Finding out how I am being digitally tracked

Adam D
Adam D used Ask the Experts™
on
All systems show clean by Malwarebytes, Vipre, online testers, etc.
Mail server (Windows Server 2008 R2) same
Phone - clean
Minimal online presence, no social media use, no FB, no Google/Gmail account (not on my phone either), no Verizon syncing on my phone, no syncing at all except to my personally run server for my mail.

Samsung S8 Rooted w/ DroidWall, 95% of things locked down, no Play Store, minimal apps.

Problem:  Search a topic, next day (or a few days depending) scam/fake email shows up about that topic.

I want to know what tools, techniques, methods, forensic investigations I can do to track down the leak.

Thanks. :)
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
I would setup two step authentication on your Google account and change your password.
Adam DIT Solutions Developer

Author

Commented:
I would recommend you re-read the question.
What browser do you use?  Do you have addons installed?  Which ones?
How to Generate Services Revenue the Easiest Way

This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:

- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples

Adam DIT Solutions Developer

Author

Commented:
Chrome/Firefox - no add ons
Phone - Chrome - no add ons

Thanks.
Commented:
1. From what you've described, it sounds a bit like the the observer-expectancy effect. You haven't really listed out any of the topics you searched for and received spam about. Given the massive amounts of spam about all topics, you might be more attuned to seeing spam email about something you recently searched for and then assume that there was a cause-and-effect from your search, when ultimately, the spam was coming anyway, regardless of your search behavior, but if you had not searched for it, you would not have focused on it.

To test this out, determine a topic that you wouldn't normally search for and is not already among your spam and hasn't been for a while. It may be hard to find one that isn't already a normal spam topic (e.g. my spam filter catches things about math camp, which has no relation to anything I've ever searched on).

For example, perform a search for "ENIAC" (the old computer) and see if you get spam about that or vintage computers in a few days (and make sure you're not already getting spam about vintage computers).

If you don't get spam from that, then step it up to something more specific that has financial incentives like searching for "where to buy old computers" and repeat the wait-and-see test.

But if you're searching for just about anything modern, commercial, political, etc... then you're basically searching for things that are already pieces of spam that hit everyone (some filters block it, some don't).


2. There is a chance that even if scans come up clean, that you're dealing with something that hides itself (e.g. a rootkit). If there is indeed a rootkit infection, then it can conceal itself from all the scanners you're running because it can ultimately control access to itself. The best way to check for this is to burn a bootable LiveCD that contains a good antivirus that can pick up rootkits.

Here's a list of some popular options:
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

...but I'd recommend either the Kaspersky or BitDefender options.

You can also try out Trend Micro's free RootkitBuster:
https://www.trendmicro.com/en_us/forHome/products/free-tools/rootkitbuster.html

In any event, if there truly is a rootkit installed, it could access your email address and monitor your searches.

If there isn't a rootkit and it's not just an observer-expectancy effect, then either:
1. It's an advertiser network, driven by a cookie that links to some account that DOES have your email address. Not much you can do about this aside from just completely clearing all saved passwords and all cookies and all history from your browser, and then immediately performing another search test for some new topic keyword while still not being signed into ANYTHING. The advertiser network will still be there, but it won't be able to identify you and associate your search to your account / email.

2. The sites you're visiting from those results are triggering the spam. Any search result you click on can see what you searched for (it's a standard part of SEO), but what they do with that info is up to them. So if you share your info with them (e.g. sign up for a newsletter or an account with them or something), then they can start sending you spam about that topic or even sell your contact information.
EirmanChief Operations Manager

Commented:
Switch to SRWare Iron or Iridium.  They follow GDPR and remove all the google tracking.

Firefox also has connections to google if you use the "safebrowsing" stuff turn that off or use Waterfox.
Adam DIT Solutions Developer

Author

Commented:
Thank you gr8gonzo for the detailed information.  Not likely to be an observer-expectancy effect, it seems to be more than that.  I have done the test of searching for something obscure and it was inconclusive.  Rootkits - doubtful, have run various tests for them in the recent pass with nothing found.

