To track someone with Grabify, you first pick a link that would be natural to send. Then, you disguise the nature of the link by making it appear to be anything from a regular shortened link to a torrent or image file. When the target clicks or taps on the link, you capture their information as they pass through the link to the decoy.
What Can You Learn from a Tracking Link?
The kind of information you can learn from a tracking link depends on the type of link you’re using. There are two types of tracking links that Grabify can create, the default being a lightweight and nearly undetectable redirect to a decoy URL. This default option looks and acts like a URL shortener, and the average person wouldn’t notice it.
From this kind of link, you can expect to get the IP address, country, browser, operating system, hostname, and internet service, provider. For someone that’s harassed online, that alone may be enough to file a police report or press charges.
If you want to use the advanced tracking link that Grabify offers, the target will see a brief redirect page that looks like this:
Because the average user wouldn’t recognize this as something to be suspicious of, it’s generally safe to use when you need more information. Because we’re rendering a page this time, we can learn a lot more information about the user.
With the advanced tracking, we can see the battery level and whether or not the device is plugged in. We can see the make and model of the device, the internal network IP address, the time zone, screen size, and even which way the user is holding their device. This level of detail can get downright creepy and can give you the upper hand in proving someone isn’t really who they say they are.
What You’ll Need
Grabify is a web-based project by jLynx that can be accessed on any browser. While you don’t need to sign up for an account to use Grabify, it’s free, and there are some extra options available after doing so. If you like Grabify, you might like some of jLynx’s other projects, so make sure to check those out on his website.
Step 1. Find a Plausible Link to Send
For this attack to work, we need to create a scenario where it makes sense for the target to click or tap a link. There are two different kinds of links we can send, one loads a fake referral page that grabs more information, and the other is a simple pass-through link that is less visible but also records less information.
The less obvious link is the default choice, so unless we want to grab everything we can at the risk of tipping off the target, we can focus on finding a reason to entice the target to click or tap on something. Unlike a canary token, which takes you to a suspicious dead-end page, Grabify lets you choose where you want the victim to end up after they click or tap the link, making it a lot easier to prevent your target from knowing you’re setting up a trap.
There are many ways to get the link to the target, and a common one is to leave the link in a chat or email on your account, making it look like the link is important or personal. If someone accesses your account and clicks or taps on the link, you’ll immediately know.