101 Ways I Screwed Up Making a Fake Identity badbcc, track2shopcc
As most of you know, my professional area of expertise in security is incident response, with an emphasis on system / malware forensics and OSINT. I’m fortunate enough in my position in the security education and con community to sometimes get pulled into other directions of blue teaming and the occasional traditional penetration testing. However, the rarest of those little fun excursions are into the physical pen testing and social engineering realm. In the breaking into buildings and pretending to be a printer tech realm, I’m merely a hobbyist.
Therefore, it was a bit remarkable that in the course of developing some training, there was a request for me to create some fake online personas that would hold up against moderately security savvy users. I think most of us have created an online alter ego to some extent, but these needed to be pretty comprehensive to stand up to some scrutiny. Just making an email account wasn’t going to cut it.
So Pancakes went on an adventure into Backstop land. And made a lot of amusing mistakes and learned quite a few things on the way. I’ll share some of them here, so the social engineers can have a giggle and offer suggestions in the comments, and the other hobbyists can learn from my mistakes. Yes, there are automated tools that will help you do this if you have to do it in bulk for work, but many of the problems still exist. (Please keep in mind that misrepresenting yourself on these services can cause your account to be suspended or banned, so if you’re doing more than academic security education or research, do cover your legal bases.)
I’m not going to waste everybody’s time talking about how to build a unremarkable and average character in a sea of people or use www.fakenamegenerator.com , nor how we always set up a VM to work in to avoid cookies and other identity leakage (including our own fat fingering). Those have been discussed ad infinitum. Let’s start with what happened after those essentials, because creating a good identity is apparently a lot more involved..