Meeting Jane and John Doe: Ficticious People and Their "All Too Real" Exploits

Meeting Jane and John Doe: Ficticious People and Their "All Too Real" Exploits

by Noell Letourneau


The use of ficticious people as a tool of deception has occured since the dawn of man. A formal definition of the attack method is "impersonations or false identities that are used to bypass controls, manage perception, or create conditions amenable to attack" [2]. Creation of a ficticious person is quite easy due to the abudance of services that offer false identification cards, birth certificates, green cards, etc. Also, many web-based sites include user profiles that make it easy to create a ficticious identity. There are many incidents that have occured in the past few years that involve the use of ficticious people as an attack method. The events not only show the clear connection between information systems and the attack, but also showcase associations between this attack and other known threat/attack profiles. Effects on the victims of this type of attack can be devastating, particularly financially and/or psychologically. The Internet has aided the development of this attack by making it easy to create fictional identites using the profiles or services discussed above. Fictional identities may also be used for good, although that is often not the case. Finally, while the problem is continuing to escalate, there are some major efforts underway to help prevent these attacks from happening, particularly in the FBI.=20 [2]

The Introduction:

Imagine a puppet on a stage, dancing, moving, talking, performing. It may seem almost lifelike, almost real, however it is controlled by the puppeteer, the one who holds the strings and manipulates the doll as he or she pleases. Fictional identities are very similar, those who adopt these identities control them and manipulate the characters to further their own goals or ideas. No matter how real they seem, one always has to remember that there is someone else behind them, pulling their strings. Using ficticious identities, people are able to cause confusion, damage, and other related problems wherever they go. The word ficticious means "Imaginary, something adopted or assumed in order to deceive, an assumed character or part" [1]. The negative connotations are clear from this definition, as ficticious people aim to deceive others. Ficticious people can be defined as, "impersonations or false identities that are used to bypass controls, manage perception, or create conditions amenable to attack." Examples of such people include spies, impersonators, network personae, fictional callers, and many other false and misleading identities [2].

Ficticious identities as a method of deception have been used for centuries. Spies, outlaws, people under persecution, and many others have changed their identities and their lives to gain information and destroy enemies, possibly even to survive. It is no different today, currently every year scam artists create over 700,000 false identities in the United States [3]. When considering the history of fictional identities, it's clear that not all cases involve malicious deceit or intent. In fact, during World War II, many master forgers provided false identity papers to Jewish families to escape the terrors of the Holocaust. The ficticious people discussed in this paper are not good samaritans though; their aim is deceit, their intentions are anything but noble, and they act to further their own selfish interests. Now the formal introduction has been made, and it's time to delve into the world of the ficticious person and learn about those behind the facade.=20

=20 The Birth of the Ficticious Person:

The creation of a ficticious identity may seem complex but in actuality it's not.=20 On the internet there are a number of services that offer the creation of fake identification, in the form of driver's licenses, birth certificates, etc [4]. In addition, there are entire websites devoted to the creation of a "new you" [5]. Many people make an illegitimate living by selling such ficticious identities.=20 In North Carolina, one well-known forger travels through the countryside in a nondescript van, churning out fake green cards. Technology has made his process easier, cheaper, and faster: Today, an "identity package" - green card, Social Security card, and driver's license - can cost as little as $100. Buying the equipment to make such identification cards is simple and relatively cheap. In effect, a forger needs little more than a photo on a colored background, a high-quality printer, a $15 laminate pouch, and a few other items to make a fake ID using $29 templates from the Internet. The machines that print out today's new generation of credit-card-style driver's licenses can be bought for a few thousand dollars [6].

The complexity of creating a fictional identity can also be much less invasive than described above. Fictional identities can be created with user profiles on popular sites such as those that provide email (,, or dating services. These fictional identities can be used to exploit trusted relationships, communicate to others, and gain information, all while concealing the true person's identity. The motives for creating ficticious people can vary. Ficiticious identities may be used to cover the real criminal's tracks, endorse products or services, gain access to privledged information or areas, gain entry into different countries, and create/exploit peer (or trusted) relationships. Clearly the motives are malicious in their intent. Often the ficticious person is employed to create or increase conditions that are amenable for attack by the perpetrator. Once again, the relationship can be described as puppet and puppeteer. Unfortunately for the criminals though, their alter-egos can't go to jail and so they must, if they are caught.

The Exploits:

There are several recent incidents that involve the use of a ficticious persona by an attacker or attackers. Each event presents a unique case to discuss and analyze. In order to understand why the creation of ficticious people is such a useful tactic (and why these attacks are able further or cause vulnerabilities which make it easier for subsequent attacks), the connections between information systems and the attacks must be considered. It is also important to look at the attackers involved and their association with known threat profiles. Several of the articles discussed below focus on these associations.