In our line of work, we occasionally have to do things that people in our increasingly digitally defined existence frown upon: We create and use fake Facebook profiles. Because, according to honest Facebook users, surely something shady must go on when there’s need for a fake profile. Besides, Facebook is serious business, right? So let’s do away with the social conventions for a minute and have a look at how to fake a person.

In the process of this article, we’ll look at how to create the perfect profile, how to get friends and we’ll encounter a strange effect that sets in about two weeks after making the profile. I will share knowledge with you that that we’ve accumulated over the course of many a Social Engineering project for our clients. And all in all, I hope that I can help people maybe spot people who don’t actually exist and who wish to cause them harm.

On a side note: Twitter seems to be less afflicted by the problem of having to have a real name. There’s Riker Googling Drunk Hulk InfoSec Taylor Swift and many others that are anything but the real deal, but still manage to be popular and socially accepted. But that’s just a side note. So we’re dealing with a problem that only affects Facebook.

Of course, making a fake profile is easy. After all, Facebook wants their new users to have a fairly quick signup process so that they can get right to the part where they supply all their information willingly for marketing purposes. However, we are information security professionals, so we come with a goal in mind. We don’t want to entertain the masses like Drunk Hulk or Riker Googling. We want to pass as an everyday person. We want this because we’re after a certain, occasionally very specific, target and/or piece of information. Due to NDAs and our general vow of secrecy about clients and data, I can’t really tell you more about this. Just this: We do not go into any project of this sort without clearing it with legal and after having a good, legitimate reason for doing it.

Therefore, it’s important that we can pass as a real person. Nobody believes that Drunk Hulk is actually the inebriated version of the Marvel Comics character. And nobody would tell Drunk Hulk any sensitive information.

Start at the Beginning

Before you even touch Facebook, you need to know who the fabricated person is. Because there’s an important lesson to be learned here: Facebook does not give you an identity, you give it to Facebook. All philosophical implications aside, this basically means that you need to be someone before you try to be someone credible on Facebook.

Let’s start at the beginning then. Nobody is born on Facebook. We’re born in the real world. Here’s where we need to start. Pick any larger city that you have at least some cursory knowledge of. Or a place where there’s plenty of information about. For this example, I’ll pick Zürich.

Why Zürich? There are a number of reasons:

• I know Zürich
• It’s big enough to remain anonymous
• It’s got a significant number of people that moved here from all over the world
• There’s a constant flow of people in and out of the city
• Plenty of people just claim to be from here but live somewhere in a nearby smaller city

It is vital that our persona is unknown and that we can claim that he or she went to events. Large gatherings such as the annual music festival Street Parade are events where basically everyone goes, but nobody knows anyone. It is entirely possible that our persona was there and partied with a number of people and they don’t remember meeting our fake person afterwards. Which, of course, they didn’t. Because that person doesn’t exist.

Thus: Our persona is from Zürich. Whether or not he or she is a native remains to be seen and can be neglected when it’s just about a credible Facebook profile.

Pick Your Gender

Men and women use the Internet differently. Just how differently is subject of debate, but it is undeniable that women behave differently when online when compared to men. A quick look at some of the studies on the subject reveals the following. Mind you, these findings have been made since 2008 and they might contradict each other:

• Women blog more about family and friends on Myspace. (Jones, S., Millermaier, S., Goya-Martinez, M., & Schuler, J. (2008). Whose space is Myspace? A content analysis of Myspace profiles)
• Men from Sweden are intent on displaying a heterosexual image. (Sveningsson Elm, M. (2007). “Gender stereotypes and young people’s presentations of relationships in a Swedish Internet community”.) These findings are somewhat representative of the internet as a whole.
• Women post more pictures of them and their friends and name their best friends more explicitly. (Sveningsson Elm, M. (2007). “Gender stereotypes and young people’s presentations of relationships in a Swedish Internet community”.) These findings are somewhat representative of the internet as a whole.
• Women post more comments, these comments are often more positive than the posts by males. (Thelwall, M., Wilkinson, D., Uppal, S. (2010). Data mining emotion in social network communication: Gender differences in MySpace

These are not all the things that scientists have discovered about the gender differences in Internet use. These examples are just there to give you a bit of an overview, because the point to be made here is this: Faking the other gender is really difficult. This doesn’t mean that it can’t be done, but it’s just very difficult. Because a lot of the typically female behaviours online, much like the typically male ones, are not the one defining thing but a collection of small things such as posting pictures and the amount of smileys used.

Thus, our persona is male.

When does it pay off to switch genders? Rarely, because being a consistent member of the other sex is quite the chore. It does however pay off when the target has a hobby that is at least partially partially about impressing the opposite gender, such as car tuning.

Choose a Name

There’s a lot in a name. It will be the main thing that our persona will be associated with. A name gives us information about where our persona is from. It betrays heritage to an extent and is debated to have a direct effect on the wearer’s social and academic status. In German, there’s a rather cynical saying that the name Justin in young people under 20 years of age is a not a name, but a diagnosis. Justins are typically ill-behaved, not good at school and – for some reason – enthusiastic about sports. Or DeShawn is a very typically African American first name. Kim is a very Korean last name. And although economist Steven Levitt and journalist Stephen J. Dubner, the authors of Freakonomics, have proven that a name like JaMarcus «doesn’t have to lead to a life of poverty and crime, the stereotype persists. Much like Mr. Kim is not necessarily a dictator and Justin might not be the nightmare he is said to be.

