OTPs as Second Factor
In our line of work, we occasionally have to do things that people in our increasingly digitally defined existence frown upon: We create and use fake Facebook profiles. Because, according to honest Facebook users, surely something shady must go on when there’s need for a fake profile. Besides, Facebook is serious business, right? So let’s do away with the social conventions for a minute and have a look at how to fake a person.
In the process of this article, we’ll look at how to create the perfect profile, how to get friends and we’ll encounter a strange effect that sets in about two weeks after making the profile. I will share knowledge with you that that we’ve accumulated over the course of many a Social Engineering project for our clients. And all in all, I hope that I can help people maybe spot people who don’t actually exist and who wish to cause them harm.
On a side note: Twitter seems to be less afflicted by the problem of having to have a real name. There’s Riker Googling Drunk Hulk InfoSec Taylor Swift and many others that are anything but the real deal, but still manage to be popular and socially accepted. But that’s just a side note. So we’re dealing with a problem that only affects Facebook.
Of course, making a fake profile is easy. After all, Facebook wants their new users to have a fairly quick signup process so that they can get right to the part where they supply all their information willingly for marketing purposes. However, we are information security professionals, so we come with a goal in mind. We don’t want to entertain the masses like Drunk Hulk or Riker Googling. We want to pass as an everyday person. We want this because we’re after a certain, occasionally very specific, target and/or piece of information. Due to NDAs and our general vow of secrecy about clients and data, I can’t really tell you more about this. Just this: We do not go into any project of this sort without clearing it with legal and after having a good, legitimate reason for doing it.
Therefore, it’s important that we can pass as a real person. Nobody believes that Drunk Hulk is actually the inebriated version of the Marvel Comics character. And nobody would tell Drunk Hulk any sensitive information.
Before you even touch Facebook, you need to know who the fabricated person is. Because there’s an important lesson to be learned here: Facebook does not give you an identity, you give it to Facebook. All philosophical implications aside, this basically means that you need to be someone before you try to be someone credible on Facebook.
Let’s start at the beginning then. Nobody is born on Facebook. We’re born in the real world. Here’s where we need to start. Pick any larger city that you have at least some cursory knowledge of. Or a place where there’s plenty of information about. For this example, I’ll pick Zürich.
Why Zürich? There are a number of reasons:
It is vital that our persona is unknown and that we can claim that he or she went to events. Large gatherings such as the annual music festival Street Parade are events where basically everyone goes, but nobody knows anyone. It is entirely possible that our persona was there and partied with a number of people and they don’t remember meeting our fake person afterwards. Which, of course, they didn’t. Because that person doesn’t exist.
Thus: Our persona is from Zürich. Whether or not he or she is a native remains to be seen and can be neglected when it’s just about a credible Facebook profile.
Men and women use the Internet differently. Just how differently is subject of debate, but it is undeniable that women behave differently when online when compared to men. A quick look at some of the studies on the subject reveals the following. Mind you, these findings have been made since 2008 and they might contradict each other:
These are not all the things that scientists have discovered about the gender differences in Internet use. These examples are just there to give you a bit of an overview, because the point to be made here is this: Faking the other gender is really difficult. This doesn’t mean that it can’t be done, but it’s just very difficult. Because a lot of the typically female behaviours online, much like the typically male ones, are not the one defining thing but a collection of small things such as posting pictures and the amount of smileys used.
Thus, our persona is male.
When does it pay off to switch genders? Rarely, because being a consistent member of the other sex is quite the chore. It does however pay off when the target has a hobby that is at least partially partially about impressing the opposite gender, such as car tuning.
There’s a lot in a name. It will be the main thing that our persona will be associated with. A name gives us information about where our persona is from. It betrays heritage to an extent and is debated to have a direct effect on the wearer’s social and academic status. In German, there’s a rather cynical saying that the name Justin in young people under 20 years of age is a not a name, but a diagnosis. Justins are typically ill-behaved, not good at school and – for some reason – enthusiastic about sports. Or DeShawn is a very typically African American first name. Kim is a very Korean last name. And although economist Steven Levitt and journalist Stephen J. Dubner, the authors of Freakonomics, have proven that a name like JaMarcus «doesn’t have to lead to a life of poverty and crime, the stereotype persists. Much like Mr. Kim is not necessarily a dictator and Justin might not be the nightmare he is said to be.
In Zürich, JaMarcus would stand out more than Justin would. But Justin at least implies that the wearer of the name is a bit of a tool, again due to common stereotypes. Mr. Kim would also not exactly be as subtle as we’d like, because, remember: the goal is to get a persona who is credible. There are not many men called JaMarcus or any other clearly ethnic name.
Picking a name is hard. Luckily, the Swiss have a public phone-book that can be searched by first and last name. You know how you always know which last names are pretty common around a place? In Zürich, and in the entirety of Switzerland to be honest, the last name Müller is fairly popular. Everybody in Switzerland knows at least one person with that last name. In the USA, this could be Smith.
The same thing can be done with a first name. What’s the most common first name? It doesn’t have to add up by the numbers, but in general, the final name should be a name everyone knows. For our example, we’ll go with Thomas Müller. This has several advantages.
However, be aware that a name that is too inconspicuous might raise suspicion. In German, that would be something like Hans Müller or Hans Muster, in English John Smith or John Doe. Would you trust these guys?
So Thomas Müller from Zürich it is. Let’s get down to the details. A person needs a job. Most internet users are now in the age where they work. Our job needs to be untraceable.
And when Thomas Müller isn’t working in his anonymous job, he has hobbies. Here’s where it gets tricky. Because depending on why you’re doing this, you can make or break it here. In our line of work, we often make up a person who appeals to one specific other person. So the hobbies need to kind of match. And even if we know the target’s hobbies, then picking the exact same ones might make it too obvious.
So with gender, name and current personality fleshed out, it’s time to take to Facebook. What might help, though, is that you know where your persona comes from. Why is Thomas Müller the way he is? Where did he come from? Did he grow up in Zürich? If not, where? Why does he like the things he likes? Does he have a girlfriend? A wife? Children, even? I voted against those, seeing as it’s unlikely that a married man would not be friends with his wife on Facebook.
When finally making your profile, there are a few last things to observe:
After our persona has a Facebook, it’s time to get social. Because that’s what Facebook was made for. A few dozen friends later, something strange will start to happen. Random strangers will befriend you. You will get messages from them, ranging from «Hi, how are you?» to «I want to make sweet love to you, random internet stranger». The latter prevail if you have picked a female persona. But often, these things are so monumentally stupid that I’d be surprised if anyone fell for these obvious plots. Even Facebook is pretty good at finding the spammers, and it’s not hard to fool Facebook.
The weird thing about this is that the persona these people all want to be with is not real. It has never existed and will never exist. Because we made it up.
In this guide, I’ve probably told you things that you can use to cause others harm. You can use this knowledge for stuff that is not directly related to information security. And the thing is, I have no means of knowing what you’ll do with the knowledge. So I’m just going to appeal to you. Remember the words of Stan Lee from the pages of Spider-Man’s first comic book appearance: With Great Power Comes Great Responsibility.
Let our Red Team conduct a professional social engineering test!
Our experts will get in contact with you!
Further articles available here