This blog series is dedicated to those that have been affected by some crazy people out there. I hope that this can help others avoid being targets in the future.
This is an account of my Tinder hacking experiment as discussed in my previous blogs.
1st of a multi-part blog, an introduction to what was done. Remember: educational purposes only. Don’t use this for bad, and this is not a pickup blog; be good to others. Karma’s a bitch.
- Everyone online is a stranger unless you have met them in person.
- SocEng is an amazingly effective tool. Always verify the entity you’re communicating with, share information only with trusted sources, and don’t get ‘conned’.
Definitions: see the other terms in the first post here
Social Engineer: me (in a friendly, ethical way of course). Other social engineers may not be so friendly and ethical.
Target: the person at the other end of the line.
- This is not a comprehensive research experiment, quick observations only
- No one was hurt during this exercise.
- Blind testing, duh…if I had told everyone up front, my cover would have been blown and the exercise skewed.
- Minimal phishing will be done. Like Aikido, we use the offensive force to generate momentum. This is done to maintain neutrality: I didn’t phish it out, you told me.
- Keep it truthful/real: I am using my *real* identity as my cover BUT will maintain a very strict level of OpSec. I didn’t have a cover (no time to create one!), therefore no lies, smoke and mirrors, etc. were necessary.
- Keep it clean, above the belt. I never initiated any sexual topics, scare tactics, etc. I prefer lawyers as friends and not for them to represent me.
- Photos, videos, etc. were out of the exercise unless the target initiated. It was all about ‘the game’: no interest in photos, but I would exchange photos just to avoid arousing any suspicion, not to mention blowing my OpSec.
- Extra intel about the person is not permitted. No Googling, recon, etc… It’s a self-imposed rule, and it would be creepy.
- ‘Seeding’: This is very important; this is where I drop a hint of what is next to come. The idea is twofold: to mark that a ‘stage’ has been reached, and to give the target evidence that this was staged so they can learn from the experience. The target is able to go back and examine the events that just unfolded.
- Apart from banter, plans to make physical contact would abort the interaction (there is an important note regarding this, more later).
- Time limit: max a week, with full disclosure at the end to the victim (where possible). This also avoids deep emotional attachments; I’m here to research and not to break people’s hearts. The longest was a month, and that was an exception rather than the rule. Maintaining OpSec is important.
- There are quite a few external factors involved in getting to the discussion stage. Again, we’re aiming to see where we can go with a very sparse, untrusted profile. Sorry guys, again, this is not a pickup blog; there are other places on the Interweb for that.
- Examine what kind/quality of information people will willingly expose that will affect their OpSec
- Do cultural/social differences have an impact on the information shared?
- Gentle education for the target about OpSec
- About a month, or until such time as I lose my sanity, whichever comes first.
Why Tinder hacking?
It was a period where there was little opportunity to do any major research, life was busy and I had limited my physical/social contact with people. To keep my sanity, I needed a new hobby that would still allow me to have some sort of human engagement, was fun and didn’t stretch my available time.
Tinder fit the bill nicely. It was also chosen because there is a known exchange component (romance…), it is easy to get started, and it perfectly illustrates the absence of a trust model and how trust gets built.
Let’s summarise what Tinder is all about:
- Online place to meet people for relationships, etc, etc (OpSec context: there is a common interest which involves an exchange, a reason for a ‘motive’, i.e. love…well, insert appropriate definition here)
- A person will flick through photos and can like or dislike a person (OpSec context: you have NO idea if you can trust the person, remember the SocEng countermeasures)
- If there is a match, you can start chatting (OpSec context: you’re looking for something, what will you do to get it? This is where you have to be on the lookout)
The profile chosen was very ‘mysterious’, designed to provoke curiosity, with a bit of text. The point was to rule out any form of attachment through appearance and to maintain anonymity; using Brad Pitt’s photo would be just plain wrong (that is identity theft!). From an OpSec point of view, being different is NOT what you want to do: arousing suspicion will prematurely end your mission.
The first observation was my amazement at the number of people that selected my profile. Note: in context, this leaves the target at a larger disadvantage, since I know a bit more about them than they do about me.
Once matched, out came the SocEng, wit and charm. The first step of any SocEng exercise is to establish context, a story. The timeframe available gave sufficient time to gain trust.
Let the games begin…
- Unless you’re well acquainted with SocEng, it’s best to avoid social media or to apply caution when using it.