Email addresses are one of our most public pieces of PII. We
are comfortable sharing them with strangers and publishing them on the
internet, and they are generally our public way of communicating.
However, when it comes to phone numbers, things change. We are more
selective about who we share them with, mostly because receiving
unsolicited phone calls is much more invasive. There are also security
implications when making your phone number publicly available. SS7
attacks, SIM swapping, phishing and scam calls are just a few of the
threats that originate from the target’s phone number.
What if it were possible to obtain someone’s phone number by only
knowing their email address? Beyond the criminal advantage, it could
be very useful to investigators, red teams and OSINT lovers.
In this talk, I will discuss techniques which when combined will let
you discover someone’s phone number via their email address. I will
also demo and release a tool that helps automate the process.
10. Combining accounts
012-XXX-6789: Ebay + Paypal, Ebay + Lastpass
0XX-XXX-6789: Yahoo + Lastpass
That’s 7 out of 10 digits from just the email address!!
012-XXX-XX89: Ebay
0XX-XXX-6789: Paypal
0XX-XXX-XX89: Yahoo
XXX-XXX-6789: LastPass
XXX-XXX-XX89: Google, Twitter, Microsoft, Steam
11. Let’s focus on which digits we know, not how many
012-XXX-6789
012: Area code or NPA
XXX: Exchange or NXX
6789: Subscriber
1000 possible numbers left…
12. NANPA (North American Numbering Plan Administration)
Maintains a public list of area codes and their exchanges
San Francisco’s 415 area code has 784 exchange numbers
Tacoma’s 253 area code has only 458 exchanges
https://nationalnanpa.com
13. National Pooling Administration
Number block area assignment in the 10 thousands
Area code + Exchange + 4 digits subscriber number
Sausalito has 7k residents. No need for 10 thousand block assignment
NPA manages smaller block number assignments in growth areas
Per FCC, first digit of the subscriber number is used for this purpose
012-345-6789
012: Area code or NPA
345: Exchange or NXX
6789: Subscriber
6: Block#
15. 253-XXX-9123
tacoma_resident@victim.com with ebay and Paypal account
1. ebay gives us area code
2. Paypal gives us subscriber number
3. NANPA gives us 458 valid exchange numbers for the area code ‘253’
4. NPA gives us 13 unassigned exchange numbers for the block number ‘9’
Only 445 possible numbers left!!
16. Still… 445 possible numbers…
We reduced the victim’s possible phone numbers
from 10 billion to 445 with just an email address and
publicly available information
🤔
17. Same attack vector… reversed!
Initially, we used the email address to harvest phone digits
Now we use the remaining numbers to reset passwords and harvest masked email addresses!
19. Attack vector
1. Harvest phone number digits initiating password resets with victim’s email
2. Use Phone Numbering Plan data to reduce the list of possible phone numbers
3. Harvest and correlate masked emails by initiating password reset with the remaining possible phone numbers
21. email2phonenumber features
Harvest phone number digits from major sites
Generate valid phone number lists from partial numbers based on the country’s Phone Numbering Plan
Bruteforce phone number password reset and correlate masked emails with the victim’s
Support for proxies to avoid captchas / IP banning
Easily extendable to support more online services
Available on Github
https://github.com/martinvigo/email2phonenumber
24. It gets worse…
Many do not adjust the PII mask for customers from other countries
Ebay, Lastpass, …
Some countries have 7-digit mobile numbers
Estonia, San Salvador, Iceland, Åland islands (Finland), …
Ebay + Lastpass exposes the ENTIRE phone number
Estonian victim’s number: (+372) 588 1179
😱
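The arithmetic behind the "Combining accounts" slide and the 7-digit case above, as an added example (not code from the talk or from email2phonenumber) that a service owner can use to see how much of a number their mask leaks once it is combined with other services' masks. The (prefix, suffix) policy table is read off the slide's masks; the function names and the 7-digit sample number are constructed for illustration.

```python
# Added example: combined exposure of phone-number masks across services.
# Each policy is (leading digits shown, trailing digits shown), read off the
# masks on the "Combining accounts" slide. Assumption: the counts stay the
# same whatever the number's length (the slides say Ebay and Lastpass do this).
POLICIES = {
    "Ebay": (3, 2),      # 012-XXX-XX89
    "Paypal": (1, 4),    # 0XX-XXX-6789
    "Yahoo": (1, 2),     # 0XX-XXX-XX89
    "LastPass": (0, 4),  # XXX-XXX-6789
    "Google": (0, 2),    # XXX-XXX-XX89 (also Twitter, Microsoft, Steam)
}


def revealed_positions(policy, length):
    """Digit indexes a (prefix, suffix) policy shows for a `length`-digit number."""
    prefix, suffix = policy
    shown = set(range(min(prefix, length)))
    shown |= set(range(max(length - suffix, 0), length))
    return shown


def combined_exposure(services, length):
    """Union of what all `services` reveal for the same number.

    Returns (revealed positions, hidden digit count, candidate numbers left).
    """
    shown = set()
    for name in services:
        shown |= revealed_positions(POLICIES[name], length)
    hidden = length - len(shown)
    return shown, hidden, 10 ** hidden


def render(number, shown):
    """What an observer of every mask can reconstruct (X = still hidden)."""
    return "".join(d if i in shown else "X" for i, d in enumerate(number))


if __name__ == "__main__":
    # "0123456789" is the slides' placeholder; "1234567" is a constructed
    # 7-digit number standing in for a short national format.
    cases = [
        ("0123456789", ("Ebay", "Paypal")),
        ("0123456789", ("Yahoo", "LastPass")),
        ("1234567", ("Ebay", "LastPass")),
    ]
    for number, services in cases:
        shown, hidden, left = combined_exposure(services, len(number))
        print(f"{' + '.join(services):18} {render(number, shown):10} "
              f"hidden={hidden} candidates={left}")
```

A candidate count of 1 means the masks together disclose the whole number, which is the 7-digit situation on the slide above.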
26. phonerator
An online service to generate phone number lists
multi-country support | detailed info | advanced filters | historic records
Stay tuned on twitter for updates and release date: @martin_vigo
27. Recommendations
For online services:
Use customizable labels instead of PII tidbits
“An SMS will be sent to 415-***-**12”
“An SMS will be sent to [CUSTOMLABEL]”
For you:
Never provide your real phone number to online services
Usually not required to use the service
If required, use VOIP numbers or dedicated SIMs
Use different email addresses or aliases
29. TL;DR
Attackers can use your email address to obtain phone number
digits from online services due to a lack of standardization in PII
masking. Combined with publicly available information and an
understanding of the country’s phone numbering plan, it is
possible to recover the entire phone number.
[Diagram labels: Security & Privacy, Online Services, UX]