Identity Hijacking: A Social Engineer's Tool

Your identity is the most precious thing you have. But what happens when your identity isn't you?

In today’s age, your identity is one of the most precious things you have. An identity has a reputation, which impacts what resources it may access. For example, your identity (John Doe) has a FICO score, which directly affects the capital you may raise in a loan. Your identity can also affect your ability to obtain a security clearance or pass a background check.

But what happens when your identity isn’t yours?

Identity Hijacking

Identity Hijacking is closely related to Identity Theft. It is essentially identity theft, but instead of a pecuniary motive, the attackers are motivated by malice (or the lulz). In Identity Hijacking, a malicious actor appropriates an existing identity and changes it into something that hurts the original entity (what the identity identifies).

Today, I happened upon a blog post on /g/ (yes, that /g/). The blog post is purported to be written by Bryan Østergaard: Why I created the Exherbo linux project (archive here). Now, if you read between the lines of the post, the author is suggesting that he enjoys a particularly heinous form of pornography. The post was truly grotesque and caused me to fume with rage. After reading the comment section, I immediately went and searched for different locations that I could flame this kiddie-diddler, but I came up empty. WTF?

After that, I went ahead and searched for any of the supposed author’s profiles on social media. I came up nearly empty-handed. As it appears, he isn’t really active on any other website besides his LiveJournal, which was last updated in 2014. After this, I became suspicious. This whole pedophilia thing was probably a ruse about Bryan. But why do this?

Who is Bryan, and whom did he piss off? Bryan (aka kloeri) is the head of infrastructure for Freenode. Perhaps somebody wanted to defame him to take down Freenode? Now, I’m certainly not too fond of Freenode (especially after Freenode banned ##tpbbtsync; fuck you, ~tom), but I certainly feel empathetic for Bryan. What was the motivation and goal of the malicious actor? Ultimately, I don’t know. There is a possibility that Bryan is actually a pedophile, but that appears incredibly unlikely from a cursory analysis.

Amusingly, whoever is conducting this operation appears to be quite persistent: they’ve set up an Encyclopedia Dramatica page, and the fake blog domain was registered in November 2016.

Implications

So your identity is precious. You actively have to protect it, or you’ll end up like Bryan. You need to stake out space, and have a credible and established presence online. But you also need to maintain some level of privacy. I think I’ve struck a happy balance, and I advise others to do so as well.

The notion of hijacking an identity is concerning, and there are numerous financial, personal, and social implications associated with the practice. A single hijacked identity isn’t going to hurt society by starting a global thermonuclear war. Rather, hijacked identities can incrementally tear at the fabric of society until we do something about it. Identity hijacking is the newest tool in the social engineer’s toolbox, and it can cause some pretty big issues.

These identities aren’t going to trick a well-informed individual. Instead, they will trick reporters and other idiots into making fools of themselves.

An Anecdote

Now, let’s end with a somewhat related anecdote:

I have experienced attempted identity theft. More than a year ago, I received some strange messages to one of my Gmail accounts, noting that I had a new Twitter and Gmail account to verify. But I hadn’t actually registered them. I figured that this was simply a phishing email, so I went to check the DKIM signature; as it turns out, both emails were real.

Somebody had registered con.cameron9 on Gmail and set its backup account to a similar one that I use. They also took the liberty to register the Twitter handle @CamMystic under the name Dana Cote for me. Luckily, it appears that the account has been suspended. I don’t know the motives of the attacker, but I do know that they wanted to be me.

Not today, NSA

Now this wasn’t exactly identity hijacking, but it still can serve as an example. Some malicious entity tried to take my name (and possibly my accounts). They didn’t defame me, or anything similar, but they could have.
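The DKIM check mentioned in the anecdote above can be scripted. The following is an added example, not code from the original post: it reads the verdict the receiving mail server recorded in `Authentication-Results` and checks that the signing domain matches the `From` domain. The sample message, the host `mx.example.net`, and the helper names are constructed for illustration, and the alignment test is a simplification that does not consult the public suffix list.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not a real email). "mx.example.net" stands in
# for the reader's own mail provider, the only host whose verdict is trusted.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@twitter.example header.s=s1 header.b=AbCd1234;
 spf=pass smtp.mailfrom=bounce.twitter.example
Authentication-Results: attacker.invalid; dkim=pass header.i=@evil.invalid
From: Twitter <verify@twitter.example>
To: me@example.net
Subject: Confirm your new account

Please confirm your account.
"""

# Captures the dkim verdict and the signing domain (header.d= or header.i=)
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.(?:d=|i=[^\s;@]*@)([\w.-]+)")

def org_match(signer, author):
    """Simplified relaxed alignment: same domain, or one is a subdomain."""
    return (signer == author or signer.endswith("." + author)
            or author.endswith("." + signer))

def dkim_verdict(raw, trusted_authserv):
    """Return (passed, aligned) using only the trusted server's header."""
    msg = email.message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # a sender can inject this header; ignore foreign ones
        signers = [s.lower() for verdict, s in DKIM_RE.findall(results)
                   if verdict.lower() == "pass"]
        return bool(signers), any(org_match(s, author) for s in signers)
    return False, False  # no verdict from a server we trust

if __name__ == "__main__":
    print(dkim_verdict(SAMPLE, "mx.example.net"))
```

A `dkim=pass` that aligns with the `From` domain only shows that the message really came from that service. As in the anecdote, a genuine verification email can still be the result of someone else registering an account.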

Identity hijacking is a thing, and now it’s in the social engineer’s toolbox. It’s going to be interesting to watch how this class of attack evolves.