Ep 11: It’s Super Easy to Find Your Home Address and Cell Phone Number
In this episode, we talk about just how quickly and easily someone can uncover your personal information, such as your home address and cell phone number. This is certainly not news, as it has been possible to do this for years, but the number of people who are scammed, stalked, or otherwise harmed because they do not know which of their information is easily accessible is alarming.
This information could easily be used to craft an attack to gain access to bank accounts, retirement accounts, home titles, identity, and business networks. At this point, it’s unrealistic to believe that some of your data is not publicly available, but there are ways to protect yourself from an attack.
To illustrate this again I performed the same type of research on another recent college graduate who did not believe I could find his cell phone number. This one was a little more challenging because the number was actually in his father’s name but he was shocked when I called him and told him what else I uncovered, in less than an hour.
This type of information gathering is almost always the precursor to a social engineering attack. Attackers will gather as much information as possible before trying to socially engineer you. The more they know the easier it is to be convincing. That’s why you need to be prepared.
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks. It’s time to educate.
Welcome to the Human Element Podcast. Visit our website at the human element dotnet for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar. Owner and Washtech a client-focused, security-minded, proactive IT service provider. Welcome to Episode 11. This is the real episode 11. I am Scott Gombar, your host. And the last episode I uploaded was episode 10. Even though in the podcast I said episode 11, it is not episode 11. This is episode 11. We’re going to do it a little bit differently this week. And I think maybe the next couple of weeks it’s going to be storytime. So this week, I’m going to talk about a scenario, and I’m going to leave names out for obvious reasons, you’ll understand soon. I was at a sporting event for one of my children. And I overhear a few of the moms discussing someone who is borderline stalking, I guess. And that person pops up on the internet, wherever they are, they’re able to communicate with them despite being blocked. They pop up in physical locations that they attend. So let’s say the mom attends a parent-teacher conference. Somehow this person shows up there as well. They do random text messages, Facebook messages, LinkedIn messages, all of the different platforms, all the different ways of communicating. I don’t recall hearing WhatsApp, but I suppose it’s a possibility, WhatsApp messages, which we’ll have another podcast about in the future because I have started receiving a lot of WhatsApp messages out of the blue. From people I don’t know, they’re obviously scams. But I think that’s where a lot of romance scams are taking place now. So we’re gonna go over one of those in a future episode. So I overhear this conversation going on between a few moms. And I interject, and I say, you know, is there something I could do to help? Now at this point, the moms don’t really know who I am, what I do.
So I, you know, introduce myself and tell them that my primary business is IT. However, I do a lot with information, data information. And I guess, well, it’s open source intelligence is what it comes down to. And so the book that I am still very slowly writing is loosely around open source intelligence and social engineering and phishing, and so forth. Alright, so I interject in this conversation, and so after I introduced myself, they, you know, obviously, they’re not that comfortable with me. So they tell me the basics. And then, you know, the question is, well, how does this person always know where I am? How to find me, get a hold of me, contact me, message me, even when it’s unwanted? Apparently, some of the messaging occurs very late at night. And this is where my open source intelligence gathering skills come into play. So I said, okay, here’s what we’re gonna do. This is in the middle of the week, I say, and I know that this group of parents is going to be back together in a couple of days. I say, give me those couple of days. And I’ll show you how easy it is to find out enough information about where you’re going to be, where you live, how to contact you, and all of this, and how easy it is to do these things. All right. I go home, and I begin working. All I have is a name. That’s it. I have researched the name. The name is not completely unusual. But it’s also not extremely common either. It’s not, you know, it’s not John Smith. But it’s not boom chic or anything like that were designed going to be one person in the entire half of the United States name that name. This is someone with a somewhat uncommon name.
Enough so that I was the only person in the state we were in at that time. simple Google search. And what do I come up with, I
come up with all of the social media platforms, including LinkedIn, LinkedIn shows me what they do for a living, I come up with their voting, you know, your voting records or online, your party affiliation is online. And from that, I’m able to also now find where they live, I got the exact address of where they lived. I got their phone number, their cell phone number, I found pictures a little, you know, they weren’t adult, they weren’t, you know, triple X rated, they were a little risque, I found those pictures. I found family members. If I wanted to, I could do a lot more damage with the family members, reaching out to family members pretending to be someone I’m not. And I could say, you know, so and so’s looking for a job, they applied for a job at my company. And we’re trying to get some background information, can you provide, you know, different pieces of information that could be useful. I found divorce records, divorce records are public, you can find those anywhere. You can find arrest records, this particular person did not have arrest records. But you can find arrest records very easily on the internet. And I did all of this for free and did not pay any service whatsoever. To find this information. Now there are services out there, where you could dig even deeper, and find even more personal information. And those services are not by any stretch of the imagination, expensive, you know, the couple 2030 $40 a month to have those services, and be able to search people up, basically a background check. And now, so I’m gonna say I did most of this with Google, a little bit of social media, voting records, things like that. Court records, all all publicly available all for free. There is a movement to move to allow people to remove their information from Google. And that’s great. The problem then becomes Google is Google. Google does not own every website out there. 
