
Consumer advice: How to avoid blowing your privacy online

Luke Turvey 25 Jan 2017

You wouldn’t have found me if it wasn’t for that meddling internet!

I think we can all agree that the internet is a pretty great place. Google has allowed us to find information that beforehand you would have HAD to make social contact to find out, and no one wants that. On the other hand, social media exists where people can create virtual profiles and post various things in order to get many ‘likes’ from others in order to feel good. Oh, just me?

The purpose of this post is to introduce how marketers, social engineers, employers and malicious people can use the internet to find out your private information. I will be using myself as the target with default privacy settings in each case, due to not wanting to make someone with terrible privacy options the centre of attention here!

LinkedIn

This is my first port of call when looking for a business person. Profiles can give some great background about a target, but the main thing I am usually interested in is location, as it is useful later. For example, I could take “Luke Turvey” and “Buckinghamshire” to Google or a Phone Directory to find more information. There are also many other good findings here, such as:

  • Groups – What are the target’s interests?
  • Education – Where did they study?
  • Recommendations – Who do they have close contact with?
  • Birthday – Can be useful for attackers when attempting to reset passwords…

This is all information which can be collated to start profiling a person.

Phone Directory (BT)

So as we know a location from above and we have a name, we can go hunting for really personal details. I can’t show myself on here as I requested to be taken off due to getting cold called by Specsavers at 3am every day for 3 weeks. Although here’s a screenshot for the search “Turvey” and “Buckinghamshire”. We have addresses and phone numbers, a cold caller’s dream, cool!

Facebook

Facebook is a great website for its users not taking privacy seriously. Facebook cracked down on privacy quite a bit, although it is still up to the users themselves to use the settings, and many don’t.

But first, have you ever had an annoying mobile number ring you, or even been sent nasty texts, but you have no idea who they are? Well, if you try to log in to Facebook with that phone number and press “Recover Your Account”…

Oh look! Facebook links phone numbers to a user’s account. So Luke, that text you sent me…

Now onto what we can find from a profile. Firstly, if you go to a user’s page and then “Family and Relationships”, you may be able to see the user’s close ones, if they have set that up. This could be used to browse family members’ accounts for information about your target; you may find they have less strict privacy settings too.

Next, just try scrolling through the target’s timeline. You will likely end up finding more information, such as a future date when they will be out of the country, an event they are attending, personal interests and their birthday.

Although, depending on how verbose they are on their profile, you may also have to sift through a lot of this.

Photos are often a great source to find interesting things. Photos usually have friends and family tagged in them, so this gives you another profile to continue efforts to find information about your target. But the main point about photos is that you end up getting a feel for how your target may act by looking at body language. You can see who they spend their time with and what they do. For me, it’s drinking, as seen below. What I am trying to say here is you can use photos to ask a target about the places they have been, to start the connection between you if trying to social engineer.

Of course, various other pieces of information can also be gleaned:

  • Places checked in – Does the target often go somewhere and where are they now?
  • Likes – What does the person tend to like, what interests them?
  • Events – Are there any upcoming events the target is attending?
  • Groups – Is the person actively part of any groups, could you monitor this?
  • Friends – Search for the target’s surname in their friends to find potential family profiles to browse.

Twitter

Twitter is a nice place to find rants, whereabouts and snippets of information from a target. Personally it is my least favourite place for information, but it is still useful. And that phone number trick Facebook has? Yeah, Twitter also does that.

So the first thing you may notice when going to a profile is a user’s bio. This will generally tell you a small amount of information about a target, but also their location. You may also want to look at photos/videos shared by the user as this could tell you various things. One thing mine tells you is that I support Manchester City. This might give an attacker a phish motive, free Man City tickets anyone?

Twitter has a very useful search functionality at https://twitter.com/search-advanced

This allows you to search a specific user’s whole timeline for phrases, hashtags, mentions of other accounts, date ranges and more.

A function of this which I think is very interesting is the emotional response search. This will show all the tweets a user has made that Twitter deems to be Positive, Negative or a question. This is amazing for analysing what makes a target happy, sad or confused and would allow a marketer, malicious user, etc. to really trigger emotion in whatever they do towards a target.

Instagram and Snapchat

These two applications are somewhat hit and miss and you are likely to only find a younger target using them. Although, they are very good for tracking the lives of a target. For example, with Instagram, people love taking photos of food/drink and tagging restaurants in them, like so…

Tagged in “English Pub, Iceland”, therefore likely to be currently in Iceland. But you can also use the photos to build an idea of what the target likes.

The three photos above show that I have been to a football match, I am watching football and I have ordered tickets to see a Man City game. Going back to what I said above, this could be a good trigger for a phishing attack. Maybe even a very smart ticket tout that has found my phone number in a phonebook and wants to sell me some tickets.

Something I have found recently is that Instagram users are putting their Snapchat name in their Instagram Bio. Snapchat is a very good one for constant visibility of a target because of the “story” function where users post a current photo/video for all to see.

The example above shows me at the gym 16 hours ago. If you wanted to find me, you could add my Snapchat name and just wait for me to post a photo of my location. Snapchat by default does not require approval to see a user’s story, so you can make a fake account and go hunting… Dangerous.

Conclusion

The idea of this blog was to show how your privacy can disappear. So in conclusion, there is a LOT of information on the internet about you if you use these websites. To recap, what could be found out about a person here?

  • Address (Phone Book)
  • Phone Number (Phone Book)
  • Birthday (LinkedIn, Facebook, Twitter)
  • Interests (LinkedIn, Facebook, Twitter)
  • Connections (LinkedIn, Facebook, Twitter)
  • Family (Facebook)
  • Current Location (Facebook, Twitter, Snapchat, Instagram)

That is quite a lot of information that pretty well blows a person’s privacy right out the window. Anyone could profile a user that leaves their online privacy open. To help yourself and not allow this to happen to you, each of these websites offers privacy settings. They allow you to block various information from being seen by others. Here are some links to the settings:

Facebook: https://www.facebook.com/settings/?tab=privacy&privacy_source=privacy_lite

Facebook have made changing privacy settings quite comprehensive and easy, but to test your settings I suggest putting your profile URL into a browser’s private mode so you can see what everyone else would see.

Twitter: https://twitter.com/settings/security

Twitter’s privacy is also quite easy, and as above I suggest doing the same private mode browser check.

Instagram:

Here you can select who is able to view your account. By having this setting on, users will have to request to be your friend to see your photos.

Snapchat:

Here you are able to select who can see your Snapchat stories; it should not be “Everyone”! I have mine set to “Custom”, which allows me to even stop certain friends from viewing my story. The “Contact Me” setting relates to who can send you a Snap.