows”. Usually linked to iOS or Android apps, some of these Caller ID websites have pages where you can search for numbers.

I usually don’t want to install that kind of application on my investigation smartphone (the physical one or even the virtual machine) because I don’t want the numbers I investigate to go in the Cloud via these apps.

Truecaller needs you to be logged in. I have a free email account especially for this. Here’s the result for our example:

source: https://www.truecaller.com/search/za/+27%2084%20537%203945

No login (but a reCAPTCHA) for sync.me, but it did not find anything:

source: https://sync.me/search/?number=27845373945

Nothing on tellows either:

source: https://sync.me/search/?number=27845373945

This example mirrors my experience with international numbers: most of the time, Truecaller is the only one with good results.

People search engines

My favorite one is Pipl. Now, you have to create an account to be able to search their database and I am lucky enough to have one. I will not search the South African number with my account for privacy reasons, but Pipl often yields very interesting results.

I am still searching for another reliable international people search engine.

Leaks/Pastes

For the last few years, I have gathered my own collection of leaked databases in the dark parts of the internet. I am aware that some researchers vehemently criticize the use of breached/leaked credentials. Good for them! I will not pass on this source of information that may help me track bad guys.

I usually run a search on my own database for the phone number I am investigating and then, I run it again in an online database. They are all “murky” and therefore temporary. The one I am using at the moment is DeHashed.

After that, I search “paste sites” like Pastebin or Paste2. I have my own Google custom search engine, but I found that the ones proposed by Inteltechniques and Netbootcamp are better than mine!

Classifieds

Last stop for this step will be to find and search relevant websites for ads with the phone number. Starting with a “*COUNTRY* OR *REGION* OR *CITY* classifieds” I will try to find the most important places I can search through. Let’s get back to the example. Searching for “south africa classifieds” gives back websites like olx and gumtree. The number does not appear on these websites.


Last step: investigate and pivot

The last step is the most interesting one: playing with what we collected to transform information into intelligence. We have a number, names, cell phone provider, status and we can start creating a profile for our target.

Apps

Mobile phone apps can make the difference between an anonymous mobile number and a relevant piece of evidence that will help us go forward in the investigation.

This is the most complex part. Not technically, but because of the plurality and diversity of applications that are available.

Don’t forget to search for the applications most used in the country of origin for the number. If you also know something about the target (like genre, age group or interests), use that to decide what the most relevant application might be.
source: https://www.similarweb.com/apps/top/google/store-rank/za/all/top-free

Now, get your mobile phone emulator or your investigative smartphone and enter the number in the contacts. Then, scroll through the applications you have previously installed and let the application access to your contacts to “find new friends” so it can compare the number with the numbers used by the registered users. If you are lucky, your target may have used this number in WhatsApp or Telegram or Twitter and you may have a new piece of the puzzle, something you can investigate further. A picture, a name, a username or a location.

Social media

Using the same routine, I will check which social media are the most frequently used in the country I am investigating (it doesn’t mean I will not investigate the other ones though!). Then I will use the internal search engine to find information about the number.

For South Africa, StatCounter reveals that Facebook and Pinterest are the most used social media.

soure: https://gs.statcounter.com/social-media-stats/all/south-africa
Again, for each piece of information you find, go back to your search engines, “Google/Bing/Yandex/Baidu” everything: numbers, names, usernames.

After you have gathered enough intelligence (something you have to evaluate yourself under the circumstances of your investigation), you have to think about what you are going to do with the phone number because it is a vector that could be exploited for social engineering and/or more aggressive techniques to gather intelligence.

This may be a difficult decision to make. Difficult enough for not discussing how to take it at the end of an article!


Remember one last thing: phone numbers are only a means to an end. They don’t exist without a link with the “real world”. Whatever you collect as information, you should put it in the perspective of the investigation and if you are working within a team, every discovery must be shared, discussed and explained to the other members. It is the best way to find pivot points that may put the investigation on a successful track!

The awesome image used in this post is called "Searching" by Aleksey Chizhikov.