Jake Creps - Sock Puppet
Creating an Effective Sock Puppet for OSINT Investigations
Note: extracted from wayback machine to have as another archive.
Jake Creps, Guides. Published November 2, 2018, updated November 3, 2018. 7 minute read.
Introduction and Philosophy
In light of the recent epic failure by Surefire Intelligence to frame Robert Mueller with fabricated sexual assault allegations, I feel it’s important to discuss and unpack how to make a good sock puppet for OSINT operations. If you aren’t familiar, just google Jacob Wohl or Surefire Intelligence and you will be flooded with information about the scandal. For details on how Wohl’s socks unraveled, check out Aric Toler’s thread on Twitter (@arictoler) from Bellingcat.
Now, without further ado, let’s get started on constructing a sock puppet for OSINT investigations. To get started, I want to properly define what a sock puppet is and what it is not. The internet (already a skeptic) defines a sock puppet as “an online identity used for purposes of deception”. This clearly refers to the traditional sock puppet, with an unknown ‘master of puppets’. I’d like to add a bit of clarity to that definition though. Sock puppets aren’t exclusive to deception operations, they can also be used for privacy and OPSEC for an investigator, journalist, penetration tester, etc. OPSEC online not only protects the investigator, but it also protects the target in the case that the evidence provided leads nowhere. So, how do you make a sock puppet that won’t embarrass you like Jacob Wohl and Surefire Intelligence?
The first thing you have to do is clearly define your intent. You can create a fake persona, or you can create an avatar that is obviously not a real person and whose stated reason for existing is OPSEC. Let me elaborate. Say you choose option 1 and create a sock puppet named “Eugene Shoemaker”. Eugene Shoemaker doesn’t exist, so you have to build an entire identity around Gene for the account to look authentic. This takes a very long time, is very difficult, and has a higher chance of failure. And if this sock is discovered, all of that work has to be deleted and you have to start over. If you can pull it off, this is the most effective way to operate. But not everyone is patient. That’s why there’s option 2.
Option 2 is creating an avatar that’s focused around an idea rather than a unique identity. Examples of this include @ShakiraSecurity on Twitter or @DutchOSINTGuy. Everyone knows Shakira isn’t involved in the infosec community. They also know that that account isn’t Shakira. But that account is still a trusted source on Twitter when it comes to OSINT and infosec conversations. That account has over 500 followers. That account has a function and has built trust. That account was easier to create than a blank slate.
For both options it’s recommended to create content, add media (photos, videos), interact with others online in an authentic way, create multiple social profiles, convince others to vouch for you, have a phone number, unique IP, email address, etc. But more on that later.
But enough on theory and philosophy. Both options are viable and, once again, it depends on your intent and the scope of your project. If you have a large scale operation, you may create a community of sock puppets that interact with others and each other to create influence that has leverage. Let’s get into the details on how to set this up.
The Setup
Depending on who you ask, there’s an endless list of things you can do to remain anonymous while conducting investigations online. You can go extreme and jump down the Michael Bazzell rabbit hole, or you can have a little less attention to detail and still do fine. If you’re interested in a nearly foolproof system, check out his book Hiding from the Internet. If you’re asking me how to create a successful sock puppet, I’m more of a subscriber to the Pareto Principle; I also don’t have as much to lose if caught during an investigation as others may (back to intent). Here’s the 80/20 on what you need to get started.
- A dedicated computer that is only used for investigations
- Encrypted Email – Use Proton Mail
- A burner phone number (expensive) or a wifi phone number (cheap or free)
- A social media profile where your target is most active (choose option 1 or 2)
- A couple different virtual machines
- A blog or website (you can use a free blog like WordPress, Blogger, or Medium)
- A VPN (you should probably have one anyway)
This is just a starting point. You will have to customize your avatar as you go along to maintain or add credibility.
Dedicated Computer
Having a dedicated computer is an absolute must. You don’t want anything you are doing under your avatar to somehow be linked to your personal, real account. Not only will this reveal that your sock puppet is indeed a sock puppet, it may link your real identity to it (see the Surefire Intelligence fail). This computer doesn’t have to be expensive; something as simple as a Raspberry Pi or a cheap laptop will do. Combined with the other tools discussed below, this machine should not be linkable to any other computer on your network, and nothing from your real identity (logins, saved passwords, browser profiles) should ever touch it.
Encrypted Email
This is generally a best practice in the OSINT and infosec community. It may be enticing to use Gmail because of the vast number of free tools and the seamless integration, but don’t do it. Google tracks you, and even if you provide false information it will eventually link the account back to you. Proton Mail is the name brand in encrypted email. There are other options, but go with Proton Mail if you haven’t experimented with any of them before: the interface is easy to understand and it doesn’t require any advanced setup.
Phone Number
If you can, get a very cheap phone plan dedicated to your avatar. Cheap plans such as Mint will get you the basics for close to single digits a month. If you don’t want to spend the cash, consider getting a wifi-based phone number from a service that doesn’t recycle numbers every month. Google Voice is a good option. Keep in mind that many of these services (Google included) ask for your primary phone number when signing up, and that number ties the avatar straight back to you. If you’re very concerned about privacy, find one that doesn’t.
VPN
It’s important to mask your IP when doing OSINT research online, and the simplest way to do that is a VPN. The “number one” VPN changes frequently, so depending on when you read this the answer could be different. I’ve used ProtonVPN, Windscribe, NordVPN, and Private Internet Access. Pick one that values your privacy and has an interface that works for you. Make sure the VPN lets you change exit IPs regularly so you don’t establish a pattern across logins or interactions, and never log into a sock without it; a single session from your home IP is enough to tie the sock to you.
Now that you have a dedicated computer, encrypted email, phone number, and VPN, we can get to the fun part. You can use all of your information (email, phone number) to create your social media profiles of choice. Since you’re starting from scratch, it’s important you start interacting in an organic way. This could include following people, posting links, doing status updates, interacting with people in the same niche as your target, etc. This process will take a long time if you do it right. If you’re really skilled, your target will come to you. I recommend creating multiple avatars with multiple emails and phone numbers to decrease your risk and to deploy them in different ways. More on this later.
Virtual Machines
Virtual machines are a great way to create an additional layer of privacy. You can also use them for specific tools in your OSINT investigation. I recommend starting with Buscador as it offers a wide variety of OSINT tools. You can also experiment with Windows VMs to access tools like FOCA and other Windows specific tools. Experiment with Android emulators to take advantage of mobile apps. Nox is an excellent emulator to get you started.
Blog
If you want to go another layer deep on your avatar, create a free blog on WordPress, Medium, or Blogger and link it to your social media profile. Generate content both on social and your blog to increase credibility. After a period of development, you will have a complex character that’s believable and valuable.
Chrome Extensions
Part of remaining anonymous on the web is blocking tracking. The two extensions I’d recommend off the top of my head are AdBlock and Disconnect. They stop ads from tracking you and block the requests that social media sites’ embedded buttons and scripts make from other pages. Combined with a VPN, you should have what you need to search safely. Keep in mind that neither extension changes your browser’s fingerprint (screen resolution, fonts, time zone and the like), which is why the dedicated computer and the VMs still matter.
Bonus
Once you’ve developed all of the above, you may want to verify yourself on Keybase and get involved in other venues such as Slack channels or Rocket.Chat servers. This gives you a way to open a dialogue with your target or their associates in an environment separate from social media.
Things to Consider
It’s important to remember that you should be very careful before deploying your sock puppet. If you use it too soon, you’ll lose credibility with your target or associates and you may not recover. I recommend setting goals such as a certain number of Tweets, followers, blog posts, or months before creating a plan to use it. With that being said, the intent of your sock puppet should be dictated by the influence it creates organically. Don’t steer your sock puppet in an unnatural direction. Let it grow organically and deploy it in the direction it develops on its own. That’s why it’s important to have multiple accounts.
Another thing to consider is forensic linguistics. Make the content you create on your sock puppet account as distinct as possible from your personal writing: vocabulary, punctuation habits, sentence length and posting hours all give you away. That said, so long as you’re not doing anything incredibly controversial, people won’t question your motives and investigate your identity anyway. Constantly collect OSINT on your sock puppet and reverse engineer your own creation: reverse image search its photos, look up its domain in WHOIS, search its username and email across platforms. Have a friend or colleague take a look and see if they can unmask it. Do all of this before deploying the sock.
Some of the mistakes Wohl made were using stock images that were easily traceable through reverse image search, not using WHOIS privacy during domain registration, using his socks too soon, and not collecting OSINT on his own personas before deployment. Read Aric Toler’s write-up for the lessons learned.
Further Research
This post is closing in on 2000 words, which is quite concerning to me. The OSINT community is already saturated with long form content that’s difficult to digest. Keeping that in mind, I’d like to conduct an experiment of my own with this process and share the results in another medium. I’ve been talking on Twitter about how I want to write an OSINT related book. I think this is it. I’ll be keeping everyone updated on the progress of this as I set up my sock puppet ecosystem, document, and write the results. Use this post as an introduction to the process and a precursor to the book.
Comments:
On the VMs – to increase distance from the “real you” – change screen resolution and fonts to prevent fingerprinting (etc.). Turn WebRTC off. Also – unbalance your keyboard legs or spin the keyboard and type at a weird angle. (Maybe switch to Dvorak for the puppets??) Maybe extreme, but helps throw a wrench in “keystroke dynamics”. The puppet will always be hunt and peck and “real you” will always type as real you normally does. If you have a predictive typing app/plugin (à la mobile keyboards) – train the keyboard app to suggest phrases that the real you never uses. That is – prime the predictive typing with the alter ego’s linguistic preferences.
The Art of the Sock
Source: secjuice.com/the-art-of-the-sock-osint-humint
(Archived here for easy access. If you see this and want me to remove it, just let me know.)
Sock puppets are where the OSINT rubber meets the HUMINT road, but you need to be good at using them to survive in the infosec jungle.
Guise Bule
Aug 12, 2018 • 9 min read
Social media is infested with sock puppets, influencing what we think in a million different conversations across different social platforms. Some are employed by nation states and used to influence politically, others by private corporations attempting to influence the conversation around their brands. Some are much more sinister, set up to deceive and defraud. Then you have people like me, OSINT investigators who like to put on a nice clean pair of socks before they go to work and engage their targets.
Wait, That’s Not OSINT Though Is It?
What’s that investigator? You thought that you would be purely gathering intelligence from publicly available information? Oh my sweet summer child.
I am sorry to tell you that OSINT and HUMINT go hand in hand these days, because OSINT can only ever get you so far. HUMINT is a natural extension of your OSINT work, especially when you are investigating fraudsters: there are only so many public-facing signals they give out. If you really want to get a feel for your targets, you have to get your hands dirty, touch your target and social engineer your heart out.
To be an effective investigator you need to master the art of the sock and learn how to engage your targets on social media while wearing socks.
What Is A Sock Puppet?
My favorite definition of the term ‘sock puppet’ comes from the Oxford English dictionary “a person whose actions are controlled by another; a minion”, I just like the word minion though. A more accurate definition from an OSINT perspective would be “a social persona worn when engaging the targets of your investigation”.
A fully fleshed out sock puppet is a social persona that has a credible social history across different social media channels. In my case, I had need of a fully fleshed out sock puppet for an OSINT investigation into the operators of an ICO, for and on behalf of the investors in that ICO. You already know that the ICO was scammy and I am far too discreet to discuss the details, but it’s worth using as an example of how to properly nurture your sock from its birth to its eventual death.
Think Long Term
The Art Of The Sock is a long term game, if only because nothing screams sock like a freshly coined social media account. This means you have to think long term when it comes to growing a fully fleshed out sock account: you have to start growing and nurturing them long before you will actually need them. Of course you need more than one; they are disposable and you should only ever use a sock once, then throw it away as if it were a cum stained wank rag (my apologies).
By credible social history I mean that your sock has to behave in a consistently credible way over a period of time, the longer the better. The more social history your sock has, the more convincing it will be when you come to use that sock. By social history I mean a convincing breadcrumb trail of consistent activity, one that looks like the activity of a real person on social media. Your socks do not have to be the most prolific posters, but they should engage in regular, publicly visible, activity across different social media platforms.
Whatever you do, do not interact with any of your other accounts, contacts or peers. Your socks should be standalone entities in their own right.
When I say a credible history across platforms, I mean that they should have a LinkedIn profile with a credible looking work history, a Facebook profile with some pictures of your sock having fun in different places, or sharing whatever they are into with their friends. It should have an active Twitter profile that engages with its community in a genuine and consistent way.
You noobs with your two month old Twitter accounts aren’t fooling anyone; it’s the sock masters with the properly grown and nurtured personas who are smashing up the sock world out there. When those guys turn their fully fleshed out socks onto a target, they are both credible and convincing. Sock masters never automate anything, they give an authentic touch to every publicly visible action and you just cannot beat it.
Within dark rooms in foreign corners of the world, ‘sock master’ is actually a real job description and people devote their working days to growing and nurturing sock accounts to hand off to others for use in information warfare campaigns. To call them all sock masters though would be a lie, most of them are sock herders at best and if you watch closely, you can see the handovers in the socks behavior.
TL;DR Start growing your socks now in case you need them one day.
Men Are Stupid
When it comes to socking them out of the ballpark, it’s better to be a woman than a man, because men are stupid. Unless they are savvy, the vast majority of men are hugely vulnerable to a direct approach from a pretty girl. It’s absolutely fucking ridiculous in fact, and it made me never want to trust women online unless you first validate their existence via a webcam session. Social metadata validation cannot be trusted, and even when you video validate they could have hired a prostitute to play the part.
And what do you do? You share far too much information with that cute girl. Goddamnit, what the hell is wrong with you people? Blabbing about your business to random girls on the internet, you deserve to be uncovered as fraudsters. The same applies to you idiots trying to recruit: you may want to consider not sharing the working details of your operation with that hot blonde who flirts with you and seems money hungry.
I am sorry to tell you this, dear reader, but that cute girl you are talking to on Twitter, the one who connected to you on LinkedIn and who shared their private Facebook profile with you, is definitely a dude. He is more than likely trying to social engineer some information out of you, or influence you for some nefarious purpose.
Blackmail if you are really unlucky.
TL;DR NEVER trust cute girls online if you are a man.
Softly Softly Catchee Monkey
“Deception doesn’t work if your target doesn’t have a reason to believe you’re real, so having a personality is important.” @S4BOT4GE.
I talked to veteran sock masters when researching this subject and those focused on OSINT like to take the softly softly, catchee monkey approach to engaging their targets and the key to this is personality and a grain of uniqueness.
@S4BOT4GE told me that the deception does not work unless your target has a reason to believe that you are real and that having a unique personality is important for this reason. He thinks the key is to emulate a unique character, rather than imitate an existing one and that a grain of uniqueness can make it real enough to believe.
He uses a remote browser isolation service for his online research, so the pages he visits render on a server rather than on his own endpoint. If the endpoint is the new perimeter, then remote browser isolation is the future of endpoint security.
This is full on social role playing he is talking about, immersing yourself in the character and becoming unique enough for your targets to notice you before you notice them. The trick to being noticed by your target according to S4BOT4GE is fairly straightforward on most social media platforms.
Start following and interacting with accounts that are in close proximity to your account’s targets. A couple of times a day, check each of their accounts for anything they posted that hasn’t been widely shared yet, and repost it immediately. Rinse and repeat; the social media algorithms will do their work and eventually show your activity to your targets.
If your activity has an authentic voice, they will notice you first and that is everything when it comes to initiating contact with a target. If a target is to really trust you, they need to initiate first contact. A smart man would never trust a direct approach from a pretty girl, but if he sees her around town every now and again, he may very well decide to approach her and say hello, it’s very common.
TL;DR Take your time, let your target come to you.
Welcome To The Jungle
I spoke to retired sock master @an3rka0s, a veteran of information warfare operations against foreign adversaries. He told me that the chances are that the socks are already all around you, you’re probably already connected to them and they just haven’t decided to target you directly yet. Admittedly that’s a paranoid outlook, but he is right depending on the social spaces you inhabit.
@an3rka0s tells me that battle hardened operators who have been immersed in the sock jungle for long enough begin to recognize adversarial sock operators through their personas, using their intuition and instinct they can smell other socks.
If you happen to be investigating the crypto world, chances are that your targets are already operating their own socks. One of the first skills a sock operator learns in the jungle, if they want to survive, is to recognize when their own followers are socks driven by adversaries trying to scope them out or keep them on their radar. This is why it’s essential that your fresh socks are completely unconnected to all of your other socks in every way; they need to be believable separate entities in order to credibly survive in the jungle. It is an artform in itself.
TL;DR A savvy sock operator can spot other sock operators and unless you are careful with your connections and behavior, they will spot you easily.
Beware The Sock Hunters
Rather than explain how to avoid being caught using a sock, it’s probably best to explain how we catch sock operators doing what they do. In general, sock puppets can be identified by their writing style, their posting activity, and their relationships with other users on the same or other social networks.
Happily, the OSINT community provides us with some fantastic toolsets for running investigations into social accounts and their public activity. If sock hunting is your thing, you can analyze a social accounts behavior and activity in lots of ways.
The easiest way to find sock accounts in a conversation is to check their login times and login IP addresses; very often sock operators have sloppy OPSEC and don’t bother concealing their IP. They also log in and post at roughly the same times, sometimes delaying their posts so as not to be obvious. Note that login IPs are only visible to the platform operator (or in the login history of accounts you control yourself); an outside investigator is limited to the public timing and content signals.
Over time identifiable patterns emerge though.
This method is not always workable: a sophisticated sock operator knows to avoid creating patterns in their logon and posting times, and knows how to conceal their IP address when logging on and posting. For the more sophisticated operators you have to step up your detection methods and develop machine learning models that detect similarities in behavior across multiple social accounts.
A recent study found that “sock puppets contribute poorer quality content, write shorter posts that are often downvoted or reported by other users. They post on more controversial topics, spend more time replying to other users and are more abusive.
Worryingly, their posts are also more likely to be read and they are often central to their communities, generating a lot of activity”. This gives you a baseline pattern to hunt for and base your machine learning algorithms on. Researchers are out there right now, leveraging this detection model in order to detect and identify socks.
Machine learning tools have been created which can detect if two accounts are owned by the same person with 91% accuracy. There are other tools that can distinguish between a real social account and a sock with 68% accuracy.
Tools like these are spotting patterns across thousands of social accounts and identifying their owners with ever increasing accuracy, they find patterns in your behavior and develop a behavioral fingerprint that you subconsciously leave on your actions. Even though you may try to randomize your behavioral patterns, style of writing, manner of expression, login times, IP address and other ways to conceal yourself, you cannot hide if the algorithms are given enough historical data on your activities to analyze. We all have our own unique behavioral fingerprint.
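As an added example, not code from either archived article, here is the kind of check a sock hunter would run, and the same check an investigator should run against their own socks before deployment as the first article recommends (its “reverse engineer your own creation” advice). It scores pairs of accounts on the three signals named above: writing style, measured as a function-word and punctuation profile, posting-hour overlap, and shared login IPs. The post records, account names, IPs and thresholds are all constructed for the example; the IP column assumes a vantage point (platform operator, or the login history of accounts you control) from which it is visible.

```python
"""Sock-puppet linkage check over constructed post records.

Added example; not code from either archived article. Scores each pair of
accounts on three signals: style similarity (function words + punctuation),
active-hour overlap, and shared login IPs. The IP column is an assumption:
it is only visible to the platform or in your own accounts' login history.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample records: (account, UTC timestamp, login IP, post text).
# alice_real and sock_one share the operator's verbal tics and late-night
# schedule but not IPs (VPN); sock_two once posted from alice's home IP.
POSTS = [
    ("alice_real", "2018-11-02T22:10:00", "203.0.113.10", "honestly tbh the new phone is... fine!! not great"),
    ("alice_real", "2018-11-02T23:05:00", "203.0.113.10", "tbh i just think... honestly!! why bother"),
    ("alice_real", "2018-11-03T22:40:00", "203.0.113.10", "honestly... tbh this is just so bad!!"),
    ("sock_one",   "2018-11-02T22:30:00", "198.51.100.7", "tbh honestly... the whole thread is just noise!!"),
    ("sock_one",   "2018-11-02T23:15:00", "198.51.100.8", "honestly i... tbh so tired of this!!"),
    ("sock_one",   "2018-11-03T22:55:00", "198.51.100.9", "just saw it... honestly tbh wow!!"),
    ("sock_two",   "2018-11-02T09:00:00", "198.51.100.20", "The report on the vendor, which I read this morning, was clear."),
    ("sock_two",   "2018-11-02T10:30:00", "203.0.113.10",  "A summary of the findings is attached, and the numbers are good."),
    ("sock_two",   "2018-11-03T09:45:00", "198.51.100.21", "I think that the issue is the cost, not the quality."),
    ("bystander",  "2018-11-02T14:00:00", "192.0.2.5", "Does anyone know if the patch is out yet?"),
    ("bystander",  "2018-11-02T15:20:00", "192.0.2.5", "Thanks, that fixed it for me - much appreciated."),
    ("bystander",  "2018-11-03T23:50:00", "192.0.2.5", "You can find a changelog on its site; it is short."),
]

# Style features: topic-independent function words plus punctuation habits.
FUNCTION_WORDS = ("the", "and", "to", "of", "a", "i", "you", "it", "that",
                  "honestly", "tbh", "literally", "basically", "just", "so")
PUNCTUATION = ("...", "!!", "?", ",", ";", "-")


def style_vector(texts):
    """Relative frequency of each function word and punctuation mark."""
    joined = " ".join(texts).lower()
    tokens = re.findall(r"[a-z']+", joined)
    n = max(len(tokens), 1)
    counts = Counter(tokens)
    return ([counts[w] / n for w in FUNCTION_WORDS]
            + [joined.count(p) / n for p in PUNCTUATION])


def cosine(u, v):
    """Cosine similarity; 0.0 if either vector is empty."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def jaccard(a, b):
    """Overlap of two sets (here: hours of the day with activity)."""
    return len(a & b) / len(a | b) if a | b else 0.0


def profile_accounts(posts):
    """Collapse records into per-account (style vector, active hours, IPs)."""
    texts, hours, ips = defaultdict(list), defaultdict(set), defaultdict(set)
    for account, ts, ip, text in posts:
        texts[account].append(text)
        hours[account].add(datetime.fromisoformat(ts).hour)
        ips[account].add(ip)
    return {acct: (style_vector(texts[acct]), hours[acct], ips[acct]) for acct in texts}


def pair_signals(posts):
    """For every account pair: style similarity, hour overlap, shared IPs."""
    profiles = profile_accounts(posts)
    out = {}
    for a, b in combinations(sorted(profiles), 2):
        style_a, hours_a, ips_a = profiles[a]
        style_b, hours_b, ips_b = profiles[b]
        out[(a, b)] = {"style": cosine(style_a, style_b),
                       "hours": jaccard(hours_a, hours_b),
                       "shared_ips": ips_a & ips_b}
    return out


def find_linked_accounts(posts, style_threshold=0.8, hour_threshold=0.5):
    """Return {(a, b): [reasons]} for pairs that look operator-linked.

    A shared IP is conclusive on its own; style alone is not, so it is
    only reported together with a matching activity schedule.
    """
    linked = {}
    for pair, sig in pair_signals(posts).items():
        reasons = []
        if sig["shared_ips"]:
            reasons.append("shared login IP " + ", ".join(sorted(sig["shared_ips"])))
        if sig["style"] >= style_threshold and sig["hours"] >= hour_threshold:
            reasons.append(f"style {sig['style']:.2f} with active-hour overlap {sig['hours']:.2f}")
        if reasons:
            linked[pair] = reasons
    return linked


if __name__ == "__main__":
    for pair, reasons in find_linked_accounts(POSTS).items():
        print(pair, "->", "; ".join(reasons))
```

Run stand-alone it links alice_real to sock_one on style plus schedule, and alice_real to sock_two on the one home-IP login; the bystander is linked to nobody. The thresholds are tuned to this toy data; real profiles need far more text per account and a larger feature set, and the function-word profile alone will happily pair two formal writers, which is why it is only reported alongside the schedule signal. The same script, pointed at your own socks, is the self-audit the first article asks for before a sock goes live.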
These tools are being developed in an effort to counter information warfare efforts across social media operations conducted against us by foreign adversaries intent on influencing the conversation in our society. They are also being developed by the private sector and the social media platforms themselves in an effort to disrupt trolls, persistent abusers, and operations designed to spread fake news into our feeds.
It’s getting much easier to spot and identify even the most experienced sock operators, especially when they are engaged in shady online behavior. But a skilled OSINT investigator who maintains his or her own sock accounts for investigative purposes, and who takes care, is likely to fly under their radar completely.
Stay under the radar, behave like a normal person, engage in authentic activity and keep your socks dry until you need them. Nobody likes wet socks.