Wednesday, October 23, 2013

Be warned, someone is tracking you online

I thought it would be fun to give a brief example of how a complete stranger could track someone down using the seemingly innocuous data we all regularly leave behind online.  I’m not suggesting that anyone should actually do this; it would be pretty darn creepy and stalker-like.  The point here is not to create paranoia, but to instead spread awareness.  Most people don’t realize how easy it is phish out pieces of information online and connect the dots.  Consider the following hypothetical scenario:

You’ve been chatting online with someone via MySpace for a couple of weeks now.  You decide you want to find out more about them.  Without asking them any personal questions, you take the following steps:
  1. You type their exact MySpace username/alias into Google.  Google returns a variety of results including a series of posts on a discussion board forum.  The discussion board has a user profile page that displays basic information on the user including the user’s email address.
  2. You could now Google the email address, but instead you decide to run it though the Flickr Friends search tool.  This tool will tell you if a Flickr account has been opened using a specific email address.  Flickr is a popular photo sharing site.  Lo and behold, an account exists that matches the email address.
  3. You visit the user’s Flickr page which has various photo galleries of people at social gatherings.  After awhile you find a photo tagged with captions from a first-person perspective.  The caption clearly indicates which person in the photo owns the gallery, whom also happens to be the target you’re tracking down.  Now you know what they look like.  Hmmmm…. interesting.
  4.  You create a free Gmail account with a username similar to one of the aliases found on either your target’s MySpace friends list or their Flickr contacts list.  You craft a well written email to the target claiming to be the person whose alias you stole.  The goal is to get the target to reply to your email.  This email also contains an HTML embedded photo that you placed in a very obscure place on your public web server.  You placed it in an obscure place so that no body else would accidentally find it.
  5. Your target checks the email and believes that you probably are who you claim to be, so they happily reply.  The email they send back to you has a “From:” header that includes their full name.  In the process of checking the email they also opened/accessed the random embedded photo housed on your web server.  You check your web server logs to see what IP address accessed the photo. (Note: You may also be able to get their IP address from the full headers in the reply email.)
  6. You take their IP address and plug it into the WhatIsMyIP IP Lookup tool which returns the geographic location and city where their IP address originates

So let’s recap… You started off knowing only a person’s online alias, but now you know their full name, city and location, email address, and you have their photo.  Finding their physical street address at this point is a cakewalk.  One could make the argument that not everyone is quite this easy to track down online.  But you do have to wonder, how people actually are?  I bet there are thousands of them… and I’m also pretty confident that you know a least a few of them personally.