Dale "Woody" Wooden illustrates security concepts through stories. His past posts discussed how attackers mine employees' social media accounts for information. This story is about how attackers can use social media against you.
Let me tell you a story about how social media can be used against you.
Recently, I was on a trip for the weekend with my family. The final leg of this trip we stopped for a restroom break at a gas station in a small town called Robertsonville, NC. All of the kids got back in the vehicle and my daughter said she could not find her cell phone. We had not even pulled out yet.
We did all the usual things - retracing our tracks in the small convince store. There was a sinking feeling as she and I both realized it had been stolen. The few people in the store heard us ask if anyone had seen it, but said nothing. There was a thief in our midst and that bothered me. The phone had some of the last pictures that were taken of my daughter’s dog who had been hit by a car. She was devastated.
We continued on our way and kept trying to call the phone but no answer. So I sent a text and bluffed. I told them I had a security program on the phone and had their picture and location. This time they picked up my call. Long story short, I asked nicely for them to return it, but they choose not to.
I spoke with the local police and told them I’d put a timeline together. In addition, I offered to find any social media info about the incident and email to them. The local officers were considerate and responsive, but in reality, a lost cell phone is the least of their concerns. They told me to send what I could find and they would absolutely do their best once the info was given to them.
The next morning I went online and checked my daughter’s stolen cell phone records and I noticed a phone call the thief had made immediately after the theft. I immediately ran some reverse phone look-up queries. Then, I performed several open source searches for social media and addresses etc. This was great because by the time I called the number most my questions were already answered.
When I called, a man picked up. I let him know I was looking for the person that took my daughter’s phone and that this individual had called him at exactly 11:11 P.M. the night before. He insisted that he did not know who called and that it was a wrong number call. I gently reminded him the call had lasted 5 minutes and that it couldn’t have been a hang-up or wrong number call.
I again asked the name of the person who called him. “You can either talk to me or the police,” I warned. I just wanted the phone back for my daughter.
He eventually said the person was named Ash(*names changed to protect the guilty). Even though he hadn't told me his name, I knew it from my research, and called him by name. He paused, and then insisted he had no other information about Ash. I asked over text message if he knew Jane*, and he replied saying it was his live-in girlfriend. I already knew that. We went back and forth a few more times, and Timmy* insisted he didn't want to be named in any complaints.
These were Timmy's options:
As Timmy was my only lead, if he did not know anything other than Ash’s first name, then I’ll have to give the police Timmy's name and information and let them handle the investigation to find the missing phone.
If Timmy did not help, I would tell Jane--who actually owns the phone he was using--and he could explain to her why he was taking calls after 11 P.M. from a woman he met at a club.
Timmy talked like a scared school girl. Not so much scared of the law, but of Jane! Now I had a new number to track down. No other name. If this number was a real lead, Timmy would be off the hook with the authorities.
I researched the next number and found two names and addresses associate with it. One was an Ashley. When she answered my call, I told her I would prosecute her specifically. I'd noted three cameras from the gas station we were at, and the police would be able to verify she was at the gas station at that time. She claimed to have made only one call and no longer had the phone.
The situation was simple:
She admitted to me she was part of the theft, so I’ve got her.
I told her I knew where lived, and where her friends lived. I informed her I planned to use every legal means to get the phone back and that I was going to turn everything I had on her to the police.
If my daughter did not get her pictures back, I was going to make sure anyone she knows who is involved will be named. No sympathy.
If the phone was returned, I wouldn't press any charges and we would all go our own way.
That's how we got to Melissa* and her number. A little research gives me more information. When I called, she said her friends had been calling her all day warning her someone knows everything about them. She was worried.
I told her if the phone is not returned, I would give the police her address and would take pleasure in helping the police bust her and all her friends. She could also just go to the police station in Robertsonville and return the phone to the dispatch. She decided to return the phone to the police.
I told the police I would not waste anyone's resources by pressing charges.
What This Story Tells Us
The point of the story is that the thieves made just one mistake. One slip! I was able to track down the phone and the culprits through just one phone call the thief made. Your information can be used just as easily. This one phone call gave me enough to hunt social media, addresses, etc. Final note, please don’t steal from children. Had this been my phone, I probably would have let it go.
The police department in Robertsonville, NC were great and I truly appreciate their assistance.