Note: This story is based on a real happening but I changed all the information, including her name and country, to keep her identity safe. You may not get impressed by what you read because you might think, Hey! I can do that too! But dude! It’s not about what you can do, it’s always about what you do. Let’s go!
So I got a Facebook notification that my friend had mentioned me in a comment. I clicked on it and started to watch the video where he tagged me. It was a clip from a Russian news channel where a bunch of kids were demonstrating how hackers can steal information from your phone. They were using DroidJack and the video was cringy af. The main character in that video was a 14-year-old girl named Harley Quinn and the interviewer was saying she is the youngest hacker of Russia. I really laughed at that video and got curious about who she was, but I went far away on that path. I wanted to hack her but I didn’t.
What’s in a name? Everything
Lemme show you a screenshot to make you aware of the scenario first.
She shared this news channel’s video from her account, but I was interested to know who she was, so I clicked on her name. Unfortunately it was more like a fan account: she had 4896 friends on it, which clearly indicated that it wasn’t her real account. So I just did a quick Facebook search and got this:
Damn! There were only two accounts with her name. I rushed to check if the second account was of that girl or not. This account was legit, I saw her comments where she was interacting with her friends and there were several pictures of her including some of her childhood pictures. So yeah it was her real account.
I used stalkscan.com and quickly made a list of her close friends and learned about her interests by looking at the groups she had joined and the pages she liked. Instead of learning more about her through her Facebook profile, I decided to find out what else I could do.
So I went to the forgotten password page of Facebook and entered her Facebook username, i.e. www.facebook.com/harleygirl, and I got this:
So Facebook says her email is: firstname.lastname@example.org. Hmmm…so what should be her full email address? By looking at the length of the censored email and the first and last characters, I predicted that the email should be email@example.com. To verify this, I went to the forgotten password page again and entered the email this time and got her account in return. So we have her email address now. With her email address I got her Twitter handle and Google Plus account, which weren’t active at all.
So I decided to go further and googled her name. As she was Russia’s youngest hacker, a decent number of results popped up. By digging deeper and deeper and deeper I found her blog where she used to write poems, but there was nothing else of much value.
After that, I searched for her name in locatefamily.com and boooooooooooooom!
Damn! I have her exact address and the best thing is that I have her phone number. I knew what to do.
Wew! truecaller.com is f*cking helpful! It can retrieve information about the owner of a phone number. But this number wasn’t linked to Harley Quinn but was linked to someone named Bruce Banner. I guessed it’s her dad, so I repeated the whole lookup thing. I added him to WhatsApp and refreshed my contacts and he was there. I searched on Facebook and I got one account. I bookmarked that account and googled her dad’s organization, Hydra Group, and then quickly found his website. Just 5 seconds into whois and chill. I had his phone number, house address and email address. I checked if the info matched the info I already had and it did match.
I organized all the information I had so far and sent it in Team Ultimate’s group chat. I wanted to hack her. Not for any malicious purposes but to check if I am good at social engineering. Well, I actually didn’t try to hack her but here’s how I would do it.
After analyzing her and her parents’ Facebook accounts I realized that she wants to get famous, so I guess fame is the bait here. So I would use Google to find reputed news channels in Russia and would write an email on behalf of XYZ news channel, like this one:
Note: Social Engineering is based on human interaction. The same email with some document may look suspicious or like spam, but in this case, we are trying to interact with the victim. Moreover, if you are sending an e-mail of this kind, you should keep it professional.
After getting a positive response from her, I would send another mail like this:
Yeah you guessed it right! That document would contain some kind of payload which would get me a shell over her. Oops! I forgot one major thing, email spoofing! I would spoof my email address to look like this: firstname.lastname@example.org. In email spoofing, we just change the header of the mail to be sent so the receiver sees a different source e-mail address. So I will be sending this mail from email@example.com but the receiver will think it’s from firstname.lastname@example.org.
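What the receiving side can check about the header change described above, as an added example that is not part of the original post: the visible From domain is compared with the domains that actually passed SPF and DKIM. The sample message, its domains and the function names are constructed, and subdomain matching stands in for a real organizational-domain lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From claims news.example.com, but SPF and
# DKIM only vouch for an unrelated sending domain.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=pass header.d=mailer.example.net; dmarc=fail header.from=news.example.com
From: "XYZ News" <editor@news.example.com>
To: reader@example.org
Subject: Interview request

Hello
"""
# Constructed counterpart where the authenticated domains match the From domain.
LEGIT = SPOOFED.replace("mailer.example.net", "news.example.com").replace(
    "dmarc=fail", "dmarc=pass")

def domain_of(value):
    """Lower-cased domain of an address or bare domain ('' if none)."""
    addr = parseaddr(value)[1] or value
    return addr.rpartition("@")[2].strip().lower()

def aligned(a, b):
    """Relaxed alignment, simplified: same domain or parent/subdomain."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_from_alignment(raw):
    """Flag mail whose From domain is not backed by an aligned SPF or DKIM pass.

    Assumes the Authentication-Results header was stamped by our own
    receiving server; one supplied by the sender must be ignored.
    """
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    auth = msg.get("Authentication-Results", "")
    verdict = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    prop = dict(re.findall(r"\b(smtp\.mailfrom|header\.d)=([\w.@-]+)", auth))
    spf_ok = verdict.get("spf") == "pass" and aligned(
        domain_of(prop.get("smtp.mailfrom", "")), from_dom)
    dkim_ok = verdict.get("dkim") == "pass" and aligned(
        domain_of(prop.get("header.d", "")), from_dom)
    return {"from_domain": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "suspicious": not (spf_ok or dkim_ok)}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_from_alignment(raw))
```

Note that in the spoofed sample SPF and DKIM both report `pass`; the message is flagged only because neither passing domain matches the one shown in From.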
I asked readers if I should write this story or should post an actual doxing tutorial *coughs* doxing is a wrong word, it indicates that information is being gathered for malicious purposes, better call it information gathering about a person. So they asked me to write a story and I did, but the next two articles will be about email spoofing and the step-by-step process of gathering information about someone.
Till then, keep learning! keep hacking!