I am aware of sharing my information with a company will usually result in spam and they will usually sell of my data to another company, etc.  My email addressES are out there and some get more spam than others.  I do not use a spam filter at all, I want to see what is coming in (no, I don't click on anything).  I get all the usual stuff, but it is the targeted emails that happen within a short amount of time of a search that has me wondering where they got that information.  

I want to make sure my systems/servers/network including ISP are not the leaks.

Eirman - as stated there is no Google Activity - I do not have a Google account nor voice activity - I do not use voice to text or search.

Google Advertising ID - maybe, but that would only be associated with my phone.  Again, no Google account, no access to PlayStore.

Search Engines - maybe, since I usually use Google for searching, but again, no ID, no login, no account.

Serialband - thanks for the information, I will have to check into those, but no I don't use any of the "safe browsing" options or pre-load options as it does send my searching/browsing to Google to check it.
"Safebrowsing" is turned on by default in Firefox.  You have to  go into about:config to turn it completely off.

Commented:
Google Advertising ID - maybe, but that would only be associated with my phone.
Not necessarily. Unfortunately, data collection is so rampant that it's highly probable that an email address was somehow leaked at one point, and it only takes one time for that data to be stored forever in a big data system.

Your own ISP is likely not the leak, nor internal network. These days, Google forces HTTPS which means that your search data is encrypted BEFORE it leaves your computer, so it's hidden all the way until it reaches Google's servers.

Now, there could be a man-in-the-middle (MITM) SSL interception happening, but it's very unlikely. The attacker would need to be able to install their own CA certificate into your trusted CA roots. That's not a common practice unless you're intentionally doing it yourself or if you're at a corporate office. If there is SSL interception occurring without that root CA certificate step, then you would see SSL warnings anytime you went to a new HTTPS site (because the attacker would be generating fake certificates on the fly and they wouldn't be trusted by your system). So it's VERY unlikely but possible. Plus, if an ISP were to do that, it'd be the absolute end of their business if word got out about it.

Typically the only thing that ISPs get to see is your DNS traffic (assuming you haven't switch to using a different DNS provider). So an ISP might know that you went to www.somesite.com simply because your computer asked them what the IP address was for it, but they would have no idea what page you went to, what data was sent or received, or anything else about it. And again, any sort of spam-related "monitoring" that any ISP did would be catastrophic if it became verified news.

If this is a result of big data collection by the search engine or an advertising network, then using safe/incognito browsing on any browser would avoid that since you wouldn't be using any existing cookies, so there's no way for a remote site to distinguish who you are (there is no guaranteed way for a remote site to identify you without cookies).

If you use safe / private / incognito mode and you run another test and still see targeted spam come to you, then it's almost certainly something on your computer.
Google is tracking everything.  You can't stop that if you use google for searching.  You can't stop that if you use Chrome or Chrome Canary.  You can't stop that if you leave "safe browsing" enabled in Firefox.  Google has been evil since 2003, on the day they IPO'd.  They were only self deluding themselves until recently and finally removed their "Don't be evil" motto.

Private/Incognito mode does not protect you from that tracking.  Private/Incognito mode just prevents the browser from saving that tracking data onto your computer disk drive.  It does not affect what the remote server is collecting about you other than preventing them from reaching cookies or data you would have saved if you didn't use private/incognito.   You'd still have to restart the browser or browser window upon each new site that you wish to visit if you want to prevent them from accessing previously visited sites from within the same tab, since that information remains in RAM.  Google Chrome does a good job in preventing other companies from tracking you, but Google still tracks you.

Switch away from Google and 90% of that tracking disappears.  Google is the most invasive tracker that somehow has a lot of people not noticing.  They track data far more than Facebook.  Facebook just got caught in the news.  Google is still "hidden" from public view since they're still much more careful and have had better PR.  They also haven't been "caught" in a data scandal.

Commented:
Private/Incognito mode does not protect you from that tracking.
Ehh... sort of. Entering incognito mode is sort of like having a fresh start with cookies, for that session. So you'll end up with new cookies, but there's no data tied to those new cookies, so the tracking is pretty much useless. It's definitely not practical to just use incognito mode for the long-term, but it's useful for testing to isolate where things are happening.

