The Art of the Sock
The Art Of The Sock
Source: secjuice.com/the-art-of-the-sock-osint-humint
(Archived here for easy access. If you see this and want me to remove it, just let me know.)
Sock puppets are where the OSINT rubber meets the HUMINT road, but you need to be good at using them to survive in the infosec jungle.
Guise Bule
Aug 12, 2018 • 9 min read
Social media is infested with sock puppets, influencing what we think in a million different conversations across different social platforms. Some are employed by nation states and used to influence politically, others by private corporations attempting to influence the conversation around their brands. Some are more much more sinister, set up to deceive and defraud. Then you have people like me, OSINT investigators who like to put on a nice clean pair of socks before they go to work and engage their targets.
Wait, That’s Not OSINT Though Is It?
What’s that investigator? You thought that you would be purely gathering intelligence from publicly available information? Oh my sweet summer child.
I am sorry to tell you that that OSINT and HUMINT go hand in hand these days, because OSINT can only ever get you so far. HUMINT is a natural extension to your OSINT work, especially when you are investigating fraudsters, there are only so many public facing signals they give out. If you really want to get a feel for your targets, you have to get your hands dirty, touch your target and social engineer your heart out.
To be an effective investigator you need to master the art of the sock and learn how to engage your targets on social media while wearing socks.
What Is A Sock Puppet?
My favorite definition of the term ‘sock puppet’ comes from the Oxford English dictionary “a person whose actions are controlled by another; a minion”, I just like the word minion though. A more accurate definition from an OSINT perspective would be “a social persona worn when engaging the targets of your investigation”.
A fully fleshed out sock puppet is a social persona that has a credible social history across different social media channels. In my case, I had need of a fully fleshed out sock puppet for an OSINT investigation into the operators of an ICO, for and on behalf of the investors in that ICO. You already know that the ICO was scammy and I am far too discreet to discuss the details, but its worth using as an example of how to properly nurture your sock from its birth to its eventual death.
Think Long Term
The Art Of The Sock is a long term game, if only because there is nothing that screams sock like a freshly coined social media account. This means that you have to think long term when it comes to growing a fully fleshed out sock account, you have to start growing and nurturing them a long time before you will actually need them. Of course you need more than one, they are disposable and you should only ever use a sock once, then throw it away as if it were a cum stained wank rag (my apologies).
By credible social history I mean that your sock has to behave in a consistently credible way over a period of time, the longer the better. The more social history your sock has, the more convincing it will be when you come to use that sock. By social history I mean a convincing breadcrumb trail of consistent activity, one that looks like the activity of a real person on social media. Your socks do not have to be the most prolific posters, but they should engage in regular, publicly visible, activity across different social media platforms.
Whatever you do, do not interact with any of your other accounts, contacts or peers. Your socks should be standalone entities in their own right.
When I say a credible history across platforms, I mean that they should have a Linkedin profile with a credible looking work history, a Facebook profile with some pictures of your sock having fun in different places, or sharing whatever they are into with their friends. It should have an active Twitter profile that engages with its community in a genuine and consistent way.
You noobs with your two month old twitter accounts aren’t fooling anyone, its the sock masters with the properly grown and nurtured personas who are smashing up the sock world out there. When those guys turn their fully fleshed out socks onto a target, they are both credible and convincing. Sock masters never automate anything, they give an authentic touch to every publicly visible action and you just cannot beat it.
Within dark rooms in foreign corners of the world, ‘sock master’ is actually a real job description and people devote their working days to growing and nurturing sock accounts to hand off to others for use in information warfare campaigns. To call them all sock masters though would be a lie, most of them are sock herders at best and if you watch closely, you can see the handovers in the socks behavior.
TL;DR Start growing your socks now in case you need them one day.
Men Are Stupid
When it comes to socking them out of the ballpark, its better to be a woman than a man because men are stupid. Unless they are savvy, the vast majority of men are hugely vulnerable to a direct approach from a pretty girl. Its absolutely fucking ridiculous in fact and it made me never want to trust women online unless you first validate their existance via a webcam session. Social metadata validation cannot be trusted and even when you video validate they could have hired a prostitute to play the part.
And what do you do? You share far too much information with that cute girl, goddamnit what the hell is wrong with you people? Blabbing about your business to random girls on the internet, you deserve to be uncovered as fraudsters. Same applies to you idiots trying to recruit, you may want to consider not sharing the working details of your operation with that hot blonde flirts with you and seems money hungry.
I am sorry to tell you this dear reader, but that cute girl you are talking to on Twitter, the who connected to you on Linkedin and who shared their private Facebook profile with you is definitely a dude. He is more than likely trying to social engineer some information out of you, or influence you for some nefarious purpose.
Blackmail if you are really unlucky.
TL;DR NEVER trust cute girls online if you are a man.
Softly Softly Catchee Monkey
“Deception doesn’t work if your target doesn’t have a reason to believe you’re real, so having a personality is important.” @S4BOT4GE.
