Business Security

How wearing a ‘sock puppet’ can aid the collection of open source intelligence while insulating the ‘puppeteer’ from risks

A peek behind the curtain: How are sock puppet accounts used in OSINT?

In the untold expanse of online information and communication, the ability to find the signal in the noise and discern the authenticity of data and its sources becomes increasingly critical.

We’ve previously looked at the mechanics of open source intelligence (OSINT), the practice of collecting and analyzing publicly available information for investigative purposes, and especially how cyber-defenders can use it to stay a step ahead of attackers.

In this article, we’ll focus on a tool commonly used in OSINT: so-called sock puppet accounts, how they are created and used, along with the risks that their use may entail.

What are sock puppets?

Put simply, sock puppet accounts are fictitious identities that provide their masters with anonymity while using social media platforms, discussion boards, email and other online services. They can be harnessed for OSINT investigations in order to assess emerging cyberthreats, gather information on online fraud, abuse and other illicit activities and collect evidence of such wrongdoing, track extremist ideologies or gain other insights into specific trends or issues.

The information collected by these research accounts often goes deeper than the readily disclosed information and may require establishing relationships with other people. The entities that leverage these accounts run the gamut and range from law enforcement, private investigators and journalists to intelligence analysts, network defenders and other security practitioners, including for efforts aimed at detecting and mitigating potential threats.

On the other hand, these fake personas can also be deployed to do the bidding of malicious actors, who may use sock puppets to help spread spam or extract information from or otherwise manipulate their targets. These accounts are also often used in disinformation efforts to help steer discussions in a particular direction, amplify false narratives, shape public discourse and ultimately sway opinions about a broader societal issue or an organization.

Sock puppets in OSINT

Sock puppet accounts enable OSINT practitioners to blend into online communities and gather information without revealing their true identity and without fear of reprisal, especially where their personal safety could be jeopardized. They can provide their “puppeteers” with access to closed or private groups that would otherwise be inaccessible to external observers.

Creating sock puppets requires a fair amount of strategic planning that considers variables such as the choice of platforms that are home to the greatest amount of information on targets all the way to thinking through and then practicing proper operational security measures.

In order to avoid disclosing their owner’s true IP address and for other operational security reasons, these accounts are often used in tandem with tools such as virtual private networks (VPNs), Tor (especially when accessing the dark web) and proxy services or, where their use is not permitted, a public Wi-Fi connection.

When setting up and managing sock puppet accounts, a burner mobile phone may also be necessary. The same goes for dedicated password management tools like KeePass and handy tools such as Firefox Multi Account containers that separates each of the investigator’s digital lives.

Obviously not all sock puppets are made alike. Leaving aside temporary ad-hoc accounts, which are discarded once their job (such as registering on a website or sending an email) is completed, perhaps the most common and interesting use case is social media accounts, and those require a lot more effort.

This starts with the creation of an email account that cannot be traced back to its owner and then a realistic identity with detailed (though, of course, fictitious) personal information. It’s just as important to craft a credible backstory and use a consistent voice and tone that is further supported by sustained activity over time in the form of comments, posts and photos. A plan that lays out the account’s activities – such as identifying and visiting other accounts, posting comments, and maintaining a realistic persona overall – helps avoid setting off alarm bells.

Identifying potential sock puppets

Sock puppet accounts can be spotted by:

  • behavioral pattern analysis: sock puppets may follow similar behavioral patterns, such as reposting the same messages or using repetitive language, or displaying a lack of interactions with real users or little to no engagement as such.
  • examining profile details: for example, a lack of detailed personal information and the use of stock images are clear giveaways.
  • cross-checking and verification: comparing information provided by sock puppets with other sources, which helps validate collected data.

Sock puppets in action

Sock puppets play a pivotal role in OSINT, providing its practitioners with a powerful tool for gathering information while maintaining their anonymity. However, understanding the associated threats and potential pitfalls is also essential for conducting effective and ethical investigations. For starters, investigators need to avoid the risk of discovery and be well versed in identifying sock puppet accounts that may be used for counterintelligence purposes.

Importantly, the use of sock puppet accounts also involves ethical considerations and possible legal risks or restrictions, and it needs to align with the intended goals and avoid causing unintended harm. The ‘puppeteers’ should also carefully weigh the benefits and drawbacks of these personas and ensure that their use aligns with ethical standards, legal requirements, and the overall objectives of responsible information gathering.