Full Report
Collecting and running Open Source Intelligence (OSINT) campaigns across a wide array of public sources means ensuring those sources hold the most up-to-date information about your target. Skype, with over 300 million users, can be a vital source if used correctly. The graphic above shows over 70 million active members and over 500 million registered users. As with all things online, many users leak sensitive information about themselves that those with the right skills could harvest.
Analysis Summary
# Tool/Technique: Skyper (SensePost Maltego Transform)
## Overview
Skyper is a Maltego transform, part of the SensePost Toolkit, built for Open Source Intelligence (OSINT) gathering against the Skype platform. Its primary purpose is to search Skype for user information (names, aliases, email addresses) and to visualise the relationships between the returned entities, including their locations.
## Technical Details
- Type: Tool (Maltego Transform)
- Platform: Maltego (Used for data aggregation and visualization)
- Capabilities: Searching Skype by 'Names', 'Aliases', and 'Email Addresses', ordering results by location, retrieving linked profile information (e.g., Facebook links).
- First Seen: Published 11 January 2016
## MITRE ATT&CK Mapping
Since Skyper is an OSINT tool used for information gathering prior to an active intrusion, its mappings generally fall under Reconnaissance.
- **TA0043 - Reconnaissance**
- T1593 - Search Open Websites/Domains
- T1593.001 - Social Media (implied: Skype's public directory is queried as a social platform)
- T1589 - Gather Victim Identity Information
- T1589.002 - Email Addresses
- T1589.003 - Employee Names
## Functionality
### Core Capabilities
* **Skype User Search:** Enables queries against Skype using input entities like "Phrase," "Person," or "Email."
* **Data Return Limit:** Returns at most twenty entities per search, a cap imposed by Microsoft's Skype search rather than by the transform.
* **Location Correlation:** Ability to link returned Skype IDs by their associated location entities.
* **Profile Data Extraction:** Allows users to extract associated profile information stored within the Skype account (e.g., linked social media accounts).
### Advanced Features
* **Entity Linking:** Supports linking Skype entities based on location ("SkypeLocation" transform).
* **Chaining with Other Transforms:** Can be used synergistically with other OSINT tools (e.g., Namechk) to pivot from extracted Skype data (like a linked Facebook username) to discover additional online presences (like Pinterest accounts).
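The core capabilities and the location pivot described above can be illustrated with a minimal local transform. The block below is an added example, not SensePost's Skyper code: it emits the Maltego transform response message format (`MaltegoMessage` / `MaltegoTransformResponseMessage` / `Entities`) using the built-in `maltego.Alias` entity type for Skype IDs, keeps location and linked-Facebook data as additional fields, enforces the twenty-entity cap, and offers a SkypeLocation-style pivot that returns only the IDs sharing one location. The directory results are a constructed, offline sample, since the real transform queries Skype itself; the field names `display_name`, `location` and `facebook` are assumptions for the illustration.

```python
"""Toy Maltego local transform in the style of Skyper (added example, not SensePost's code).

The Skype directory results are a constructed sample so the example runs offline;
the XML follows Maltego's transform response message format.
"""
import xml.etree.ElementTree as ET

MAX_RESULTS = 20  # Skyper returns at most twenty entities per search (provider limit)

# Constructed sample of directory search results (placeholder data, not real accounts).
SAMPLE_RESULTS = [
    {
        "skype_id": f"user{i:02d}.sample",
        "display_name": f"Sample User {i}",
        "location": ("Cape Town", "London", "Berlin")[i % 3],
        "facebook": f"sample.user{i}" if i % 4 == 0 else "",  # only some profiles link Facebook
    }
    for i in range(25)
]


def _entity(parent, etype, value, fields):
    """Append one Maltego entity; non-empty fields become AdditionalFields."""
    ent = ET.SubElement(parent, "Entity", Type=etype)
    ET.SubElement(ent, "Value").text = value
    ET.SubElement(ent, "Weight").text = "100"
    extra = {k: v for k, v in fields.items() if v}
    if extra:
        af = ET.SubElement(ent, "AdditionalFields")
        for name, val in extra.items():
            ET.SubElement(af, "Field", Name=name,
                          DisplayName=name.replace("_", " ").title()).text = val
    return ent


def search_transform(results, limit=MAX_RESULTS):
    """Phrase/Person/Email input -> Skype IDs as maltego.Alias entities (capped at `limit`)."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for r in results[:limit]:
        _entity(ents, "maltego.Alias", r["skype_id"], {
            "display_name": r["display_name"],
            "location": r["location"],   # kept so the graph can be ordered by location
            "facebook": r["facebook"],    # pivot point for Namechk-style follow-up
        })
    ui = ET.SubElement(resp, "UIMessages")
    if len(results) > limit:
        # Tell the analyst the provider cap truncated the result set.
        ET.SubElement(ui, "UIMessage", MessageType="Inform").text = (
            f"{len(results)} matches, showing the first {limit} (provider limit)")
    return ET.tostring(root, encoding="unicode")


def location_transform(location, results, limit=MAX_RESULTS):
    """maltego.Location input -> only the Skype IDs sharing that location (SkypeLocation-style pivot)."""
    matching = [r for r in results if r["location"] == location]
    return search_transform(matching, limit)


def entity_values(xml_text, etype="maltego.Alias"):
    """Parse a response and return the Value of each entity of the given type."""
    return [e.findtext("Value") for e in ET.fromstring(xml_text).iter("Entity")
            if e.get("Type") == etype]


def ui_notes(xml_text):
    """Return the text of every UIMessage in a response."""
    return [m.text for m in ET.fromstring(xml_text).iter("UIMessage")]


if __name__ == "__main__":
    print(search_transform(SAMPLE_RESULTS))
    print(location_transform("London", SAMPLE_RESULTS))
```

Run it directly to see the two response documents; wired into Maltego as a local transform, the input entity's value would replace the sample list with a live directory query, and the `location` field is what lets a second transform pivot from a Location entity back to the IDs that share it.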
## Indicators of Compromise
As an external OSINT querying tool, Skyper itself does not generate typical runtime IoCs like malware would. The primary indicators relate to its deployment context (Maltego) and the operational queries it executes.
- File Hashes: N/A (It is a configuration/transform set for Maltego)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Queries are directed at Skype's public search endpoints over TLS; the transform generates no C2 traffic of its own, and any other outbound traffic comes from transforms chained alongside it.
- Behavioral Indicators: High-volume directory querying against Skype services from the analyst's machine, well above what a normal Skype client produces.
## Associated Threat Actors
The "SensePost Toolkit" is made available for public intelligence gathering and security research. It is not explicitly linked to malicious cybercrime groups in the context provided, but rather to security researchers and penetration testers utilizing legitimate OSINT methodologies.
## Detection Methods
Detection is focused on identifying the use of Maltego and the associated transforms, rather than detecting malware execution.
- Signature-based detection: Difficult; no YARA or signature rules for the SensePost Toolkit's transform configuration files are provided in the context, and Maltego itself is a legitimate, widely used application.
- Behavioral detection: Flag the query pattern characteristic of the transform, that is, bursts of directory searches against Skype endpoints from a single host. Because the traffic is TLS, a proxy normally sees only the destination hostname (via CONNECT or SNI), so detection rests on rate and volume rather than on request contents.
- YARA rules: Not provided in the context.
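The behavioural approach above can be reduced to a simple rate check over proxy logs. The block below is an added example rather than a published detection rule: it parses constructed proxy log lines (timestamp, source IP, method, URL), counts requests to a watched set of hostnames per source in a sliding window, and flags sources that exceed a threshold. The hostname `directory.skype.example`, the log format, the ten-requests-per-five-minutes threshold and the sample lines are all assumptions; in practice the watched set is populated from the Skype directory endpoints actually observed in your own proxy logs.

```python
"""Flag bursts of Skype directory queries in proxy logs (added example, not a vendor rule).

Log format, hostnames, thresholds and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: replace with the Skype search/directory hostnames seen in your own logs.
WATCHED_HOSTS = {"directory.skype.example"}
THRESHOLD = 10                 # requests within one window that we consider a burst
WINDOW = timedelta(minutes=5)

# "<ISO timestamp> <source IP> <METHOD> <URL>" (constructed format)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)")

# Constructed sample: one host fires twelve searches in twelve seconds, another sends one.
SAMPLE_LOG = "\n".join(
    [f"2016-01-11T10:00:{i:02d} 10.0.0.5 GET https://directory.skype.example/search?q=user{i}"
     for i in range(12)]
    + [
        "2016-01-11T10:01:00 10.0.0.9 GET https://directory.skype.example/search?q=alice",
        "2016-01-11T10:01:05 10.0.0.9 GET https://intranet.example/home",
        "garbage line that does not parse",
    ]
)


def parse(log_text):
    """Yield (timestamp, source, host) for every line that matches the expected format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["host"]


def flag_bursts(log_text, hosts=WATCHED_HOSTS, threshold=THRESHOLD, window=WINDOW):
    """Return {source: peak requests in any `window`} for sources at or above `threshold`."""
    per_src = defaultdict(list)
    for ts, src, host in parse(log_text):
        if host in hosts:
            per_src[src].append(ts)

    flagged = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it covers at most `window` of time.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in flag_bursts(SAMPLE_LOG).items():
        print(f"{src}: {count} directory queries within {WINDOW}")
```

The threshold needs tuning per environment: a legitimate Skype client also contacts directory endpoints, so the goal is to separate sustained enumeration from ordinary use, not to alert on any single query.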
## Mitigation Strategies
Mitigation focuses on limiting the exposure of sensitive data on Skype and monitoring internal network activity for unauthorized OSINT collection tools.
- Prevention measures: Users should tighten Skype privacy settings and minimise the profile data (real name, location, email address, linked accounts) that is exposed to directory search.
- Hardening recommendations: Restrict the installation or use of third-party investigation tools such as Maltego in controlled environments. Note that this only constrains collection from inside the organisation; OSINT against your users is normally performed from outside, so reducing exposed data is the control that actually matters.
## Related Tools/Techniques
* **SensePost Toolkit:** The overarching collection that contains Skyper.
* **Maltego:** The primary visualization and framework tool.
* **Namechk:** Website/tool used to pivot findings from Skype data (e.g., usernames) to check availability and existing profiles across other social media platforms.