Stitching Together a Useful Sock Puppet Account
Originally Posted in 2023
After finishing up TCM Security's OSINT module last week, I wanted to expand on a few topics in a little more detail. I'm starting with sock puppets because I struggled to find a comprehensive blog produced in the last 6 months, especially knowing that new tools come out often and social media platforms change so much.
In the cybersecurity world, a sock puppet account is a fake account that is used in OSINT and other investigations to do research and even converse with targets. I have some significant experience with sock puppets, and although that may make me sound like a weirdo, bear with me. I have created a number of sock puppet accounts to chat with romance scammers, done reconnaissance for a number of pentests, competed in OSINT CTFs, and am just naturally cautious about people online, so I have used sock puppets in a multitude of ways for my own research.
This takes us to the most important idea to consider when making these accounts: what is this sock puppet for? The answer splits, very much, depending on the intent of the user. Disinformation bots, catfishing, sextortionists, troll accounts, romance scammers: these are just some of the reasons someone with malicious intent might make a sock puppet account. I will not be going into detail on how to build out these types of accounts. Further, if you're creating sock puppets for mischief, I wish you 40 years bad luck.
For those doing good, sock puppets can be a powerful way to hide a helpful identity or to perform research/reconnaissance (see @SwiftonSecurity on Twitter). Common questions to help build out the sock persona:
What is my primary goal with this account?
Does the sock puppet need to be male, female, or can it be other?
How long will I need this account?
Will this be the only account I need to achieve my objective or will there need to be others?
How will my sock interact with people, how will they speak? If the persona is that they are born and raised in New York, you'll need to come across as a New Yorker.
Ultimately, practitioners who spend time on this "why" and on the psychology behind their sock puppets will have high levels of success with them.
Save those fake eyeballs for DEFCON and no we won't need any old socks.
Most Important: Sock puppet accounts should not trace back to you in any way, not to your IP address or phone number. They shouldn't connect to your other social media accounts or use actual photos of you, your family, or anyone real. Here's what you will need to be successful with sock puppets.
Potentially $$:
A separate phone number. I will set up a separate line or use a Google number, based on the need. Meta, for instance, seems to freeze accounts more often if they use a Google number. Maybe obviously, don't commit too much to these numbers as you'll likely burn them at some point.
A separate machine that you are not using for other work and that has enough power to run virtual machines easily. The Trace Labs CTF VM has a lot of great tooling built in already: https://www.tracelabs.org/initiatives/osint-vm
A VPN - do research here to find one that fits your needs. Here's a referral link for PIA - http://www.privateinternetaccess.com. You can also rock free trials but just be careful.
Burner credit card/crypto.
No $$:
Social media accounts
Encrypted email
Password manager
Note app
Wifi phone number
Fake photos
Burner Amazon account/other accounts as needed
For fake photos, I've used a handful of websites to generate profile pictures, mostly sticking to https://this-person-does-not-exist.com/en. Just be careful to refresh until you get something that looks real, because monstrosities like this will happen.
If you don't want to spend time creating a persona, platforms like https://www.privafy.me/sockpuppet/ exist (s/o to Keaton Fisher for the find here).
Echoing Heath Adams from the course, I want to highlight one part again: one of the most important non-technical skills in an OSINT investigation is the ability to get and stay organized. In the past I've used Notion or OneNote. Whatever you use, make sure you have a way to find information easily; it is also very helpful to be able to create templates so your sock puppet accounts stay consistent. I've actually been on phone calls with scammers and needed to quickly recall specific details about my sock puppet account, so that organization of details has been critical.
A solid sock puppet (and especially a community of socks) can take quite some time to set up. Establish these well in advance of the time you are going to use them, and be careful not to add connections too quickly or message others too often, especially at first. Many a sock puppet has been sent to cold storage due to impatience. There is nothing worse than trying to set up a sock puppet in the middle of an investigation or project while trying to trick the AI on the other side into seeing you as legitimate.
Bringing that puppet to life.
General tips, all helpful:
After the persona is fully created, create the accounts for your sock: email, LinkedIn, Instagram, blog. The depth depends on your intent. For romance scammers, you need very little: 1 account, you're phishin' for a scammer boyfriend (or girlfriend).
OSINT your sock puppet before launching it. Look for flags that you yourself would find alarming and fix those things. Do research on yourself, it goes back to setting up a history on yourself.
OSINT your sock puppet the whole time you are using it. Don't sleep on Googling yourself ever, but especially if you end up having a higher profile sock puppet. You are going to want to know if you need to change up your procedures.
Unstitching the character.
One simple sentence here - take notes on what you do so that when you need to burn your character you just go backwards. Simple!
Identifying and defending against sock puppet accounts.
I have not found a better explanation of identifying bot/sock puppet accounts than this: "Bots and sockpuppets are best identified through five key features: IP-based correlation, temporal-based correlation, signs of automation in metadata, social subgraphs, and content similarity. However, just because two bots share similar features doesn’t mean they operate in the same way. Techniques that identify one type of bot network may be totally ineffectual at identifying another network." - Daniel Kats Norton
And if you're like me, trying to think like an attacker, you'll have taken note to be careful of the five things above.
Use platforms like https://botsentinel.com/ or https://botometer.osome.iu.edu/ to check on specific usernames. Check on yourself and check on who you are talking to.
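As an added example (not from the original post or from the quoted author), here is a sketch of how a defender might combine three of the five features quoted above, IP-based correlation, temporal correlation and content similarity, over post records. The events, account names, thresholds and function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample events: (account, source IP, unix time, post text).
# IPs are from documentation ranges; none of this is real data.
EVENTS = [
    ("acct_a", "198.51.100.7", 1000, "Great product, changed my life, buy it today"),
    ("acct_b", "198.51.100.7", 1004, "Great product, changed my life, buy it now"),
    ("acct_a", "198.51.100.7", 2000, "Totally agree with this review"),
    ("acct_b", "198.51.100.7", 2003, "Totally agree with this review!"),
    ("acct_c", "203.0.113.9", 5000, "Anyone know a good hiking trail near Denver?"),
    ("acct_d", "203.0.113.50", 9000, "Great product, changed my life, buy it today"),
]

def shingles(text, k=3):
    """Set of k-word shingles, case and punctuation ignored."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if not words:
        return set()
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def pair_signals(events, window=10, time_min=0.5, sim_min=0.6):
    """Map each account pair to the set of correlation signals it trips."""
    ips, times, grams = defaultdict(set), defaultdict(list), defaultdict(set)
    for acct, ip, ts, text in events:
        ips[acct].add(ip)
        times[acct].append(ts)
        grams[acct] |= shingles(text)
    out = {}
    for a, b in combinations(sorted(ips), 2):
        sig = set()
        if ips[a] & ips[b]:                         # IP-based correlation
            sig.add("ip")
        # Temporal correlation: share of posts landing within `window` seconds
        near = sum(any(abs(t - u) <= window for u in times[b]) for t in times[a])
        if near / max(len(times[a]), len(times[b])) >= time_min:
            sig.add("temporal")
        if jaccard(grams[a], grams[b]) >= sim_min:  # content similarity
            sig.add("content")
        out[(a, b)] = sig
    return out

def flagged(events, min_signals=2):
    """Pairs tripping several signals; one signal alone is weak evidence."""
    return {p: s for p, s in pair_signals(events).items() if len(s) >= min_signals}

if __name__ == "__main__":
    for pair, sig in flagged(EVENTS).items():
        print(pair, sorted(sig))
```

In the sample data, acct_d reposts the same text as acct_a but from a different IP and at an unrelated time, so it trips only the content signal and is not flagged, which is the quote's point that one technique will not catch every network.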
It's good to always be researching new tools and platforms; there's really cool stuff being launched all the time that will assist you with your puppetry. One of my recent thoughts was to see if I could customize a sock persona using a platform like Midjourney, but I don't think we're quite there yet in terms of the prompt recognition. If this blog is older than 6 months, I would suggest you do your due diligence and go Googlin' for new techniques and things.
Most importantly, there is 100% a correlation between f*ing around and finding out so have fun and play and experiment. You can mess up but you can't fail when it comes to sock puppet accounts.