Catfishing? Isn’t that what those guys do in those mudholes? Hillbilly Handfishing, or something? There’s a reality show about it!!

Not exactly. In the Internet world, catfishing is when you create a person out of whole cloth (a lie, in other words). The word entered our pop culture vernacular this week with the news that Notre Dame football player Manti Te’o was the victim of a catfishing hoax. Since then we’ve heard that Te’o isn’t the only popular football player to be duped; one scam went after several Washington Redskins players. But why? And how?

How is easy. Creating a Facebook profile and a LinkedIn page, and giving them email accounts, takes minutes, and no proof of identity is needed for any of them. Then simply post on a regular basis, join groups, and collect friends based on mutual interests. No real life, well, “life” needed. Voila! Instant identity!

As for why? That’s also easy. Sometimes it’s done out of boredom, or a desire for romance in a life gone dull. Other times it’s done to gain information about a rival, or to get information out of a business or government agency.

Huh? Information? Flirting online with strangers who will never know your real name, OK, that’s weird, but vaguely understandable. But information about a government agency? How could you get that?

A researcher who had gained prominence for his work on the OWS movement, penetrating it through its mailing lists and similar channels, ran a project to determine whether creating an identity from nothing, and making it useful, was possible.

He got over 300 people to connect on LinkedIn alone, and over 100 on Facebook, including an Army Ranger whose photos carried geolocation data, allowing the fake persona, “Robin Sage”, to identify classified troop movements. Members of the Joint Chiefs of Staff allegedly friended Robin, as did key members of information security and other armed forces groups. It worked.
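The Ranger’s photos gave away locations because phones and cameras write GPS coordinates into a JPEG’s Exif metadata, and anyone who can download the photo can read them back. The script below is an added example, not code from the original post or from the Robin Sage project: a stdlib-only Python tool that builds a constructed minimal JPEG carrying a GPS IFD, reads the coordinates back the way a stranger would, and strips the Exif segment before the photo is shared. The `build_sample_jpeg` helper, its byte offsets, and the sample coordinates (40.5 N, 79.25 W) are constructed for the demonstration; the tag numbers (0x8825 for the GPS IFD pointer, tags 1 to 4 for latitude/longitude and their N/S/E/W references) are the standard Exif ones.

```python
"""Detect and strip GPS coordinates from JPEG Exif metadata (pure stdlib)."""
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
GPS_IFD_POINTER = 0x8825                      # IFD0 tag pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG (SOI + Exif APP1 + EOI, no image data) whose
    GPS IFD carries the given degrees/minutes/seconds. Big-endian ("MM") TIFF."""
    e = ">"
    ifd0_off, gps_ifd_off, lat_off, lon_off = 8, 26, 80, 104   # relative to TIFF header
    tiff = b"MM" + struct.pack(e + "HI", 0x002A, ifd0_off)
    # IFD0: a single entry pointing at the GPS IFD, then "no next IFD".
    tiff += struct.pack(e + "H", 1)
    tiff += struct.pack(e + "HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_off)
    tiff += struct.pack(e + "I", 0)
    assert len(tiff) == gps_ifd_off
    # GPS IFD: the ref tags hold "N\0"/"W\0" inline; lat/lon point at 3 RATIONALs each.
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI4s", GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\0\0\0")
    tiff += struct.pack(e + "HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack(e + "HHI4s", GPS_LON_REF, 2, 2, lon_ref.encode() + b"\0\0\0")
    tiff += struct.pack(e + "HHII", GPS_LON, 5, 3, lon_off)
    tiff += struct.pack(e + "I", 0)
    assert len(tiff) == lat_off
    for v in lat_dms + lon_dms:
        tiff += struct.pack(e + "II", v, 1)   # numerator / denominator
    payload = b"Exif\0\0" + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload   # length counts itself
    return struct.pack(">H", SOI) + app1 + struct.pack(">H", EOI)


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment after SOI; stop at SOS/EOI."""
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == EOI:
            return
        yield marker, pos, pos + 2 + length
        if marker == SOS:
            return          # entropy-coded image data follows; no more marker segments
        pos += 2 + length


def _read_ifd(tiff, e, off):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for the IFD at off."""
    n, = struct.unpack(e + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        entries[tag] = (typ, count, tiff[p + 8:p + 12])
    return entries


def _dms(tiff, e, field):
    """Decode the 3 RATIONALs (degrees, minutes, seconds) the field's offset points at."""
    off, = struct.unpack(e + "I", field)
    v = struct.unpack(e + "6I", tiff[off:off + 24])
    return [v[i] / (v[i + 1] or 1) for i in range(0, 6, 2)]


def extract_gps(data):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS Exif, else None."""
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker != APP1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        e = ">" if tiff[:2] == b"MM" else "<"           # byte order from the TIFF header
        ifd0_off, = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, e, ifd0_off)
        if GPS_IFD_POINTER not in ifd0:
            continue
        gps_off, = struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, e, gps_off)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            continue
        d, m, s = _dms(tiff, e, gps[GPS_LAT][2])
        lat = d + m / 60 + s / 3600
        d, m, s = _dms(tiff, e, gps[GPS_LON][2])
        lon = d + m / 60 + s / 3600
        if gps[GPS_LAT_REF][2][:1] == b"S":
            lat = -lat
        if gps[GPS_LON_REF][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out = bytearray(data[:2])
    pos = 2
    for marker, start, end in iter_segments(data):
        if marker == SOS:
            out += data[start:]      # scan header, image data and EOI copied verbatim
            return bytes(out)
        if not (marker == APP1 and data[start + 4:start + 10] == b"Exif\0\0"):
            out += data[start:end]
        pos = end
    out += data[pos:]                # trailing EOI
    return bytes(out)


# Constructed sample: 40 deg 30' 0" N, 79 deg 15' 0" W (arbitrary, not a real photo).
SAMPLE_JPEG = build_sample_jpeg((40, 30, 0), "N", (79, 15, 0), "W")

if __name__ == "__main__":
    print("before:", extract_gps(SAMPLE_JPEG))
    print("after: ", extract_gps(strip_exif(SAMPLE_JPEG)))
```

Running it on a real photo instead of the constructed sample (`extract_gps(open("photo.jpg", "rb").read())`) shows exactly what a stranger downloading that photo learns; the strip step keeps every other segment and the compressed image data untouched, so the picture still displays, only without the location. Most platforms strip Exif on upload today, but files sent directly, attached to mail, or hosted on one’s own site usually keep it.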

How about LinkedIn groups, Facebook interest pages, Google Groups, IRC chat rooms, and the like? Aren’t they all places you could join, or create if they don’t already exist? Find people interested in underwater basket weaving for lawyers, befriend them, and get some information from or about them?

It goes back to a simple rule: don’t befriend people online unless they’re your friend in real life. Otherwise you could unwittingly give up information, or your friendship could be used to trick a friend into giving up information. After all, if a friend request comes with 40 mutual friends, I must know them, right?

Joshua Marpet is on the Board of Directors of two infosec conferences, BSides Las Vegas and Security BSides Delaware. He is also staff at Derbycon and Shmoocon, and, as the "InfoSec Megaphone", anywhere else he goes. Joshua is an experienced forensics, incident response, and mobile forensics expert and researcher. As an adjunct professor at Wilmington University, he teaches information security at an NSA/DHS certified Center of Academic Excellence. In his professional life, he is a managing partner at Guarded Risk, a proactive forensics and proactive incident response firm.