Obtaining 25 Bobbleheads: A Journey Through Social Engineering and Fake Profiles

Jeffrie Budde

Early in my career in technology I was drawn to the security side of it: as more data moved to the cloud behind public-facing entry points, the attack surface grew. I saw modern security as crucial to any infrastructure, because without it you leave yourself open to an attack that could cripple your company.

Some Background

The first company I worked for, at 21 as a self-taught software developer, was in the SaaS space. We had several platforms, including our main customer hubs, but the focus of today is the one platform that served the others as a call-review process. It handled call reviews and had users from all over the world. There was a big problem, though: users were constantly using TamperMonkey, a Firefox extension that allows client-side automated script execution, to automate reviews, which produced incorrect data. This had been going on for years, and records with missing data would break automated processes.

The CEO at the time had even brought it to everyone’s attention because this affected everything. I saw this as an opportunity to show my skills, so I dove in headfirst.

OSINT (Open Source Intelligence):

The practice of gathering information from publicly available sources. This includes a wide range of information found on the internet, in print, or through other open channels.

Think of OSINT as the easy mode of intelligence gathering. Many agencies and law enforcement bodies are known to use it to their advantage. Anything posted publicly on the internet is fair game for someone to find and use toward a goal of their own. Used ethically, it can be a game changer for tracking down things, people, and so on.

I knew the users that had been cheating because they all followed a systematic pattern. Now how do I find out who these people are? At least one of them made a major mistake using their personal email on the account.

Google Dorking:

A technique that employs advanced search queries to uncover information on the internet that might not be readily accessible through standard searches. It leverages Google's search capabilities to locate specific text strings.

I went to Google and used a technique called Google Dorking to search for the email they used, and lo and behold: an accurate full name. I started searching Facebook next to locate him; I knew they were from Venezuela because of their IP and previous knowledge of the cheating users. I found one profile that I thought was actually him, but wasn't sure. I switched to looking for Facebook groups tied to these activities. This ended up being fruitful, because one group was public (and to this day still is) with posts about TamperMonkey.

To maintain anonymity, I created a fake Facebook profile with characteristics similar to others within the group. I had a Venezuelan flag as my background and a picture of a famous soccer player from there. I needed to get into the group next, so I just submitted a request to join and, surprisingly, they let me in. Now I had a list of at least 100 known people actively cheating or trying to.

Where was the script? I didn't see it in the group, but it looked like there was a Facebook message group, so I requested to join and they let me in. All of the messages were in Spanish, and even though I knew some, I used Google Translate to see what they were saying. It seemed the group had a main person who had built the script and was selling it for ~$15. I bought it and now had the means to at least patch one version of it.

Script Kiddie:

A person who uses existing computer scripts or code to hack into computers, lacking the expertise to write their own.

It seemed that ~90% of the people using the script had no idea what it was actually doing and needed a ton of help to get it working. That worked to my advantage, because it meant there were fewer people with actual technical knowledge.

I even found the creator of the script on LinkedIn which was fairly crazy. He was a professor at a college in Venezuela. It's pretty crazy what you can find on the internet from just an email.

From there I looked at the script -> reverse engineered it -> wrote notes about how it works.

Honey-patch:

A deceptive security measure that involves deploying software patches that, while appearing to fix vulnerabilities, actually mask the fact that the vulnerability has been addressed, and in some cases even simulate the vulnerability being exploited, but with the outcome redirected to the defender.

I used a honey-patch of sorts to "patch" the system and log the users that were flagged. I watched it for a while at first, and once I felt it was accurate enough I pushed the change to production. It started catching tons of users, and I had to dial it back somewhat because a lot of users complained about being caught. Some of course were false positives, which were corrected, but that code sat there actively catching users of that version of the script. It wasn't an end-all solution, but it pushed back.
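To make the honey-patch idea concrete, here is an added example in Python (not code from the original post or the platform it describes): the server keeps accepting automated submissions so the script appears to work, but it flags users whose submission timing is machine-regular or whose records lack required fields, logs them, and holds their reviews back for audit. The event format, thresholds and quarantine action are assumptions chosen for illustration.

```python
"""Honey-patch style detector for automated review submissions (added example,
not the original post's code; event format, thresholds and the quarantine
action are assumptions chosen for illustration)."""
from dataclasses import dataclass, field
from statistics import pstdev
from typing import Dict, List, Tuple

# Constructed sample events: (user, submit time in seconds, required fields present)
EVENTS = [
    ("bot_user", 0.0, False), ("bot_user", 4.0, False), ("bot_user", 8.0, False),
    ("bot_user", 12.0, False), ("bot_user", 16.0, False),
    ("human", 0.0, True), ("human", 37.0, True), ("human", 142.0, True),
    ("human", 190.0, False), ("human", 301.0, True),
]

@dataclass
class Verdict:
    flagged: bool
    reason: str
    # Flagged reviews are still accepted, so the script appears to work,
    # but their timestamps are held back for audit instead of trusted.
    quarantined: List[float] = field(default_factory=list)

def analyze(events, min_reviews=5, max_jitter=1.0, max_missing_ratio=0.5):
    """Flag machine-regular submitters and log them instead of rejecting.
    Flag when >= min_reviews submissions arrive with near-constant gaps
    (std dev <= max_jitter s) or when over max_missing_ratio lack fields."""
    per_user: Dict[str, List[Tuple[float, bool]]] = {}
    for user, ts, complete in events:
        per_user.setdefault(user, []).append((ts, complete))
    verdicts: Dict[str, Verdict] = {}
    for user, rows in per_user.items():
        rows.sort()
        times = [t for t, _ in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        missing = sum(1 for _, ok in rows if not ok) / len(rows)
        if len(rows) >= min_reviews and len(gaps) >= 2 and pstdev(gaps) <= max_jitter:
            v = Verdict(True, f"regular timing (gap stddev {pstdev(gaps):.2f}s)", times)
        elif missing > max_missing_ratio:
            v = Verdict(True, f"{missing:.0%} of records missing required fields", times)
        else:
            v = Verdict(False, "ok")
        if v.flagged:  # log quietly; the client still sees a normal success response
            print(f"[honey-patch] user={user} reason={v.reason} held={len(v.quarantined)}")
        verdicts[user] = v
    return verdicts
```

Running `analyze(EVENTS)` flags `bot_user` for its fixed 4-second cadence while the irregular, mostly complete `human` submissions pass; the thresholds are the knob the post describes dialing back after false positives.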

At the time I was the only person still working on it, and this led me to help solve another bug the CEO asked me to look at, which seemed related because of its data patterns. I had it almost completely fixed, but before I could finish, COVID happened and unfortunately it was no longer a priority. It's unfortunate I didn't have time to provide a final fix, but I did what I could with the time I had. If I had more time, the endgame would have been a machine learning-driven detection system leveraging authentication patterns, IP history, timing analysis, and server-side behavioral monitoring to detect and block malicious automation in real time.

For all my hard work over months I was awarded 25 bobbleheads that the CEO had made for me. It's wild how this all started with me using social engineering to gain access to code used against the platform. I had a lot of growth there and learned so much about myself and how to work with a team. Those early days solving such complex problems will always be remembered. #HackerFarm

Even if your login flow is bulletproof, compromised or malicious accounts can still wreak havoc from the inside and that’s why IAM must go beyond just authentication.

What’s Next?

IAM is just the foundation of my new Monday series: Modern Identity & Access.

Coming soon:

  • What makes CIAM (Customer IAM) different

  • WebAuthn & Phishing-Resistant MFA: Is Bio-Based MFA the Final Boss?

  • Why MFA is more than a checkbox

  • What XIAM is and why it’s emerging now

  • The Identity Threat You’re Ignoring: Session Hijacking and Token Theft

Follow along to understand how identity is shaping the future of secure, scalable systems.


Written by

Jeffrie Budde

Hello! I am Jeff, a seasoned software engineer who has worked on everything from R&D with reverse engineering, creating honeypots to catch malicious users, and even troubleshooting server hardware. I love solving problems and building things in a scalable, secure, and redundancy-based fashion. This will be a place where I show my thoughts on tech and share my knowledge.