I talked to veteran sock masters when researching this subject and those focused on OSINT like to take the softly softly, catchee monkey approach to engaging their targets and the key to this is personality and a grain of uniqueness.
@S4BOT4GE told me that the deception does not work unless your target has a reason to believe that you are real and that having a unique personality is important for this reason. He thinks the key is to emulate a unique character, rather than imitate an existing one and that a grain of uniqueness can make it real enough to believe.
He uses a remote browser service to conduct online research. If the endpoint is the new perimeter, then remote browser isolation is the future of endpoint security.
This is full on social role playing he is talking about, immersing yourself in the character and becoming unique enough for your targets to notice you before you notice them. The trick to being noticed by your target according to S4BOT4GE is fairly straightforward on most social media platforms.
Start following and interacting with accounts that are in close proximity to your accounts targets and a couple times a day, check each of their accounts for anything they posted that hasn’t been widely shared yet, and repost it immediately. Rinse and repeat to allow the social media algorithms to do their work and they will eventually show your activity to your targets.
If your activity has an authentic voice, they will notice you first and that is everything when it comes to initiating contact with a target. If a target is to really trust you, they need to initiate first contact. A smart man would never trust a direct approach from a pretty girl, but if he sees her around town every now and again, he may very well decide to approach her and say hello, it’s very common.
TL;DR Take your time, let your target come to you.
Welcome To The Jungle
I spoke to retired sock master @an3rka0s who is a verteran of information warfare operations that mitigated against foreign adversaries. He told me that the chances are that the socks are already all around you, you’re probably already connected to them and they just haven’t decided to target you directly yet. Admittedly that’s a paranoid outlook, but he is right depending on the social spaces you inhabit.
@an3rka0s tells me that battle hardened operators who have been immersed in the sock jungle for long enough begin to recognize adversarial sock operators through their personas, using their intuition and instinct they can smell other socks.
If you happen to be investigating the crypto world, chances are that your targets are already operating their own socks. One of the first skills that a sock operator learns in the jungle if they want to survive is to recognize when your own followers are socks driven by your adversaries trying to scope you out or keep you in their radar. This is the reason why its essential that your fresh socks are completely unconnected to all of your other socks in every way, they need to be believable seperate entities in order to credibly survive in the jungle. It is an artform in itself.
TL;DR A savvy sock operator can spot other sock operators and unless you are careful with your connections and behavior, they will spot you easily.
Beware The Sock Hunters
Rather than explain how to avoid being caught using a sock, it’s probably best to explain how we catch sock operators doing what they do. In general, sock puppets can usually be identified based on their writing style, posting activity and relationship with other users on the same, or other social networks.
Happily, the OSINT community provides us with some fantastic toolsets for running investigations into social accounts and their public activity. If sock hunting is your thing, you can analyze a social accounts behavior and activity in lots of ways.
The easiest way to find sock accounts in a conversation is to check their login times and login IP adresses, very often sock operators will have sloppy OPSEC practices and/or not bother concealing their IP. They will also login and post at roughly the same time, sometimes delaying their posts in order not to be obvious.
Over time identifiable patterns emerge though.
Sometimes this method of detecting socks is not always workable, a sophisticated sock operator will know to avoid creating patterns in their logon times and posting times, they will also know how to conceal their IP address when logging on and posting. When it comes to the more sophisticated sock operators, you have to step up your detection methods in order to catch them and begin to develop machine learning algorithms that detect similarities in behavior across multiple social accounts.
A recent study found that “sock puppets contribute poorer quality content, write shorter posts that are often downvoted or reported by other users. They post on more controversial topics, spend more time replying to other users and are more abusive.
Worryingly, their posts are also more likely to be read and they are often central to their communities, generating a lot of activity”. This gives you a baseline pattern to hunt for and base your machine learning algorithms on. Researchers are out there right now, leveraging this detection model in order to detect and identify socks.
Machine learning tools have been created which can detect if two accounts are owned by the same person with 91% accuracy. There are other tools that can distinguish between a real social account and a sock with 68% accuracy.
Tools like these are spotting patterns across thousands of social accounts and identifying their owners with ever increasing accuracy, they find patterns in your behavior and develop a behavioral fingerprint that you subconsciously leave on your actions. Even though you may try to randomize your behavioral patterns, style of writing, manner of expression, login times, IP address and other ways to conceal yourself, you cannot hide if the algorithms are given enough historical data on your activities to analyze. We all have our own unique behavioral fingerprint.
These tools are being developed in an effort to counter information warfare efforts across social media operations conducted against us by foreign adversaries intent on influencing the conversation in our society. They are also being developed by the private sector and the social media platforms themselves in an effort to disrupt trolls, persistent abusers, and operations designed to spread fake news into our feeds.
Its getting much easier to spot and identify even the most experienced sock operators, especially when they are engaged in shady online behavior. But a skilled OSINT investigator who maintains his or her own sock accounts for investigative purposes, and who takes care, is likely to fly under their radar completely.
Stay under the radar, behave like a normal person, engage in authentic activity and keep your socks dry until you need them. Nobody likes wet socks.