And internet, they don’t know they don’t own the judicial sites, they don’t own the background sites. They don’t own the voting record sites. They don’t own LinkedIn, Facebook, Twitter, Instagram, they don’t own Pinterest, all of these things are not owned by Google. So no matter how hard you try, your information is still going to be on the internet. Even worse, they don’t own the dark web sites. Now, I did not go on the dark web for this particular instance. And that is because I wanted to show them how easy it is to find their information without really digging in deep without digging my heels in and finding information on the dark web and finding information on background sites. And without using open source intelligence tools necessarily, although I consider Google a open source intelligence tool. I wanted to show them just how easy it is. To make it even more interesting, I then began texting them from another number, pretending to be the person that they said was was able to find them whenever they needed to find them whenever they wanted to find them not need. But what it is incredibly easy to spoof a phone number these days, I personally have half a dozen phone numbers I could use at any time now those phone numbers are fairly public. And people know where to find me and how to call me and contact me and text me. But it was not hard at all began a conversation pretending to be this other person and, of course quickly got annoyed and blocked it. So I only wanted to do that to show him how easy it was. And, again, you can get well, you could get a Google Voice number for free. And you can get other phone numbers for a few dollars a month. It’s not hard at all. You don’t need a whole new phone. You don’t need anything. You could just get an app. You know, Google Voice. If you get a Google voice phone number. You download the Google Voice app and you start messaging them from the app. It’s really not hard. I actually did this to my brother once many years ago. 
I messed with his head a little bit and, ah, he never, if he ever hears this, he’ll know it was me. But he never did figure out it was me. But I was just messing with him, it was just some fun. It’s not hard, it’s very easy to do this. So in that short two days, I uncovered name, family members, home address, their job. I didn’t dig in and find where they worked. I just know what their job title was. Their social media accounts, their divorce records, I found that they had no criminal records, their voting records.
So now, you know, with voting records, if they voted, if you see that they’re registered as a Democrat or Republican, you kind of know some of their ideology, some of their belief systems, especially in this day and age, when Democrats and Republicans seem to be polar opposites at this point. Now, if they’re registered Independent, then it’s a little more difficult. You could tell by social media posts. By the way, if you have Facebook or Twitter or any other account, and especially if you have somewhat questionable material, your best bet is to block people that are not your friends. So you know, all social media allows you to do this. So if I looked you up on Facebook, and I see these pictures of you with barely any clothes on, and those are posted to the whole world, and so the whole world can see it. Well, first of all, they’re also on Google now, because Google’s going to index them. But also, anybody could see those and potentially use that against you. How many times have we seen where a celebrity, an athlete or someone has had their Twitter account posts from 10 years ago be dredged up and revealed to the whole world, expose them, and in some cases, ruin them, ruin their careers. If they’re running for some type of political office, ruin that career. If they want to be a judge or something, their careers could be ruined, potentially, depending on what they’re trying to do. There is the woman who had an OnlyFans account, but was also, I think she was a nurse or something in healthcare. And the OnlyFans account was made public, made public knowledge to her employer. She ended up losing her full time nine to five job, I don’t know if it was nine to five, but full time nine to five job in health care, and now she’s only doing OnlyFans. And I don’t remember the name, but I remember reading the story, I believe that she was out of Canada or something.
So what you post in make available to the whole world can be used against you, potentially, you know, if I’m posting racist material on the internet, and I want to do business with a very diverse company that that company is not going to want to do business with me if that information is made public to the whole world. I don’t do that you can look. And as a matter of fact, I met with a potential client earlier this week as I’m recording this. And one of the people in the office said, Yeah, we did our background check on you. And we looked you up and they really dug in. They looked up my information on all social media platforms to see what I’m posting what I’m sharing. And all I really share is the IT stuff, the social engineering stuff, and some dad jokes and things like that. And sports sports, big sports fan. So I don’t really share a matter of fact, I barely share pictures of my kids anymore, or where I’m going or things like that. So now it’s good time. I show up few days later, I think it was a Friday. So we’re there, and we’re having a conversation and I said, Well, you blocked me after I text you. And she’s like what? I said, Yeah, I text you. And I told you that I was you know so and so I tried to start a conversation with you pretending to be so and so so and so is the person trying to the person borderline stalking them. And again, I’m defining stalking as dangerous behavior. At this point, the person is just contacting him out of the blue, maybe having appropriate or attempting to have inappropriate conversations. They’re not being you know, they’re not following them around. They’re not making threatening comments. I want to be clear, any type of behavior, even if it’s just contacting them, even after they’ve been blocked. Is should be considered dangerous because it can escalate quickly as we’ve seen things escalate quickly. These days. 
