'A sock puppet or sockpuppet is an online identity used for purposes of deception. The term, a reference to the manipulation of a simple hand puppet made from a sock, originally referred to a false identity assumed by a member of an internet community who spoke to, or about, themselves while pretending to be another person.' - Wikipedia
These fake social media accounts are used by both sides of the cyber game. You can find hackers, scammers, bots, and other cyber criminals on the dark side, and journalists, penetration testers and investigators on the other. Like any decent tool, it can be used for both good and evil. Why would YOU want to create an undercover account? When investigating, it is always a good idea to separate your real identity from the initial investigation. Otherwise you increase the likelihood that the target will get suspicious. You also run the risk of being identified and doxed, harassed, and in the absolute worst-case scenario, targeted for lethal retaliation. Depending on who the suspect is, you always need to take the appropriate countermeasures to protect your organization/agency, yourself, and even your family. Another thing to take into consideration is that many social media sites have Terms of Service (TOS) that specifically cover fake or investigation accounts. Organizations like Facebook are actively looking for these types of accounts, even if they belong to law enforcement, and banning them.
!!!DO NOT USE YOUR PERSONAL OR BUSINESS ACCOUNTS TO DO INVESTIGATIONS!!!
You should connect to a public WiFi access point and only use a VPN or Tor as a last resort. The reason is that VPN and Tor traffic is sometimes tracked, blocked, or marked as questionable by websites when creating an account. This means the likelihood that you will be able to create the account without supplying a real phone number decreases drastically. Public WiFi tends to look a bit more “normal”.
I love Tor and always have. Tor is great at offering some of the best anonymity available, and the best part is that it’s free. The mechanics of onion routing are that you are essentially moving through several different proxy servers, which minimizes trace evidence that can be used to tie the traffic back to its original source. You can easily set up a hidden service with a “.onion” address. This allows us to communicate securely with other investigators, informants or even suspects. The downside of using Tor is that it is commonly used by criminals, and many of the websites we need to investigate may be blocking traffic from Tor or red-flagging it. So, even though it offers a lot of benefits, Tor is not always good for Surface Web investigations.
There has been a ton of advertising for Virtual Private Network (VPN) services that claim they will protect your Internet traffic. This is only partly true and mostly false. A VPN is an encrypted point-to-point tunnel that allows one network to talk to another. Think of it this way. You are using a third-party VPN service; your traffic is very secure when connecting from your system to the third-party network. The traffic then routes from that server through their Internet connection. The other thousand people using the same service will also share that same gateway IP address. That sounds fine, right? Well, after your traffic leaves that service provider, it is back on the Internet for everyone else to see. This means it is naturally less anonymous than Tor. The providers may also be watching everything you do in the name of “marketing”. Free VPNs and cheaper ones are the biggest risk. The services that claim they DO NOT STORE LOGS are also usually lying or not telling you the whole truth. Within networking, there will always be logs. They are required for troubleshooting when things fail. Logs will be there; it is just a matter of how long they are kept and how they are destroyed. Some websites are red-flagging the popular VPN services.
Some people make these accounts from scratch. The more content and backstory you create at the beginning, the more direction you have to make the account look like a real person’s account. Use a password manager to keep track of everything you are creating for these accounts, including the user/pass info, and keep notes. KeePassXC is a great free, cross-platform solution that will allow you to share your password management database among multiple computers and different operating systems.
Creating an account can take some time, effort, and creativity. If you are short on any of those for whatever reason, there are resources that can help. Anyone who has played role-playing games like D&D, WARHAMMER, or other games where you need to generate a character to play, has a head start because they have done this before. There are a few resources you can leverage to help speed up the process and spit out a "character" with a lot of random attributes and content. Below is a list of resources you can use when generating your Sock Puppet persona. Just remember that all information generated is fake. You can change the data to fit your narrative:
Generating images that have a consistency to them can be a challenge. What you want to create is a realistic person with a history and consistency. It is important to NEVER use pictures of friends or family. This can put the investigation at risk and possibly them at risk as well.
Creating an email account is the base for setting up your undercover investigation account. It will be used for setting up social media accounts and for communications with suspects. Any email service will work. Here are a few:
A burner phone is extremely useful and may be required to create accounts on certain websites, along with creating a history for the persona. The reason is that the sites are trying to prevent fake accounts from being created and will send an SMS validation message to a phone. Bots rarely have their own phone numbers. In some countries, you do not need to tie your ID or passport to a SIM card or burner phone purchase. If you are in one of these countries, it is suggested to use cash only and let the phone sit for 2+ months before you activate it with a sock puppet email. Sometimes SIM cards can also be purchased on Amazon.com. Keep an eye out for deals and trial offers. Phone emulators can also work.
Generate a Voice over IP (VoIP) account with an online vendor. This will be useful for adding another layer of separation. Many online services like Google Voice require you to tie a real phone number to your account. This makes your burner phone that much more important.
In some cases, you may need to use a credit/debit card for purchases, account setups, and account verifications. If you are in a country or area that allows you to purchase these types of prepaid cards (VISA/Mastercard), use good OPSEC to minimize links back to you. You can also use a privacy.com masked credit card.
If your investigation requires cryptocurrencies for transactions, you can use prepaid cards on most of the crypto services. Exodus.com is a wallet that allows you to trade many different currencies, and its desktop software is cross-platform. An example of needing cryptocurrencies during an investigation may include fraud cases on sites like Facebook Marketplace, Instagram’s Shop Now, Craigslist, etc. You may also find them useful when purchasing content and buying services.
When creating a social media account, you want to look as ‘normal’ as possible to the website, because many of them are trying to stop people from creating fake accounts. Make sure you are not breaking the law or violating terms of service when doing this. Here are things to look at when creating your OSINT undercover accounts:
Note: You may burn UC personas when creating accounts. Just be patient and persistent. This process takes time and effort.
Like a fine wine or good whiskey, the account needs to be "aged". This means creating content and history. This will minimize the likelihood of the account getting flagged as a fake by the service provider and deleted. Become the persona. Go to the same public WiFi you created the account with to log in and generate activity. Like posts, make comments, share things, and grow your connections. Log out when you are done. This is very important and ties into OPSEC. Not logging out can leak your other networks and information to Big Data if you are not careful. The goal is to train the site that you are a real person by doing real-person things. Try to add content and history that follows the personality of the fake character. This includes finding banners with image searches. Think of banners for your social media pages, memes, and pictures from the location your persona is from. Build your account pages the way you believe your sock puppet would have. Add enough information to make it look real. Over time, keep logging into the account and adding content to build history and the trustworthiness that the account is a "real" person.
'Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.' - Wikipedia
Things always change, and you must keep improving to keep up. Make a habit of using good OPSEC. There is a saying among investigators: the suspect needs to be lucky every single time, but you only need to be lucky once. The other side can use the same Tactics, Techniques, and Procedures (TTPs) as you do, and that turns the tables on you. Now, you need to be lucky every single time and they only need to be lucky once.
Image credit: telekom.com