I'm helping a friend with a white-hat type project. He is gathering evidence to expose a fraudulent online business. I would like to help him interact with their site and purchase services such that the bad guys will be unable to trace any of his actions back to him by IP or cookie or anything. I was hoping someone might help me come up with a good plan.
I will need to:
register a phony gmail account
access their website using a browser and create an account
confirm my account with the phony gmail account
purchase services from their website online with a prepaid debit card (no contraband or anything dangerous or illegal)
I was thinking of creating an amazon EC2 instance running windows and using remote desktop, then deallocating the machine after each visit. Does that sound secure enough? If I create an EC2 instance running ubuntu, can I use Ubuntu remote desktop to access it?
I've heard of Tor but understand that I must install a client locally which sounds fishy to me.
