As most of you know, my professional area of expertise in security is incident response, with an emphasis on system / malware forensics and OSINT. I’m fortunate enough in my position in the security education and con community to sometimes get pulled into other directions of blue teaming and the occasional traditional penetration testing. However, the rarest of those little fun excursions are into the physical pen testing and social engineering realm. In the breaking into buildings and pretending to be a printer tech realm, I’m merely a hobbyist. 🙂
Therefore, it was a bit remarkable that in the course of developing some training, there was a request for me to create some fake online personas that would hold up against moderately security savvy users. I think most of us have created an online alter ego to some extent, but these needed to be pretty comprehensive to stand up to some scrutiny. Just making an email account wasn’t going to cut it.
So Pancakes went on an adventure into Backstop land. And made a lot of amusing mistakes and learned quite a few things on the way. I’ll share some of them here, so the social engineers can have a giggle and offer suggestions in the comments, and the other hobbyists can learn from my mistakes. Yes, there are automated tools that will help you do this if you have to do it in bulk for work, but many of the problems still exist. (Please keep in mind that misrepresenting yourself on these services can cause your account to be suspended or banned, so if you’re doing more than academic security education or research, do cover your legal bases.)
What I messed up
I’m not going to waste everybody’s time talking about how to build an unremarkable and average character in a sea of people or use www.fakenamegenerator.com, nor how we always set up a VM to work in to avoid cookies and other identity leakage (including our own fat fingering). Those have been discussed ad infinitum. Let’s start with what happened after those essentials, because creating a good identity is apparently a lot more involved.
- It pretty much required a phone number from the get go. I spun up my VMs and created the base sets of email and social media accounts that an average internet user might have, but Twitter was on to me from the start. I wasn’t planning on involving a phone for 2FA at all, but their black box security algorithm tripped in seconds and made me use a phone to enable the first account. So, I’m pretty much terrible. Granted, there are plenty of online services that will give you a phone number, and I could have burners if I felt the need, but it added a layer of complexity. In a good move, it looks like most of social media is now spamming new users to enable 2FA.
- My super authorial D&D skills at creating dull people in big towns and reposting memes weren’t enough. I had to make friends and meet people to make the profiles pass as real. I knew that was going to be a challenge, but I didn’t expect it to become such a thought problem.
- Twitter was the easiest once I fleshed out the characters and followed a bunch of accounts they would like, then people following those accounts. Some people just follow back folks who aren’t eggs (I do). I quickly had 40 or 50 followers on the dummy accounts. I’m apparently big in the vegan cooking scene now.
- LinkedIn wasn’t too bad once somebody clued me into (LION) tags and good old 2000+ connection recruiter accounts. The people who participate in that essentially connect with anybody, regardless of the normal LinkedIn security and privacy rules about knowing people personally. So after making decent profiles, I just had to find a couple people with the tag, then fork out through 2nd degree connections in their vast networks to the correct industries and regions. Of course, I had to do a bit of strategic plagiarizing from other people in my characters’ professions’ skills sections to build believable people, first. (We have yet to see if they got any recruiter messages, but none of them had really lucrative careers.)
- Facebook was actually the one I struggled with the most, because you really need a starting point in your network to even add other people. I talked to a lot of security folks about my woes there and they made some good suggestions. The first was to play some Facebook browser games for a few minutes (I feel like my time with Candy Crush was worse than the dark web), then go to their community pages and plead “add me”. Again, people cheating the security / privacy system make it easy to gain a foothold. A couple popular games got me 50-100 friends, and from there by using Facebook’s lovely verbose search system, I could move my network into the regions that my personas “lived in”. For instance, if the character were from Chicago I would search for friends of friends of the connections I had made for people in Chicago, and those people were much more likely to add me because I was a “friend of so and so”. The other effective strategy people gave me was to present myself as an ardent fan of a sports team or political party in article comments. That worked pretty well, but not as fast as the games.
- Once I had some “friends” on Facebook, moving into specific workplaces and schools wasn’t too hard. Public Facebook Events at those institutions and their associated venues provide lists of lots of people to add who were almost certainly physically present. Again, once I had a few connections in that circle, it became exponentially easier to add more.
- Pinterest, YouTube, and Meetup were pretty easy – there’s really not a lot of verification of users there, by design. I liked them for this because they’re very public and tie the other social media profiles together nicely. I confess that I did lose my nerve when Meetup group sign up forms asked me detailed questions about my “kids” or my “spouse”, and stuck to ones that weren’t so intrusive, because that just felt creepy (says the woman who looked up a cached copy of your 2004 MySpace page).
- I don’t normally feel guilty when I’m hacking somebody in a pen testing engagement (it’s for a good cause), but I did feel a little weird and guilty interacting with unwitting strangers on the internet as other people. It definitely took me out of my comfort zone – not only did I have to role play other personalities with wildly different views, but I had to shake my normal security paranoia to do stuff like click “add friend” a lot without hesitation and leak data through privacy settings, strategically.
- I really had to commit to one character at a time to develop them into a person.
- Even in a clean VM, there was still apparent tracking to my IP space on LinkedIn! I didn’t bother to use a proxy or a public connection for an educational endeavor, but if I had to flee the mafia or something I would certainly keep that in mind. Internet advertisement tracking is insidious and possibly scarier than any nation state actor.
- Photos are everywhere yet were strangely really hard to come by. Fake identity creating sites like https://randomuser.me/ provide profile pictures, but anybody half decent at OSINT will immediately reverse image search a suspicious profile’s picture. Their stock art photos have been so abused that searching any one at random provides a trove of suspect business reviews and fake LinkedIn profiles (a blog of its own…). Again, since this was a legal and ethical endeavor, I just used a collection of donated (previously unposted) photos from friends, heavily visually filtered and transformed. Even that required a lot of careful checking for metadata and visual clues that tied them to a location. I’m sure there are more expensive stock art photo sources that are less abused, but I’m not sure how ultimately virginal even their photos are. Maybe I should invest in a good wig and glasses.
- This was time consuming, and I can see it becoming incredibly time consuming, which is the reason you use tools to automate the wits out of it if you do it regularly as a penetration tester. Facebook and Twitter timestamp content, and comprehensive ways around that are the kind of things social media companies give out hefty bug bounties for. On Twitter, you can retweet a year’s worth of old tweets in temporal sequence, but that will never change your publicly visible account creation date. Similarly on Facebook, you can manually change the date and location of posts, but your account creation date is still pretty easy to see based on other time data and your profile ID number. Ultimately, there seems to be no substitute for good old months and years of the account existing. If somebody has a workaround they’d like to share, I’m all ears.
What we can learn about OSINT and defense from this exercise
- Not new, but always good to reiterate: people bypassing security and privacy controls for convenience is a really big security issue. People who blatantly bypassed the personal connection requirements on Facebook and LinkedIn made my job a lot easier. If nobody had accepted my fake characters’ invites on social media, I would have been pretty stymied and stuck buying followers or building my own network to be friends with myself.
- As an adjunct to the first point, be mindful of connections via one of these “wide open” social media accounts (many hundreds of connections, or an indication in their profiles that they don’t screen requests).
- Reverse image search the photo, all of the time. Maybe on two sites! This should be something you do before dating somebody or making a business deal, just like googling their name. No photos are, as always, a red flag.
- Check the age of social media profiles even if they look verbose and well defined. Stealing other peoples’ bios is easy.
- Never be connection #1, #2, or #3 to a profile you don’t recognize (you enabler).
- Don’t accept connection requests from Robin Sage (or anybody else who presents themselves as a member of your community with no prior contact).
- In fact, don’t accept friend invites from people you don’t know even if they have 52 mutual friends and “go to your school”. I had 52 mutual friends and was bantering with the school mascot about a sportsball team I’ve never heard of, in a few minutes.
- Look for some stuff that’s deeper than social media and typical web 2.0 services when you’re investigating a person. My typical OSINTing delves into stuff like public records, phone and address history, and yes, family obituaries. Real people leave more artifacts online over the course of their lives than merely things that require a [Click Here to Sign in with Facebook], and the artifacts I listed are harder to fake quickly.
- Forget trust, verify everything.
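The checklist above boils down to a handful of red flags that can be scored the same way every time, so here is a small triage script I added to illustrate it. It is my own example, not a tool from the post or from any social network: the profile fields, the thresholds (one year of account age, 500 connections for a “wide open” account, the first three connection slots) and the three sample profiles are all assumptions I constructed to match the lessons listed above. Note that the mutual-friend count is deliberately never used as a trust signal.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Thresholds are illustrative assumptions, not values stated in the post.
MIN_ACCOUNT_AGE_DAYS = 365        # "no substitute for months and years of the account existing"
WIDE_OPEN_CONNECTIONS = 500       # "many hundreds of connections"
MAX_TRUSTED_SEED_POSITION = 3     # "never be connection #1, #2, or #3"
PRIOR_CONTACT_FLAG = "no prior contact outside the platform"


@dataclass
class Profile:
    """What a reviewer can see (or look up) before accepting a request. Field names are mine."""
    name: str
    created: date               # account creation date as shown by the service
    connection_count: int       # connections/friends the profile already has
    mutual_friends: int         # mutuals with the reviewer (not a trust signal!)
    mutual_via_wide_open: int   # how many of those mutuals are themselves "wide open" accounts
    has_photo: bool
    photo_reverse_hits: int     # other profiles found by reverse image searching the photo
    bio_reverse_hits: int       # other profiles found carrying the same bio text
    prior_contact: bool         # have we actually met or corresponded elsewhere


def screen_request(p: Profile, today: date) -> List[str]:
    """Return the list of red flags the post's checklist raises for this request."""
    flags: List[str] = []
    age_days = (today - p.created).days
    if age_days < MIN_ACCOUNT_AGE_DAYS:
        flags.append(f"young account ({age_days} days old)")
    if not p.has_photo:
        flags.append("no profile photo")
    elif p.photo_reverse_hits > 0:
        flags.append(f"photo reused on {p.photo_reverse_hits} other profiles")
    if p.bio_reverse_hits > 0:
        flags.append(f"bio text appears on {p.bio_reverse_hits} other profiles")
    if p.connection_count < MAX_TRUSTED_SEED_POSITION:
        flags.append(f"you would be connection #{p.connection_count + 1}")
    if p.mutual_friends and p.mutual_via_wide_open / p.mutual_friends > 0.5:
        flags.append("most mutual friends are wide-open accounts")
    if p.connection_count >= WIDE_OPEN_CONNECTIONS:
        flags.append("profile itself looks wide open (accepts anyone)")
    if not p.prior_contact:
        flags.append(PRIOR_CONTACT_FLAG)
    return flags


def decide(flags: List[str]) -> str:
    """Any hard flag declines; a stranger with an otherwise clean profile still gets verified."""
    hard = [f for f in flags if f != PRIOR_CONTACT_FLAG]
    if hard:
        return "decline"
    if flags:
        return "verify out of band"
    return "accept"


TODAY = date(2018, 6, 1)  # constructed reference date

# Constructed sample requests, modelled on the personas described in the post.
SAMPLE_PROFILES: Dict[str, Profile] = {
    "sock_puppet": Profile("Jane Persona", date(2018, 5, 2), 52, 52, 40,
                           True, 12, 3, False),
    "colleague": Profile("Known Coworker", date(2010, 1, 1), 300, 20, 2,
                         True, 0, 0, True),
    "old_stranger": Profile("Conference Acquaintance?", date(2014, 3, 3), 150, 5, 0,
                            True, 0, 0, False),
}


def triage_all(today: date = TODAY) -> Dict[str, str]:
    """Decision per sample profile; used both by the demo below and by tests."""
    return {key: decide(screen_request(p, today)) for key, p in SAMPLE_PROFILES.items()}


if __name__ == "__main__":
    for key, p in SAMPLE_PROFILES.items():
        flags = screen_request(p, TODAY)
        print(f"{p.name}: {decide(flags)}")
        for f in flags:
            print(f"  - {f}")
```

Run as-is it prints a decision and the flag list for each constructed request; the fake persona is declined on account age, photo reuse, copied bio and a mutual-friend list made of wide-open accounts, the genuine colleague is accepted, and the clean-looking stranger still lands in “verify out of band”, which is the “forget trust, verify everything” rule in code.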