In Zürich, JaMarcus would stand out more than Justin would. But Justin at least implies that the wearer of the name is a bit of a tool, again due to common stereotypes. Mr. Kim would also not exactly be as subtle as we’d like, because, remember: the goal is to get a persona who is credible. There are not many men called JaMarcus or any other clearly ethnic name.

Picking a name is hard. Luckily, the Swiss have a public phone-book that can be searched by first and last name. You know how you always know which last names are pretty common around a place? In Zürich, and in the entirety of Switzerland to be honest, the last name Müller is fairly popular. Everybody in Switzerland knows at least one person with that last name. In the USA, this could be Smith.

The same thing can be done with a first name. What’s the most common first name? It doesn’t have to add up by the numbers, but in general, the final name should be a name everyone knows. For our example, we’ll go with Thomas Müller. This has several advantages.

• Most common last name in Switzerland according to the phone book
• Second most common first name, the most common would be Christian according to the phone book
• There are several famous people with the name, obfuscating research by others
  • Thomas Müller is the president of a small town in the East of Switzerland. He is also a Nationalrat in Bern and quite prolific in the media
  • Thomas Müller is a player for Germany’s national football team
  • Thomas Müller is a German composer
  • There are more Thomas Müllers out there

However, be aware that a name that is too inconspicuous might raise suspicion. In German, that would be something like Hans Müller or Hans Muster, in English John Smith or John Doe. Would you trust these guys?

Get a Life

So Thomas Müller from Zürich it is. Let’s get down to the details. A person needs a job. Most internet users are now in the age where they work. Our job needs to be untraceable.

• No executive position
• No small companies with less than 1000 employees unless the goal requires it
• Works at a large company
• Works in an area where you have at least semi-competent knowledge of
• Alternatively something you can research easily

And when Thomas Müller isn’t working in his anonymous job, he has hobbies. Here’s where it gets tricky. Because depending on why you’re doing this, you can make or break it here. In our line of work, we often make up a person who appeals to one specific other person. So the hobbies need to kind of match. And even if we know the target’s hobbies, then picking the exact same ones might make it too obvious.

• Be careful when picking favourite sports teams. There’s hardly a more passionate bunch than sports fans
• Except for maybe religious people. Make your persona not have any specific religious background public knowledge, unless vital to the goal of the mission
• Pick a hobby you have at least passing knowledge of
• The hobby must be easy to research
• The hobby must come with a lot of pictures online
• If the hobby is practiced internationally, even better

The Perfect Profile

So with gender, name and current personality fleshed out, it’s time to take to Facebook. What might help, though, is that you know where your persona comes from. Why is Thomas Müller the way he is? Where did he come from? Did he grow up in Zürich? If not, where? Why does he like the things he likes? Does he have a girlfriend? A wife? Children, even? I voted against those, seeing as it’s unlikely that a married man would not be friends with his wife on Facebook.

When finally making your profile, there are a few last things to observe:

• Don’t become friends with your real profile
• Don’t become friends with your friends
• Make sure your profile picture isn’t easily findable by reverse image searches
• Make sure your profile picture is something you can either replicate should you have to or find more of
• Don’t add more than a few pictures to your profile at first
• Post about your hobbies regularly
• Never confirm or deny you’ll be at an event smaller than a huge festival
• Find groups that correspond with your hobby on Facebook
• Befriend random people that are either related to an interest of the fictional person or its biography, such as friends from the school they went to
• Don’t befriend the target just yet

Enter the Weirdness

After our persona has a Facebook, it’s time to get social. Because that’s what Facebook was made for. A few dozen friends later, something strange will start to happen. Random strangers will befriend you. You will get messages from them, ranging from «Hi, how are you?» to «I want to make sweet love to you, random internet stranger». The latter prevail if you have picked a female persona. But often, these things are so monumentally stupid that I’d be surprised if anyone fell for these obvious plots. Even Facebook is pretty good at finding the spammers, and it’s not hard to fool Facebook.

The weird thing about this is that the persona these people all want to be with is not real. It has never existed and will never exist. Because we made it up.

With Great Power…

In this guide, I’ve probably told you things that you can use to cause others harm. You can use this knowledge for stuff that is not directly related to information security. And the thing is, I have no means of knowing what you’ll do with the knowledge. So I’m just going to appeal to you. Remember the words of Stan Lee from the pages of Spider-Man’s first comic book appearance: With Great Power Comes Great Responsibility.

About the Author

Dominik Bärlocher has been working with IT subjects since 2006. The journalist relied on his affinity for all things IT during his tenures at news papers and benefited from it. At scip, he conducts OSINT researches and is an expert at information gathering.

Links

• http://firstmonday.org/article/view/2202/2024
• http://freakonomics.com/books/
• http://images.google.com
• http://onlinelibrary.wiley.com/doi/10.1002/asi.21180/abstract
• http://pricetheory.uchicago.edu/levitt/Papers/FryerLevitt2004.pdf»
• http://tel.search.ch
• http://twitter.com/Swiftonsecurity
• http://www.esmuellertwieder.de/
• http://www.muellercomposition.de/
• http://www.parlament.ch/D/Suche/Seiten/biografie.aspx?biografie_id=1345
• http://www.rorschach.ch/mitglieder?id=22
• http://www.streetparade.com/home/street-parade-2014?lang=en-us&content=1&main=1
• https://twitter.com/DRUNKHULK
• https://twitter.com/RikerGoogling