When misdirection works (too well)

I had a beautiful experience this week and thought I’d mention it, for the benefit of all you folks building fake profiles to make yourselves harder to find (looking at some people from infosec.exchange.) This story is about how my misdirection got found, and worked very well indeed.

It was a beautiful day, and I was scheduled for a meeting with a client’s project manager to find out some stuff about their compliance situation. Spreadsheets as far as the eye could see, but I made the most of it. Client was very compliance-focused, but exactly in the way I did not expect. At one point, I was told “Well a user cannot steal any information,” and when I pointed out that if the user was hacked, this data could get a good price on the black market, I was met with this answer:

But selling or stealing that information is against company policy, it’s illegal to sell it!

I will have this quote printed and framed, one of these days… but I digress.

How a manager found my profile

At the end of the meeting, we got to my “lack of accent.” The manager asked me where I was from, and when I answered with my country of origin, he said: “Ah yes, I can see that! I lived a few minutes away from where you live now!”

My jaw dropped. I thought: Did he trace me somehow? Did this guy research me beforehand? What the hell does he know about me?! My heart skipped a little, and I could only say “Did you?” His response rang a bell for me, finally.

“Yes, your LinkedIn profile shows me you live in this town! I used to work a few minutes away from there. Beautiful town, isn’t it?”

Luckily for me, there are two facts about my Linkedin profile:

  1. I don’t live anywhere near where my profile says I do,
  2. I have indeed been to the town, and can bullshit away if someone noses around.

Keep in mind, the only place you can see my full name is in my e-mail account for the client (I never sign with my full name, only $firstname), and I did not send my LinkedIn profile to this guy. I thought that the only way he could’ve found me is if he actively snooped around for me.

Did he snoop around looking for me?

Actually, no, but I wasn’t ready for being interrogated about my whereabouts. When I started working for this client, I got the full external employee package: An e-mail address, an Active Directory account, and a beautiful “contractor” label as part of my e-mail address. When I first logged into their system, I was greeted with a run-of-the-mill Teams screen, but there was something different. If I opened my profile, I could see that the client’s Office suite included a “handy” LinkedIn integration. I have no clue what purpose that would serve, since you could probably only see people’s Linkedin profiles if they worked at this company, but what popped up when I clicked on my profile was a Linkedin profile. My Linkedin profile. A misdirecting Linkedin profile. I created it about a year or two ago, just to give recruiters a good run for their money if they wanted to find me. If I give someone my full name (or someone else does, without my consent), they’ll be met with this profile I created. It is close enough to my own life that someone would take this as a valid point, but not too close that it leads people to my doorstep.

In closing

If you can and have the time, create a second Linkedin profile. Hell, create a third, a fourth! With each one, you should choose one piece of information and make the rest mislead someone in another direction.

  • If your name is your legal name, have this profile live a few towns away.
  • If your town and name match, make it a different photo or profession.
  • If your face is on that profile, make sure everything else is bogus.

Best case scenario? A year from now, if someone gets my name and starts snooping around my Linkedin profile, all the results will be misleading, each one in a specific direction. Sure, there may be a way to figure out where I really am based on where these profiles aren’t, and where I’m not based on where these profiles are, but that’s called deviation.

Hope you enjoyed this little story!