Fake Identities

Imagine going to a social scene of your choice and meeting a cute guy or gal. They give you a name, a background story and you both seem to be hitting it off. You exchange numbers, text each other to make sure it goes through and make plans to chat later.

What if everything but the number given to you was made up?

This is what happened to a friend of mine. We’ll call her Z and I double checked to make sure she was alright with me talking about her story.

A guy, we’ll call him A, walked up to her in a social setting, gave a name and a background story and the two really hit it off. Because I was acting as a chaperone of sorts, I also met A and heard the background story which sounded too incredible to be true. But, I have heard crazy true stories before.

Throughout the year, Z told me about how her relationship with A and it was progressively getting worse. Eventually, with help from other friends, I finally convinced her to leave A. She did and that was that…so we thought.

A few months later, Z and I was talking and she mentioned that another woman dated A and had similar experiences. Suspicious, Z decided to ask if I could find as much information on A as possible. All I had was a name, a number, and a picture.

It is an obvious but often overlooked fact that we leave footprints on the internet. This is especially true for social media. With a simple search, you can find out where someone lives, their job title, email address, age, birthday, hobbies, fears, and more. It all depends on what that person shares in addition to publicly available records. The best part is that this is completely legal. No hacking. No social engineering. No threats or blackmail. Just searching.

I started the information search with the picture. It was of Z posing outside in the city. On the bottom right was writing. A new name, B. I immediately suspected that A was a fake identity but I still needed to find as much information as I could.

Rewinding a little.

A couple of months before I was asked to do this, I had made up a fake identity as well. Largely for playing on Capture-The-Flag sites and out of curiosity as to what will happen to social media accounts under this name. As a result, my fake persona had an email account, an internet phone number, a LinkedIn page, and a Facebook page. This fake identity of mine came in handy for information gathering later.

Back to the search.

My search for A and B both produced a website and a Twitter page with little information on it for each. The search for the phone number told me that it was a VOIP number and belonged to some small company. With the information I had, there was little I could find which came as a shock but raised more questions. Why would A/B, who has told people about his amazing life, barely have any information about himself online?

Fast forward a year and some months.

Z came across new information about A. Another woman was given a different name by A, C. This time, I was asked to see if C was A’s real name. I had three names, one phone number, and the previous findings.

Using my fake profiles, I searched Facebook and LinkedIn to see if I can find a page for C. Unfortunately, C was a pretty common name so I got hundreds of results back. Time for Google! The results did produce a twitter page which I did not need an account to view. On the page, I saw references to the small company that the phone number is registered to. A clue!

Back to Facebook, I checked for that company. It was a 2-5 man shoestring team with a heavy focus on machismo topics that only horny teenage boys would indulge in. I checked the company’s friends list and found a page for A. Following the link, I checked his friends but no mention of C. Found B but we all know that A and B is the same person.

A few hours later, I had exhausted all of my leads. I knew that A was connected to C through a phone number and the company. I had confirmed this by visiting the company website and searched for staff names. Beyond that, I had nothing but more questions.

Throughout the whole experience, I kept noticing the lack of pictures of A on social media profiles. Not one! It suggested that someone really took time to remove himself from the internet and replace it with at least one fake identity. Maybe two?

I gave my findings to Z who was planning to present it to the leaders of her social circle. I thought that was the end of it until days later, Z gives me a new name, D! It was a name I had come across before searching for C but did not explore because I felt it was outside the scope of the search. Now, it was fair game!

I already knew D was a part of the company A/B and C were a part of. A quick Google search produced a Facebook page for D. Using my fake persona, I viewed his page. The first thing that struck me was how similar D’s page was to the company’s Facebook page as well as A’s. I checked for D’s friends. Soon, my palm hit my face. There he was, C!

I followed the link to C’s profile. It was an old and bare profile. Fortunately, it did not matter. At the top of the page was a picture of a familiar face. I immediately recognized it as A! I had the proof I needed to show that A was in fact C!

I quickly wrote up my new findings and sent it to Z for her presentation. As far as I know, the social circle leaders were going to take action against C though I do not know what that action would be.