Google has been evil since 2003
"Evil" ? I'd say that's skewing the definition of evil a bit. Genocide? Evil. Terrorism? Evil. Collecting data about user behavior to grow their own business? Not quite on the same playing field... :)

Also, earlier, the OP said:
I do not use a spam filter at all, I want to see what is coming in
There are several spam filtering services that will "quarantine" spam messages and send you a nice, concise summary each day so you can review and choose to let something through or whitelist an address or things like that. Makes it faster to skim quickly through things that are 99% spam while letting the important stuff through. Personally, I use MailRoute.
. So you'll end up with new cookies, but there's no data tied to those new cookies, so the tracking is pretty much useless

No.  Cookies aren't the only thing they use to track you.  They have multiple ways and cookies just make it easier for them.  They do know when you are in incognito mode and what IP address you come from.  Since google controls chrome, they have multiple ways to track you without the need for cookies.  If you leave Chrome running while you go from website to website, that session stores the current set of cookies in RAM.  You can still be tracked by the server.  They'll just sort the new cookies into a linked database for all the other pieces of information they have on you.

Collecting data about user behavior...
I'm using the term as google founders were using it, when they created their company motto and placed it in their corporate charter.  I find someone invading my privacy to be evil.  I'm against the "1984" pervasive monitoring that already exists in China and I don't want it here in the western world.  Europe considers it evil enough to pass GDPR.

If you're using a phone to browse, Verizon, AT&T, et al... sell your data to 3rd parties.

If you're viewing your spam or email without blocking images, you're getting tracked on their ad/malware server.  They sometimes put single pixel tracking images to track whether you've viewed the data.  That's also sufficient to get your IP address and geolocate you.  I have had email images turned off by default since at least 2003.  I individually enable images when I feel the need to view them.

Commented:
I suppose we have different standards for what we call evil. I don't dispute that Google tries to collect data and use it for advertising purposes. I don't think Google even disputes that. I just don't call it evil.

As far as cookies go, cookies ARE the only thing. IP addresses are not only dynamic but can represent many different people behind NAT. There's no value in data if it is unreliable.

You can also turn on Fiddler and watch the network activity between Chrome and any server it talks to, and you can see what data is being sent. This would include any data sent to try and correlate separate cookies together. However, no such thing occurs.
You don't go by just one bit of data.  IP addresses correlate to locations and that can be used along with other data to correlate your activity.  There's also browser fingerprinting.  There's also sites that you sign in to.  There's also patterns of other sites that you visit.

Here's google trying to remove privacy protections that people actually want.
https://www.bloomberg.com/news/articles/2019-09-04/google-industry-try-to-water-down-first-u-s-data-privacy-law

Commented:
(shaking head) none of the data you mentioned is reliable data (aside from sign-in data, which the OP has already excluded from his own behavior) - it's not data that anyone can correlate into valuable identification.

Look, if you want to believe that Google is somehow persisting your identity into incognito mode without sending the same cookies (at which point you have to ask yourself why they would use cookies at all), then you can believe that. Unless you can provide some sort of proof of how that works (keeping in mind what the OP says he does not do or have, like a FB or Google account), then this is just getting into an off-topic conspiracy theory element. Let's stick to the question at hand.

With that in mind, he can use incognito mode to test out whether or not a "fresh" (no starting/existing cookies) session search triggers the spam. If it does, then the problem is somewhere on his PC.
Let's stick to the question at hand.
I am sticking to the question at hand.  Just because you don't understand how all data tracking works, doesn't make what I say invalid.  He asked to find out how he can be digitally tracked and this is definitely one of the ways.

(shaking head) none of the data you mentioned is reliable data (aside from sign-in data, which the OP has already excluded from his own behavior) - it's not data that anyone can correlate into valuable identification.

