Featured on MTV's Catfish TV series, in season 7, episode 8, Grabify is a tracking link generator that makes it easy to catch an online catfish in a lie. With the ability to identify the IP address, location, make, and model of any device that opens on a cleverly disguised tracking link, Grabify can even identify information leaked from behind a VPN.
Whether it's an online apartment ad that seems too good to be true or a person online you have a strange feeling about, identifying red flags can save a lot of trouble early on. If you live in Canada, and an IP address in Africa lists the apartment you're checking out, you might not want to send a security deposit.
The ability to verify details like the originating device, country, or even the time zone can prove incredibly useful for identifying whether a person is honest or not about the details they share about themselves online. Combined with information like EXIF data, it's easy to compare a geotagged photo or the hard-coded device information in a file against the device that opens a Grabify tracking link.
To track someone with Grabify, you first pick a link that would be natural to send. Then, you disguise the nature of the link by making it appear to be anything from a regular shortened link to a torrent or image file. When the target clicks or taps on the link, you capture their information as they pass through the link to the decoy.
The kind of information you can learn from a tracking link depends on the type of link you're using. There are two types of tracking links that Grabify can create, the default being a lightweight and nearly undetectable redirect to a decoy URL. This default option looks and acts like a URL shortener, and the average person wouldn't notice it.
From this kind of link, you can expect to get the IP address, country, browser, operating system, hostname, and internet service provider. For someone that's harassed online, that alone may be enough to file a police report or press charges.
If you want to use the advanced tracking link that Grabify offers, the target will see a brief redirect page that looks like this:
Because the average user wouldn't recognize this as something to be suspicious of, it's generally safe to use when you need more information. Because we're rendering a page this time, we can learn a lot more information about the user.
With the advanced tracking, we can see the battery level and whether or not the device is plugged in. We can see the make and model of the device, the internal network IP address, the time zone, screen size, and even which way the user is holding their device. This level of detail can get downright creepy and can give you the upper hand in proving someone isn't really who they say they are.
Grabify is a web-based project by jLynx that can be accessed on any browser. While you don't need to sign up for an account to use Grabify, it's free, and there are some extra options available after doing so. If you like Grabify, you might like some of jLynx's other projects, so make sure to check those out on his website.
For this attack to work, we need to create a scenario where it makes sense for the target to click or tap a link. There are two different kinds of links we can send, one loads a fake referral page that grabs more information, and the other is a simple pass-through link that is less visible but also records less information.
The less obvious link is the default choice, so unless we want to grab everything we can at the risk of tipping off the target, we can focus on finding a reason to entice the target to click or tap on something. Unlike a canary token, which takes you to a suspicious dead-end page, Grabify lets you choose where you want the victim to end up after they click or tap the link, making it a lot easier to prevent your target from knowing you're setting up a trap.
- Don't Miss: Track a Target Using Canary Token Tracking Links
There are many ways to get the link to the target, and a common one is to leave the link in a chat or email on your account, making it look like the link is important or personal. If someone accesses your account and clicks or taps on the link, you'll immediately know.
In another scenario, you could trick someone into clicking or tapping a link by creating a plausible context, where sharing a link makes sense. Usually, tactics like "Is this your profile?" with a link that goes back to their profile are the least suspicious, as shown in MTV's Catfish episode.
The first step in tracking a target with a Grabify link is to find a link you think your target would expect to receive. It should be something unsuspicious when the target ends up at the URL, and it will serve as a cover for the tracking link you create. You want to pretend like you're sending them a regular innocent URL shortened version of whatever decoy link you pick.
In my example, I'll be shortening slowhotcomputer.com.
Navigate to grabify.link, and put your URL into the filed. Next, click "Create URL," then agree to the terms, to create your tracking URL link.
Grabify will generate a tracking page, complete with a tracking link and interface with information about each time someone has clicked or tapped on the link. When you first start, it should be empty, although some URL shorteners will use bots to preview the link you're shortening, and that data might show up.
Now that we have a functional tracking link, it's time to start making it look more like something our target would click or tap.
Grabify isn't exactly a subtle URL name, so part of successfully getting your target to click or tap on a link is providing a link that doesn't look too out of place. You can obscure the link with any number of URL shorteners, some of which are available right in Grabify.
- Don't Miss: Use SpiderFoot for OSINT Gathering
Below, you can see the list of URL shorteners Grabify supports. Click on "View Other link Shorteners" next to Other Links on the log page.
If the included shortener options don't suit your situation, you can always create a custom link that looks like an image file, GIF, CSV, HTML, Torrent, or ISO file.
Click on either "Click here" beside Select Domain Name or "Change domain/Make a custom link" in the New URL box, then check out the "Extension" drop-down. You can make it look like you're sharing a file rather than a referral link, which may work better to trick the target into clicking or tapping on your link.
In this custom link menu, there are also options to a different domain from one of the ones provided by Grabify, provide a custom path, and give a custom parameter.
Once you generate a shortened link or a custom URL disguise, you're ready to present it to the target. Once the target clicks or taps the link, an entry will appear under the "Results" section of your log page.
Now, open your target link and see what you get. In the default configuration, you don't use a fake referral page, so you don't get the most information possible.
You should see a detection on your management portal (you may need to refresh the page), and you can select it to view more details. As you can see in my example below, I have the essentials, like the location, IP address, and information such as the internet service provider and operating system.
To kick things up a notch, you can enable the "Smart Logger" feature by clicking the toggle switch on the web interface. The toggle enables a fake tracking page that will be able to extract a lot more information.
Once "Smart Logger" is enabled, open the link again and take a look at the recorded information. This time, you should see a lot more information.
This extra information can tell us a lot. For one, in my example, the internal IP address tells us that this person is likely connected to a VPN, as a standard local IP address would probably look like "192.168.0.2" or something similar. We can also see more information about the specific device that made the request, as well as the screen size and browser extensions installed.
You'll also notice that you can learn if the battery is charging and what battery level is. It could allow you to track a person over a short period, with their battery level either increasing if charging or decreasing if not charging, which could identify the device uniquely. Another overlooked value is the language and time zone, which are often set by the system.
In some cases, we can see the make and model of the device making the request, allowing us to pinpoint the hardware used by the target. Any of these details may be enough to bust a catfish, either by revealing them to be in the wrong state or country, showing a device different from the one the person uses in their (probably fake) photos, or by showing a time zone that makes no sense for where they claim to be.
The tracking technology behind Grabify and other online trackers is powerful, but it isn't impossible to defeat. Much of the information obtained by Grabify is from the user-agent string, so using browser add-ons to change your user-agent string can make you look like a different type of device. With a different user agent, you can hide a lot of your details from a Grabify tracking link. Using a VPN and browser extensions, I was able to mask the country, IP address, and other information about my device.
What I wasn't able to immediately change was my time zone and language, which are set by the system and weren't affected by the VPN or the browser extensions. Because my internal IP address showed a VPN connection, it's likely someone tracking me would assume my information is fake except for my time zone and language. That alone would narrow down my origin to the US and Canada, undoing much of the hard work I put into faking my location and IP address. Because of those types of leaks, it's essential to be aware of the way links like Grabify track you on the internet and what kind of details can give you away.
I hope you enjoyed this guide to using Grabify to generate tracking links! If you have any questions about this tutorial on catching catfish or you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.