Looking back on the whole experience, it was a little unsettling that an amateur like myself could sift through multiple fake identities and find the real person. And it is not like the guy wasn’t trying to hide himself. Only one picture of his face on a hard to find profile page. An internet phone number belonging to a questionable company. Profile pages with very little information. Fake names. No physical address given. Yet, all it took was one forgotten link to uncover the truth.

The experience also reminded me of another simple truth. Fake identities are just that. Fake. Maybe there is some truth in the identities but there is always something fake. My fake identity does not share my name, age, birthday or job title with me. At the same time, I do not use my fake identity to represent myself in the real world as C had done.

My final thoughts on fake identities?

You can’t stop fake identities being created online. In fact, I just gave mine a twitter account this morning. I personally believe there is nothing wrong in creating a fake persona for online usage. Sometimes, you want to order something and have all of the following spam sent to the fake account. Other times, you’re researching questionable and have to provide an email address. Fake personas and internet numbers are great for that. The real issue comes about when that persona is used to represent you in the real world or legally. If I used my fake identity to represent me in the real world, someone will dig into it and find cracks. Eventually they will find me. Because I actually exist.

Another Place To Hack Legally

First things first.

Since Covid19 has been declared a pandemic, we should do everything we can to help limit the spread of the virus. The CDC has great information on how to do so.

And please. Don’t buy up all the toilet paper and face masks!

With Covid19 spreading in the US, a lot of companies are changing they way they continue business. Cybersecurity businesses are no different. I’m going into my 3rd week of remote work and there are company memos about what is being done to accommodate people and what our state is doing to combat the spread. Since I live near Seattle, you can imagine that daily life has been impacted greatly.

However, it is my belief that if you’re in the cybersecurity industry, you continue to find ways to improve your skills or to take time to mentor others. There are many ways to accomplish this. For me, I like learning about pentesting methodologies to help with my network traffic investigations. To that end, I want to share a new website I recently ran across via Reddit.

The site is called tryhackme.com and I have been addicted. Cutting myself off from the general public most days due to the virus doesn’t help with the addiction either. The easiest way to describe the site is something of a cross between HackThis, Cybrary, and HackTheBox in all the good ways! Since I have started playing on the site, I have improved my nmap and metasploit skills as well as being introduced to new tools and concepts. Even got to do my very first privilege escalation! It is one of those things you always hear about but never quite sure how it is done. And that is what I love about this site!

The main feature of TryHackMe is the different “rooms” you can join to learn. Each room has an overall objective and, like Cybrary, there are steps on how to complete the objective. Each step has some kind of confirmation that you completed it. Sometimes it is as simple as clicking the “completed” button. Other times, you need to submit the correct answer. One thing I like about these steps is that it does not feel like it is holding your hand through every little step. When I used Cybrary’s virtual machines for learning (roughly $100/month), I got annoyed when the steps told me how to logon to a machine with a username and password. This wasn’t through something like SSH or RDP. I was already interacting with the virtual machine and had the username/password on hand. Yet, I often would find tutorials instructing me how to login. Or how to open Windows command line…I digress.

Like HackTheBox, in each room you can deploy a virtual machine and connect to it through an OpenVPN tunnel, but unlike HackTheBox, you are not completely alone when trying to hack into the machine. The steps are usually well written and easy to follow that even a novice, oh say like me, can get that sweet forbidden access to the machine. If you get stuck, there is sometimes a “hint” button to point you in the right direction. Similar to HackThis. Another similarity to is that TryHackMe has something for absolute beginners to more advanced users. Plus, no need to hack the site to get access! (I’m looking at you, HackTheBox.)

Although you can use the site for free, I would recommend the subscription plan if you can. It is about $10 a month and gets you access to all of the content including the “learning paths”. I’m currently on the OSCP path which has got me thinking I should take the exam one day. And some of the subscription rooms have been a real joy to work in!

If you have an interest in pentesting or just want to see hacking concepts in action, I highly recommend giving the site a try!

Now, to go back and finish the Kenobi room!