One occurrence by itself is not reliable, but if you collect that same data over multiple days from the same behavior, it becomes statistically reliable enough to identify a person.  That's what google does.  Cookies just makes their job easier.  They use those to figure out how the other data correlates, then that knowledge can be used to reliably correlate those users that don't keep cookies any more.  They have such a large pool of data collected for nearly 2 decades to be able to track that.  These days, IP addresses don't change unless you leave your cable or DSL modem off for a few days, or you switch your modem out.  They're leaving the leases much longer.

That's just standard data science that any AI engine can easily parse.  This is not any conspiracy.  It's what data science has been able to accomplish from years of data gathering.

When Netflix released their anonymized data treasure trove a several years back, researchers were able to reverse the anonymization from that data.  This was back in 2007, 12 years ago.  It's not a conspiracy. It's fact.  It's also not done by a person, but by their algorithms that will automatically generate the data to send you to targeted ads.

https://www.securityfocus.com/news/11497 <- netflix de-anonimized
You don't even need that much data to be trackable/identifiable: https://en.wikipedia.org/wiki/Data_re-identification#Examples_of_de-anonymization

This is why I mentioned in my first comment that you would only remove 90% of the tracking.  You can't remove it all.  Every person follows a pattern.  Every pattern can eventually tracked.  The only way to really avoid being tracked is to pipe junk data into all those databases and turn that data into garbage.  (Garbage In - Garbage Out)  While no person is actively looking at your specific activity, their data collection algorithms can correlate your activity well enough to send you targeted ads.

Commented:
If he just started using incognito mode the exact same way as before and used the same session for long enough, perhaps it could be de-anonymized. But in this case, we are talking about a short-lived session to test the tracking theories - not something that is long enough to produce any pattern. Incognito mode isn't designed to be a permanent usage mode.

If he does a short test, there should be no way to correlate that test activity to his email address. While you're correct that IP addresses rotate less than they used to, there's a counter-acting factor of a surge in multiple disparate users behind single public IPs, and most people are still using IPv4. Add to that the surge in popularity of private VPNs and we start getting back to the days of faster IP rotation.

Anyway, if he gets spam after a short test, then that would indicate it's not a result of the advertiser network / big data but rather something local.
Unfortunately, many people use VPNs to bypass region locks, not ta actually make themselves anonymous.  That actually reduces the pool of real anonymous users, making them easier to track than you think.

Using a phone, makes you easy to track.  Phones are designed to be trackable.  Your one off incognito mode only buys you anonymity for that one time.  If you go back to the site, with the same device and same browser just a few times, there's enough data to correlate your activity.  By configuring your browser and web activity to attempt to make yourself harder to track actually creates a more unique fingerprint than leaving the browser alone.

I've had years of changing browsers and setting browser strings while watching apache logs to know how to basically identify myself manually from the logs.  AI can do that more easily.  Unless everyone is doing it, you'll still be easier to track than you realize.

Commented:
This is turning into an eye-rolling discussion. All I'm trying to get the OP to do is to run a short test. That's all. I don't really care that an AI can de-anonymize data from patterns that aren't even going to be a part of the test. I don't care that you can identify yourself in log files (good for you?). I'm just trying to help the OP narrow down where the issue is happening.
I'm just pointing out that if he's been visiting the same sites, he's been automatically tracked by AI.  He wants to know how he gets his scamware/adware when he supposedly doesn't do anything to get tracked.  He's getting tracked more easily than you think.

The only thing incognito/private mode gets you is reduced tracking.  It also stops saving the tracking data to your disk.  It's still running in RAM, until you completely quit the browser.  It does not prevent the sites you visit from attempting to track you.

They can send an ad just from a single visit correlation, because it's advertising that's cheap for them to do.  Don't delude yourself to believe that you can be completely anonymous on the internet.  They might not know who you are from 1 visit, but they know that you visited from that one IP address, with a specific browser fingerprint and saved that starting visit as their initial tracking datum point.
Adam DIT Solutions Developer

Author

Commented:
Well, this has been a very interesting conversation to read from both sides of the table.  Unfortunately, due to work, I have not been able to read it until just now.

I use a pseudo incognito mode (still in Chrome) by blocking all cookies unless a particular site doesn't work right or is trusted.  In which case I only allow the cookie for that particular site and not all the other ad cookies.

