How Anyone Can Hunt You on the Internet

by Kit Lange on April 2, 2014

Over the last year, our notion of privacy has been turned on its heel, as Snowden showed us all that the “government is listening” conspiracy folks weren’t as crazy as people thought.  While there are still, unbelievably, Americans who are okay with the government knowing their every move, perhaps they wouldn’t be so happy-go-lucky with all this data collection if they knew that their info was available to a lot more people than just the NSA…and their intents are even more nefarious than our government, if you can believe that.

“But I’m careful!” you say.  You use different passwords for different sites and you use the login code for Facebook and You Are Very Cautious.  Today you’re going to learn how fast someone like me can find pretty much anything I want to know about you—and I’m not trying.  This is not an endorsement for such tactics; I’m simply showing you how a criminal—or just some random jackass you angered on a forum somewhere—can target you for all kinds of bad ideas.  You may think you’re safe, but you’re not.  I’m going to pretend that I saw you post somewhere, and I don’t like what you said.  In fact, I’m so mad that I’ve decided to ruin your life by stealing your identity.

I’m going to look at your email if I have it.  Nine times out of ten, your email is either your name, or it’s some kind of detail about you.  Cowgirl77, bigspender1, johnsmith, etc.  I’m going to go to the site where you have your email (Yahoo, Hotmail, Gmail, etc.) and I’m going to see if you’ve filled out any details in your profile.    You’re “careful” so all that’s on your Gmail profile is Jim H., and your location as Texas.  You think you’re being clever, but you just narrowed my search down considerably.  (You might be lying, but most people don’t.)  Even though your Gmail profile says Jim H., your Facebook uses your real name, and the website you commented on two days ago that sent me into a psychotic rage uses Facebook to power their comment system.  So, now I know that I have the right person–Jim Howard lives in Texas, and while you don’t list the city in your Facebook profile, you post a lot of photos from around the Austin area.  It also seems like you’re a bit of a party guy–lots of pics in various sports bars and whatnot.  You do tag all your friends, though, so that helps me later.  I also think you might have a drinking problem, judging by the frequency of the pics and the fact that you appear drunk in most of them…and that information could be useful too.

Now I’m going to find your family and your job.  The two sites I’d use for this are pipl.com and LinkedIn.  Pipl.com is only one of several linking sites that I could use to do some basic social network analysis.  This search might net me your relative’s names, general age, and maybe even your address (current or past).  I take your name and location to LinkedIn, and I cross-check the Jim Howards in Austin with the list of potential relatives and friends I have so I can find the right one, because most people have at least one relative or personal friend listed in their LinkedIn.  I could also check Facebook for this, but LinkedIn gives me your employer, and possibly your boss and co-workers.  Now the real fun begins.  I already have enough to send your boss an anonymous email saying that I’m a coworker of yours and that I’ve seen you drunk on the job quite often, or even that I was at Shorty’s Sports Bar last Friday and you were there talking about confidential work stuff.  But I’m after your identity, not your job, so we’ll keep going.

I will now look up the county records for Austin and surrounding area for property held by a James Howard.  I’m going to cross-check that info with what I already gained so far, and now I’ve verified your home address.  (If that doesn’t work because your address is an apartment, no worries.  I’ll simply call your apartment complex, tell them I’m calling to verify information on a job application, and poof.)   Next I’ll go to a real estate site and put in your address so I can get photos of the inside and outside of your home (or go to the apartment complex’s website and get a layout/floor plan).  I can get an appraised value of your home, and with a little math, I can ballpark your income.  If I really wanted to do some damage, I’d go put your name in at Ancestry.com and possibly get your mother’s maiden name.

Let’s recap.  In the space of what’s probably about two hours maximum, I may have all of the following:

  • Name
  • Email
  • Home Address
  • Employer
  • Family members and coworkers
  • Income
  • Photos of your home
  • Mother’s maiden name
  • Date of birth

I could even go further if I had the time, and add a few of your friends on Facebook.  Most people are far more inclined to click “Accept” from someone if they see that they have mutual friends, but I’m guessing that out of the 300+ people you have listed on your Facebook, someone’s bound to be stupid enough to blindly click Yes…which gives me an in to your profile.  Would you click “Accept” if you saw that we had 4 mutual friends?  Especially if I made sure that I had stuff on my page that I knew you’d be interested in?  Once I can see your “private” page, I can probably piece together all kinds of information about you:  where your gym is, when you go, the names and faces of your kids and where they go to dance class and school…you get the picture.

In order for me to steal your identity, all I need are your name, date of birth, SSN, and mother’s maiden name.  I’ve already got 3 out of four.  Do you really think I couldn’t get your SSN with a few phone calls to a few places and a bit of social engineering?  Are you okay with some random stranger knowing all of that about you?  If this little demonstration didn’t disturb you, take it for a test drive yourself.  Run your spouse through the process I just described, and take notes only on information that you find through that. Did you get enough to “steal their identity?”  Did you get enough to make them uncomfortable?

There are steps you can take to minimize your exposure, and it’s a good thing to do for a lot of reasons.  Sure, the NSA is all up in your business (more on that later today), and that’s bad enough.  But to think that criminals can do what I just did?  Some crazy freak you got in a debate with on some website?  Imagine your daughter’s college classmate deciding to do this to your little girl.  If someone like me can do it, think about what a criminal who does this all the time can do.

It’s about a lot more than just privacy.  It’s about safety.

 

 

{ 8 comments… read them below or add one }

GWB April 2, 2014 at 11:10 am

You are very right about how carelessly most people pass their private/semi-private information around. It’s primarily because they are sitting at home, inside their own walls, posting “on” their own computer, with friends as their visible counterparts, and they feel safe. It’s psychologically hard (for many) to grasp the extension of that private realm (friends sitting around an electric watercooler in your own dining room) out into public because they are doing it on the internet.

I wonder, Kit, what you could find out about me, based solely on the information you have from my login here. (One of the reasons I comment here is because you don’t use Disqus or FB.)

Reply

Kit Lange April 2, 2014 at 8:06 pm

Is that a challenge? 😉 I’d be happy to give it a shot; I can email you the results.

Reply

GWB April 3, 2014 at 8:13 am

I would like to see what you come up with. I’m fairly confident in my internet posture, but I don’t know. 🙂

Reply

Xavier April 3, 2014 at 1:09 pm

Email, schemail. Dox him, Kit.

J/K. 😉

Reply

Kit Lange April 3, 2014 at 10:03 pm

lol you’re evil. 😉

Starting Project Stalker now. 😉

Reply

VALman April 3, 2014 at 3:21 pm

Since some of us may have a vested interest in the out come, please indicate whether mission was accomplished, without any details about the “target” of course.

Reply

GWB April 4, 2014 at 8:27 am

Heh. Kit did a nice bit of social engineering to get some more info from me. From which she tracked down some information that was close, but not me. My advantage is that I do not do social media, and some of the other places I frequent on the internet (virtual worlds) have no connection to my real name at all. She also didn’t go into full-sleuth mode. 🙂

So, I’m good, but not as good as I could be. I should probably close up shop using certain names and email addresses if I want to be even tighter in my security.

Reply

VALman April 4, 2014 at 10:38 am

Thanks for the update. Sounds as those this might have been a draw. You both learned something which is good.

Reply

Leave a Comment

Previous post:

Next post: