When we look at online social media, it has been adopted in one flavour or another by nearly all of us. The way we project our persona online has slowly replaced the media of yesteryear. Expression is nothing new; throughout history, people have displayed their wealth, status, literary prowess and wit in the hope of being desired, feared, pondered and admired.
Of course, the academics have always authored papers, the eccentrics saw fit to walk lobsters down the street, and the ancient Egyptians built pyramids. It’s part of what makes us human; it’s been at our core from the moment we scribbled pictures on cave walls.
It’s more than showing off. It’s a form of expression – a statement that says:
This is me. This is what I am about. These are the things important to me.
We now share a lot online, this much we all know. For whatever reason, we feel the need to connect with people, and in this very exchange of expression, we can suffer the same pitfalls and rewards as in many other aspects of life. Not everyone has the intentions they claim to have, not everyone is who they say they are, and sadly, we can rarely define someone’s motive until the time has passed and the interaction has run its course.
What’s almost unique about social media, though, is the fact we can build these identities almost separate to our real lives. I’ve never seen a LinkedIn profile that says, “I just want to steal your contacts” in the bio. I’ve never seen a Facebook account that says, “I am just trying to befriend you to gain intel, so I can defraud you later.”
Then again, what we post on social networks is hardly ever what it appears to be. That picture of your new flashy company car on LinkedIn screams insecurity. The picture of your perfect family on Facebook can mask a different reality. The way you rant about Trump/Cameron/May/Brexit says to me you are craving your intellectual side to be acknowledged by your peers.
So, we are good people that shape our social media profiles to reflect us and to assist ourselves; to make ourselves feel better; whatever. But not everyone is good, and it’s vital to look at what actions people are doing in order to assist their nefarious activity.
Let’s run through this in stages, comparing the difference in good and bad.
Good: “When I create my profiles, I want to be acknowledged and found. The more information I can make true and accurate, the better I will fair at this. No point creating an account in a false name and then bragging about that holiday after all. I am going to use as much detail as I feel comfortable sharing. I might add a little quirkiness in there because I want people to know I’m not a square but not too much they will wonder who my shrink is.”
Bad: “Anonymous is king. Whatever name I choose, I need it generic, untraceable and sure as hell not my own. Also, the chance to connect physical evidence at this stage will bite me later. Facebook, Twitter and LinkedIn won’t think twice about sharing my IP at a later date if requested by the police. I am going to crack up a few compromised proxy servers I have laying about and proxy chain on to the account creation page (after creating a new fake email address, of course). As for the account basics, I am going to fill in the details using information that will match my intended pretext.”
Good: “I want a profile picture that makes me look a little slimmer, ideally in a social setting or passively displaying some wealth. This way people will hopefully see that I am the confident, successful, social butterfly that I am. Details about my life I am going to include: my prestigious and expensive education and my work history. Okay, maybe not all of my work history because I don’t want my peers at my fancy job to know I spent three months at age 20 working in a packing factory because I was desperate for cash. Once the basics are in, I will just naturally build up content over a period of time. Interesting things; things I wish to display.”
Bad: “My overall motive today is to get accepted into the social circles of a large shipping company. I am going to be an accountant I think, no, no – too obvious. I am going to be a ‘Service Delivery Manager.’ I don’t think anyone knows what they do… The actual content has to be perfect, too, so I don’t want to be caught out early with some clever Google reverse image search. I am going to use a hacked iCloud account I have to copy out someone else’s photos and life. Once obtained, I will change the shape of the photo, add a filter and bingo. Ideally, I’d like people to think my first intention isn’t to defraud them, so I will type out some clever things from old books that match my pretext and build up some articles and such as to not give the game away so easily. I am going to be charming, witty and never confrontational or rude.”
Good: “I’d like to connect with some old friends and business colleagues, so I am going to add them with my new social media profile. I haven’t really given the motive too much thought but ideally, I’d like just enough people from my past to see I am doing well and to make some good contacts in the industry I am in – hopefully, to better my career and social circles. You never know… I might have an interesting conversation or get headhunted for an even better job. Oh nice! Sharon is on here, too! I am going to have a little harmless snoop.”
Bad: “Intel and cash. The more people I add, the more details I can get about them. The more intel I have, the better I can knock out phishing emails to them. The more successful phishing emails I send out, the more money I can steal directly and the better I can manipulate them and build their trust to use them for my devious little plans. I am going to systematically start adding irrelevant pawns to my circles to give me credibility by numbers. I am going to search businesses from all over the world and start adding random people. Some people won’t like this, but hey, at least 20% will add me, anyway. Once I have enough of a profile to look semi legitimate, I am going to start adding employees from my target company.”
Good: “I am really happy. I got the chance to go out for a drink with my old high school friend, John. I am enjoying the way social media connects me with my friends and colleagues, in general. People talk to me about that holiday I went on, and it feels great to share my life with people I choose. I don’t really have any quantifiable results, but hey, it’s all been fun.”
Bad: “I started adding people from my target company, I think it was the fact I chose the profile picture of a buxom 27-year-old woman but after a while, people from the company were adding me. It happens every time I do this, but after I make about 10 connections with a company, they start adding me! It’s crazy! I kept this going over a period of one month and slowly added up to half of the company. The managers don’t know who I am because they don’t really care, whereas the lower level employees don’t have the confidence to call me out. I have about 376 connections now from the company. Using the export contacts feature of LinkedIn, I am going to send their details to a CSV and start working on my bounty – data. It doesn’t take long to turn these into a list of 376 email addresses that I will use later to send ransomware and phish for login details. Once I have ingress to their corporate emails, I plan to utilise their email directories to get them all. Before that, though, I am going to send a few flirty messages to the head of finance. Sometimes I don’t just want data. I am at my most devious when I want to know all I can about one or two high-ranking people within an organisation. With a bit of luck, I can arrange to meet them, blackmail them, or use one or two marks to assist in making some fast cash.”
This blog post is intended to open up people’s minds when it comes to using online social media. In its few scenarios, it doesn’t even come close to displaying the definitive reason people lie about who they are. The internet is such a wonderful thing for society but it is also just another medium that connects people with people, criminals with the decent, and all too frequently, bad with the good. Stay safe please, and brush up on the most common types of scams on Facebook, Twitter and LinkedIn.
If you would like assistance in testing for issues like these, make contact today.
Further reading can be found in our informational PDF
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited, he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.