So if you’re being even messaged by if you’re receiving unwanted messages, unwanted advances, unwanted communications, especially after you told the person and blocked a person, you should report it. I’m not sure if this this person reported it after, but I do know I did tell them that they should absolutely report it because it could escalate. Alright, so I said, Yes, I messaged you. And this is the phone number. And I showed the conversation to her. And she was blown away. I didn’t know is that easy to get a second phone number. And honestly, it wasn’t my second phone number. I’m
not even. It’s an app I barely use. But I do know how to use it. And I do use it just for these kinds of scenarios. So she’s blown away by that so that I bring up my my worksheet. And I show her all the information I found. Again, within I don’t think I spent more than 30 minutes on it, to be honest with you, except for the texting part. I did not spend more than 30 minutes on I found home address should be scared. This is a single mom should be scary. Home Address, party affiliation, all social wire, I don’t know if it’s all but at least three or four social media accounts. What she does for a living her birthday, I found her birthday. And I failed to mention that earlier found her birthday. So the day the month in year, which has a lot of information already her cell phone number, obviously I texted her What else that I find email address associated with her divorce records, previous addresses how long she’s been at our current address of could have filed criminal records if there were any that did not appear to be any. Sometimes you have to dig a little if it’s not in the same state you’re in or if you don’t know that they were in another state, you might have to work a little bit harder. In this case, I knew she was a lifelong resident of the state we were in family members, which could also be dangerous. And if I really wanted to I could find her employer. I did not again, I did not go that deep. I wanted to just have enough information to say this is why this person keeps contacting you and you’re not able to stop it. You should report it because it’s really the only way you’re going to stop it. If that doesn’t scare you, I don’t know what else can scare you. It is that easy to find information on on people. I could look up anybody now. Now if you have a name like John Smith, yes, it’s going to take a little more work to narrow down the right person. But again, not that hard. And I did not use what are classified as open source intelligence tools. 
I used Google and social media and voter records, Judicial Branch site. I did not go out of my way for this challenge at all. 30 minutes of work is all I spent on it. I spent more time documenting it than I did actually doing the work. If this doesn’t scare you, if this is not a wake-up call, then I don’t know what it is, because now we’re talking about people that are constantly scammed, like how does it happen? Alright, so I get a text message. I’ve got two text messages. Last week, I believe they were almost identical in nature and the text messages were something about my Amazon account being suspended. I’m trying to find it now as we’re talking. Something about my Amazon account being suspended, and so you get that gnawing pit in your stomach, and I got it. So I know these are fake, but the second I saw, so I have Amazon accounts, multiple accounts. I have Amazon Web Services accounts. Alright, here it is. "We’ve suspended your Amazon account due to unusual activity, new login from Safari," and it gives this IP address based in Iceland. "Our system has canceled all your pending orders." So pending orders, so for me, I knew I didn’t have any pending orders. I’m done with it right there. But I took a second, so wait a minute, I know better than this. This is a phishing text message, SMS. They got my phone number somehow, somebody found my phone number and somehow connected it to Amazon possibly, or they just guessed, it could be the spray and pray method. I don’t know. But people fall for it all the time. And if your cell phone number is out there, and mine is, I’ve had my same cell phone number for, I don’t know, 50, more than 15 years. So mine is obviously out there at this point. And unfortunately, we’ve reached the point in the world where information is out there, it’s available, it’s going to be found. Now it’s a question of protecting yourself, knowing what to look for, understanding the dangers that are out there, understanding that it’s super easy to find information on someone. I’ve been just, you know, I’ve been challenged in the past to find home addresses and was able to find them by other people I know. And did it within minutes, within, you know, five minutes or less. It’s not hard at all. And the information is out there, and really, you know, when you purchase a home, the information is on the internet, when you sell a home, the information is on the internet. These are all things you need to understand, that the data is there, it’s not going to disappear overnight. It was always there. You know, probably the last 10 years or so, every little bit of data has been uploaded to the internet. It’s there. Assume your data is on the Internet, whether dark web, whether it’s Google, whether it’s OSINT, open source intelligence sites, social media, whatever it might be. And I know there are some people who just don’t care, they just share everything. You know, I removed my birthday from every platform out there, but you can find my birthday, let’s be realistic, my birthday is going to be found somehow. Just assume it’s there. And then prepare yourself for the inevitable, it is coming. Whether it’s a phishing, smishing, voice phishing, which is vishing, whether it’s an email that says your account’s been closed because of suspicious activity, whether it’s some boyfriend from the past or girlfriend from the past that starts stalking you, whatever it might be. It’s out there. Assume it’s out there and prepare yourself because it’s coming, whether you want it to or not. Prepare yourself. Whenever you receive something that gets you, you know, that pit in your stomach like, oh crap, I’m in trouble.
You know, for me, my Amazon account. I have websites attached to it. I have this podcast attached to it. I have a lot of stuff attached to it. If that account gets suspended, I’m in big trouble. Don’t fall victim to something like that. Take a minute, step back and say, wait a minute. Let me check, let me go to Amazon and log in. Protect yourself. If your data is out there, your information is out there. Your identity is not secure.
Protect yourself. Hopefully this is a wake up call for some of you. So next time, we’ll talk about something a little bit different. But until then, stay safe, stay secure.
Transcribed by https://otter.ai