In my previous post, How Can I Successfully Hack My Home Network? I set the stage for my “Hacking my Home” activities. A possible scenario here is that I am given the task to penetrate a high-profile target’s (i.e., myself 😀) home network and collect as much information to use for malicious purposes. Before I start doing anything though, I need to prepare myself.
Let’s think about what will I need for my activities. Laptop, Internet connection… Well, (almost) everybody has those nowadays. Let’s look at some not so obvious things.
First, I will need some fake online identities that I can use to send emails or connect with people close to my target. For this, of course, I will need to have one or more email addresses. In the past, creating a Gmail or Hotmail address was trivial. Now though, even Yahoo requires you to have a phone number for verification. That makes things a bit more complicated, but not impossible. A quick search on Google or Bing will give you a good list of burner phones that you can buy for as low as $10 at retailers like Fry’s or Wallmart. However, one good option is the Burner app – for just $5/month you can have unlimited calls, texts, and monthly number swaps. There are many uses of it:
- Use it for general privacy – never give your real phone number on the web or anywhere else (just this is worth the money)
- Use it for registering new email addresses or social media accounts
- Make phone calls to avoid Caller ID (we all get those from marketers and scammers)
- Most importantly, send text messages to avoid Caller ID
If you only need a masked phone, you can also use the Blur app from Abine. There are many other options if you search the web but be careful with the reputation. I decided to try both, Burner and Blur in my next step.
Armed with burner phone numbers, the next step is to create email addresses that I can use for various registrations. Yahoo emails are frowned upon; that is why I decided to go with Gmail. I will need to think of creating a complete online personality that I can use to send emails, engage in conversations, etc. Without knowing what will work, creating a male and female personality will be helpful.
The first step is to choose some trustworthy names. Although fancy, names like North West and Reality Winner 😀 will look more suspicious than traditional English names like John or Mary. Not surprisingly, a simple Google search gives you thousands of pages with names that inspire trustworthiness. So, I choose some of those to name my two personalities. Because I don’t want those to be known, I will use the first initials from now on to differentiate between the male (RJD) and the female (SMJ). Now, let’s go and create some e-mail addresses and social media profiles.
One complication while creating Gmail accounts is the verification process. Google requires your phone number for account creation, and after typing any of the burner phone numbers, I got an error message that the number cannot be used for verification (kind of a bummer, I thought). Interestingly though, after the initial verification (for which I used my real cell phone number), I was able to change the phone number AND verify it using the burner ones.
Next is Facebook. Despite all the efforts Facook is putting to prevent fake accounts, creating a Facebook account doesn’t even require text verification. With just an email, you can easily go and create one. Of course, if you want to change your username, you will be required to verify your account via mobile phone. The burner phones work like a charm with Facebook.
After Facebook, creating an Instagram account is a snap. Picking up a few celebrities to follow is, of course, essential to building up the profile. Be selective when you select people to follow from the suggestion list, you don’t want to look like a bot by following every possible person. Later on, after I gather more intelligence on my targets’ interests, I will tweak the following base to match better their interests, but for now, this will be enough to start building a profile and also getting access to information that is behind the Facebook and Instagram walls.
The Twitter registration process is as simple as Instagram. You don’t need a mobile phone for Twitter – e-mail is enough for the confirmation code. Once again, choose a few select accounts to follow to start building your online profile and reputation.
Creating LinkedIn account is a bit more elaborate. Similar to Gmail, LinkedIn requires real phone number for verification – both burner phones failed here. Of course, LinkedIn doesn’t immediately ask you to add your phone number for notifications. However, their account creation wizard required at least one job title and company. Not unexpected, this stumbled me a bit because I had to think what will be the best title and company to choose from. LinkedIn has one of the cripiest experiences for account creation. The most scary part for me was the ability to pull all my contacts from… well somewhere (I will need to dig into that later on). Nevertheless, my recommendation is to do the registration on a burner laptop that has none of your personal information on it. The next crippy thing was the recommendations – I got some high profile people recommended to me and of course I clicked on a bunch before I realize that it sends invitations to those people. This could have blown my cover because it recommended mostly people working in the company I chose as my employer. Surprisingly to me though just a minute after, I had a request accepted, so I decided that maybe I should not be worried so much. One important thing you need to do on your LinkedIn profile is to change the Profile viewing options in your Privacy settings to Private mode. If you do not do that, people whose profiles you look up will get notified who are you, and you want to avoid that.
Although some people may accuse me in profiling, I have to say that I chose to use the female account for Facebook, Instagram and Twitter and the male for LinkedIn initially. The reason is that I didn’t want to spent time doing all those registrations before I know more about the targets.
Now that I have all those fake accounts created, I can move to the next step: doing some online research about my target. To do that, I don’t need full profiles established but I will try to generate some online activity in the mean time to make those accounts more credible.
In my next post, I will demonstrate how easy it is to gather basic social engineering intelligence using the above accounts as well as free web sites. Stay tuned…
Disclaimer: This post describes techniques for online reconnaissance and cyber attacks. The activities described in this post are performed with the consent of the impacted people or entities and are intended to improve the security of those people or entities as well as to bring awareness to the general public of the online threats existing today. Using the above steps without consent from the targeted parties is against the law. The reader of this post is fully responsible for any damage or legal actions against her or him, which may result from actions he or she has taken to perform malicious online activities against other people or entities.