For example:  experts-exchange.com

Allow:  experts-exchange.com

Deny:  crazyegg, doubleclick, facebook, nr-data, secure.transfer.redsourceinteractive, twitter

That is a lot of BS (in my opinion) that I definitely do NOT need and doesn't affect my ability to use the site.

I have a static public IP address, so that obviously doesn't help.  My machines are behind NAT, but all traffic is still coming from that public IP.

Due to my location and speed (only 1.5 Mbps) I am not really able to use a VPN as it would just kill the speed altogether.  I do not have a faster option at this time.

On the phone I don't use hotspots (like McD, Starbucks, etc) nor do I use Bluetooth or any over-the-air payment systems (nor store any data like that on the phone).

The most recent issue, was a search for "eye pain" on my rooted android phone w/ firewall blocking 95% of everything on that phone (and again no cloud accounts of any kind) and then 2 days later getting spam email for "eye floaters."

I had not searched for eye pain previously and I had not received any spam for eye floaters throughout the high volume of spam I do receive, I almost want to say "ever."

So, what gave away my search?  There was no login/signup to search for eye pain, there were no emails involved (I have my own email server).  Coincidence?  I tend to think not....

I appreciate the interaction and enthusiasm on this topic and look forward to hearing both of your opinions on the matter.

Thanks. :)

Commented:
I just noticed that you mentioned your phone was rooted. That's a pretty big red flag right there.

1. There have been instances of rooted ROMs that came with malware.
2. Rooted phones are intentionally stripping away a lot of the default security, which might be what you're after but in addition to providing YOU full access, it also provides full access to malware that gains a foothold.

A firewall is not capable of stopping malware. It might block 95% of sites, but we've seen malware injected into legitimate sources and apps before. So if you either got a ROM that came with some built-in malware or if you picked something up after rooting, then that could very well be the source. You could always try installing something like Kaspersky on your phone and have it do a free one-time scan to see if there's anything on it. Granted, if it's rooted, a malware app could hide pretty well. It could just be acting as a proxy that feeds your searches out to a separate server, and it wouldn't necessarily be recognized as malware.

For what it's worth, I personally stopped rooting all my phones about 5 years ago because of the surge in mobile-focused malware, and because rooting wasn't necessary anymore to turn the phone into a WiFi hotspot (which used to be the only way to do it a long time ago). You can also optionally install from non-Play-Store locations without rooting, and most of the vendor bloatware can either be uninstalled, disabled, or doesn't take up almost any resources, so most of the old reasons for rooting just aren't applicable anymore.

In any event, I would try to test to see if searches on your phone vs. searches on your PC have different spam outcomes. For example, if searching on your phone results in spam, but searching for a separate topic on your PC doesn't, then that would be a pretty big indicator. Maybe search for some other kind of pain (e.g. foot pain, stomach pain, leg pain, etc - just work your way through the body while testing).
Adam DIT Solutions Developer

Author

Commented:
Thanks gr8gonzo.

I agree, there can be a lot of injected malware in ROMs or apps for that matter and I very minimally use apps on the phone.  My purpose for rooting, besides the bloatware, was all the internal android services that constantly call home.  I have seen various spam targeting for things both from phone searches and/or pc searches so I don't believe the problem lies in the rooted ROM.

Unfortunately just last week, I broke my phone that I have had for the past 4 years so now I have a non-rooted (not happy about it) Samsung Note 10+ which I am sure is constantly sending back information it has no business sending (I haven't looked to see if I can put Wireshark on there or not).

I'll do another test and see what happens, but I think there is something, somewhere, that is tracking my searches that is tied to an ESN, or my IP, MAC, etc.  I don't sign up for services with my primary email account, I block as much as possible when I do venture forth into the digital world and I don't use social media.  :)

Thanks. :)
Use noroot vpn to redirect all the app access to null.
Adam DIT Solutions Developer

Author

Commented:
Thanks for your help.  I have not had much time to completely research this problem and the spam I see still appears, on occasion, to be related to my systems, but I still cannot say completely at this time.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial