Sockpuppet Accounts – Where to Start?
In OSINT, a sockpuppet is far more than just button eyes on your old and smelly foot garments.
CyBeer of The Week: St. Austell Proper Job
Metal Artist of The Week: Mudvayne
Welcome back to the most exceptional cyber intelligence blog that originates from my brain. It’s Monday, so that means I have some more ramblings for you! How did you ever cope before this? I don’t know either.
So, as is tradition, this week we’re opening a beer. And my friends, it’s a classic. Proper Job is arguably the finest British-style IPA that’s widely available. Zesty on the nose, great bitterness and a wonderful mouth-feel. It’s an absolute stunner.
It also has an older brother called Big Job, which is hoppier and maltier and a punch in the face. It’s phenomenal. Try and get your hands on both and see what I mean! I’m waiting for Giant Job and Insane Job in due course, get on it St. Austell!
I’m also nominating you some amazing metal to join the fantastic beer(s), and that’s the incomparable Mudvayne. These guys are one of my all-time favourite bands, and I’m desperately hoping they’ll come back together one day soon and drop a new album.
They really evolved their sound with each album, and I’m confident after an extended break they could come back and melt my face off with some new bangers. That’s the second reference to getting some pain in the face already in this post. Shall we move on?
That’s a nice sockpuppet you have there, be a shame if someone…. Deleted it…
So I wanted to talk about setting up sockpuppet accounts (aliases, research accounts, fake accounts, “my stalker account”, or whatever you might call them). Similar to last week’s post on getting into intelligence, I see quite a lot of questions and discussions online about setting up and using sockpuppet accounts, and what the best way to do it is.
Back to basics
Let’s start with the basics. A sockpuppet is an account that does not belong to a real person. There are a few reasons why you’d want to use sockpuppets when conducting research (be that into people, organisations or cyber threats). These include, but aren’t limited to:
Disguising who you actually are.
- For your own OpSec (operational security). This usually applies when you’re looking into things that could come back on you personally, such as terror groups, cybercriminals or organised crime.
- So that your personal account isn’t linked to what you’re investigating. Fairly self-explanatory, but I wouldn’t want my Facebook friends to see a sudden interest in something dodgy.
- Using a fake account allows you to create a persona that fits a specific purpose. You might hate cute puppies (if you do, have a word with yourself), but if your target loves cute puppies, then you might need to join a load of pages or groups etc. You can easily create a persona that could better align with a potential target.
- Don’t mix your real friends with people you’ve befriended for investigative purposes.
Creating sockpuppet accounts on sites you don’t use.
- You might not like a particular site or have no use for it personally, so for your investigations you use a fake persona.
- You’ll likely need to create accounts on foreign-language sites, and it’s easier not to stand out if you use a fake persona that better fits with the target audience.
Protecting your personal account.
- This differs from disguising who you are, in that it’s common for sockpuppet accounts to get locked out of or banned from certain sites. We’ll discuss why that happens later, but you wouldn’t want to lose your personal account if you could avoid it, right?
It’s just best practice.
- Using a false persona for your investigations is best practice. No ifs or buts: you don’t want to use a real account that can be tied back to you if you can avoid it. Of course, on the largest Western social media sites it’s unlikely someone figures out you looked at their profile (LinkedIn notwithstanding), but why take the risk when you can easily avoid it?
Is it legal?
Of course, having a false account isn’t in itself breaking any laws, but it likely does violate the terms and conditions of some sites, and some would argue that if you have to log in to a website, whatever you’re doing ceases to be OSINT.
I’m afraid I have to disagree with this view, on the basis that needing a login doesn’t mean the information isn’t open. You do, of course, need to remain ethical when conducting your investigations. Always think about the necessity and proportionality of what you’re doing with regard to the investigation. That means steering clear of anything that could breach the Computer Misuse Act (CMA) in the UK or your own geographical equivalent, for example trying an individual’s breached passwords on websites to get into their accounts. DON’T DO THAT.
You are also very unlikely ever to need to engage in HUMINT (Human Intelligence) during an investigation. If you do find yourself in that position, you should have appropriate training and understand the risks associated with that kind of activity.
Definition is key
Your investigations should always be defined, and you should have a clear scope on what your requirement is. If, for example, you’re researching a company, you wouldn’t find a random staff member on social media and start investigating their family members. You might identify the CEO’s social profiles, and maybe their partner’s, as a malicious actor would likely use this information, so you may wish to advise on cyber hygiene practices. But of course, this is all very dependent on the investigation you’re doing at the time.
I also think that you need to follow your own moral compass. You should always be questioning if your investigation is meeting the intelligence requirement and re-assessing if you’re unsure. Likewise, if you get asked to do something you’re not comfortable with, you should raise this in the appropriate channels and with trusted peers to get an unbiased opinion. If necessary, you should then consider speaking to a law enforcement agency. Hopefully, that would never be the case, but if you follow your moral compass and apply some common sense, you will be magnificent.
Sounds good, I’mma fire up Twatter and sockpuppet
Before you go head-first into becoming Sally/Dave/X Æ A-12, you need to make sure you’re using the appropriate tooling to build and run your profiles. We’re going to talk about building a single persona that remains constant across all the accounts you set up. With this in mind, you’ll need the following:
- Desktop/Laptop with up-to-date web browsers and software updates.
- A Password Manager to generate passwords and store them securely.
- Mobile Phone (ideally a standalone phone you could use solely for your persona)
- PAYG (Pay as you go) SIM card(s)
- Outline of your persona (name, location, date of birth, some biographical information)
- Patience. A lot of it, and a deep passion for text message verification
Most of this will be self-evident, and we’ll delve into the details. However, you’re probably wondering about VPNs, Tor and VMs at this point. These are all valuable resources, and you should be using them as best practice depending on what you’re doing and the risk associated. However, for account creation, I would strongly advise you to avoid all three. Some of the largest sites appear to be able to detect VMs, and they will definitely be suspicious of Tor and VPN usage at account set-up. If you want, or need, to use those technologies for your investigations, make sure the account has been established for a while before you introduce them or start conducting investigations.
So let’s set up some sweet, sweet accounts.
So you’ve got yourself ready. For this process, we won’t use a VPN, Tor or a VM, as outlined above. Consider using a clean browser (it doesn’t matter which, but take the time to create a dedicated profile in your browser of choice). The beauty of browser profiles is that you can apply unique settings to each one. So, for example, the persona I use primarily for OSINT (and what I’ve used for the Trace Labs events) has a browser profile that deletes all browser data and resets when it’s closed. In a lot of ways, it’s the same functionality as using Incognito or Private browsing modes, but you can add your own extensions and settings on top. Highly recommend this approach.
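As an added example (not from the original post, and not the author’s own setup), here is one way to build the “wipes itself on close” browser profile described above, assuming Firefox. Firefox reads preferences from a `user.js` file inside the profile directory, and its `privacy.clearOnShutdown.*` preferences control what gets sanitised at exit; the `-profile` and `--no-remote` flags point a fresh instance at that directory without touching your personal profile. The helper function names and the profile path are mine, chosen for illustration.

```shell
#!/bin/sh
# Hypothetical helper (added example): writes a Firefox user.js into a
# profile directory so that every shutdown wipes cookies, history, cache,
# sessions, downloads and form data. Extensions live in the profile and
# are NOT cleared, which is the advantage over plain private browsing.
# Assumes Firefox; the preference names are Firefox's own.
write_osint_userjs() {
  profile_dir="$1"
  mkdir -p "$profile_dir"
  cat > "$profile_dir/user.js" <<'EOF'
// Master switch: run the sanitiser on every shutdown.
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
// What to sanitise.
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.sessions", true);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
// Don't resume the previous session on start-up.
user_pref("browser.sessionstore.resume_from_crash", false);
EOF
  printf '%s\n' "$profile_dir/user.js"
}

# Count how many clearOnShutdown settings are enabled in a user.js,
# so you can sanity-check a profile before trusting it.
count_clear_on_shutdown() {
  grep -c 'privacy.clearOnShutdown\.[a-zA-Z]*", true' "$1"
}

# Launch Firefox against the isolated profile. --no-remote stops it from
# handing the URL to an already-running instance of your personal profile.
# Only run this on a machine with Firefox installed.
launch_osint_profile() {
  profile_dir="$1"
  shift
  firefox -profile "$profile_dir" --no-remote "$@"
}

# Example usage (path is illustrative):
#   write_osint_userjs "$HOME/.osint-profile"
#   launch_osint_profile "$HOME/.osint-profile" https://example.com
```

Create the profile once, install whatever extensions the persona needs while it is running, and from then on every close wipes the session state while the extensions stay put. Check the file with `count_clear_on_shutdown` after any Firefox upgrade, since a migrated profile can overwrite hand-written preferences.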
One thing to consider, assuming you have a phone you can use solely for a sockpuppet, is to create an email address for it first using your desktop. Then, using either a factory-fresh or reset phone, set the phone up with your alias’s details and email address. From there, you may want to download and install the apps you need for your persona, as well as additional apps that you’d expect that person to have on their phone.
Remember, the fingerprint you leave behind on any device could be used to detect your activity, so make it look as natural as possible (maybe don’t have a folder called OSINT with all your social apps in it). It probably makes sense to use the phone to create the profiles as well. You should definitely use MFA (multi-factor authentication) where you can, and you should probably consider linking the accounts together (just like you would for your personal account).
Strike the pose
Now we’re starting to become a person. But you need some pictures, right? This is where it gets tricky. You might be aware of sites like This Person Does Not Exist, but frankly, the photos it generates are hit and miss and can be detected by the largest social media sites. It’s best practice to edit them so they aren’t so perfectly structured. Ideally, you want photos that could conceivably be your persona without giving too much away.
For shots of a face, you might want to think about some facial morphing software (such as Artbreeder) to see if you could combine two people to create a new individual, or, as a last resort, use a real person’s photos and edit them so that they’re unrecognisable. I’d recommend avoiding that last one, though, on ethical grounds.
You can get away with only having a couple of images of someone’s face. So, if you use the face-morphing approach with the same two source people, you can probably get enough variety in angle to edit other photos, and everything else can be back to the camera, face covered etc. It’s not an exact science, but for most investigative purposes, it should suffice for covert research. Also consider using photos you take yourself for content updates (perhaps from the same phone you use to manage the sockpuppet).
Obviously, you want images that you can infer are the person who posted them, so things like the back of a head, a pet, a landscape or other subject. If you’re handy with photoshop, then I guess you could try to manipulate any faces to look like the sock, but that’s unnecessary in my opinion. Simple shots from behind and of other things can usually suffice.
Right, I’m in… Now what?
So now we’re set up and logged in. You want your account usage to look as normal as possible. You should have friends. You should post and comment on things, like and share content, play games, join groups etc. If you behave and act like a real person, you’re less likely to find your account locked out, as you don’t raise suspicion. Also try to use email providers that won’t set off alarm bells, so stick with the ones you’ve heard of that people actually use. Take the time to establish your account and build a profile before you start going Columbo on Instabook. Less is more.
Now you’ve got the account set up and established, you can start thinking about how you access it. You might want to use a VM or VPN. I think for general OSINT, using a browser profile in a native OS is fine and (so far, touch wood) I haven’t had any issues with this approach. But if I were to look at something dodgy, I would create a new persona, possibly specifically for that one task. Nobody said this was a quick and painless process, after all. The approach you need for any investigation should be considered at the outset. So get used to having a stack of PAYG SIMs lying around. And possibly, cheap smartphones!
This consideration also applies to VPN use. A large number of sites block traffic from VPNs, Tor and proxies, and those could be sites you need for your investigation. Of course, this is entirely dependent on the risk to you and your organisation if your real IP were to be exposed. You could always consider using a 4G connection rather than WiFi. It’s all about understanding the balance between risk and security, and what you need to meet your requirements.
My account has been locked. What can I do?
In this situation, mostly not a lot. Sometimes having MFA set up is enough to get you back in, but if your account is locked and you get the dreaded (photo ID) request, it might be game over. There is no exact science to this process: accounts could survive forever, or be immediately banned. I promise, though, that if you follow the steps I’ve outlined above, you give yourself the best possible chance of survival for your sockpuppet.
As always, I’m keen for thoughts and opinions on this matter, and indeed any hints or tips you can share with the community. So please post or comment in the usual places. As for me, I’m going to turn up Mudvayne and open a beer.
Until next week.