Creating an Effective Sock Puppet for OSINT Investigations – Introduction

Introduction and Philosophy

In recent light of the epic failure by Surefire Intelligence to frame Robert Mueller for sexual assault allegations, I feel it’s important to discuss and unpack how to make a good sock puppet for OSINT operations.  If you aren’t familiar, just google Jacob Wohl or Surefire Intelligence and you will likely be flooded with information about the scandal.  For further details on the unraveling of the socks Wohl made, check out Aric Toler’s threat on Twitter @arictoler from Bellingcat.

Now, without further ado, let’s get started on constructing a sock puppet for OSINT investigations.  To get started, I want to properly define what a sock puppet is and what it is not.  The internet (already a skeptic) defines a sock puppet as “an online identity used for purposes of deception”.  This clearly refers to the traditional sock puppet, with an unknown ‘master of puppets’.  I’d like to add a bit of clarity to that definition though.  Sock puppets aren’t exclusive to deception operations, they can also be used for privacy and OPSEC for an investigator, journalist, penetration tester, etc.  OPSEC online not only protects the investigator, but it also protects the target in the case that the evidence provided leads nowhere.  So, how do you make a sock puppet that won’t embarrass you like Jacob Wohl and Surefire Intelligence?

The first thing you have to do is clearly define your intent.  You can choose to create a fake persona or you can create an avatar that’s clearly fake with the masked excuse of OPSEC as it’s origin.  Let me elaborate.  Let’s say you choose option 1.  You want to create a sock puppet named “Eugene Shoemaker”.  Eugene Shoemaker doesn’t exist.  So you have to create an entire identity around Gene in order for the account to look authentic. This takes a very long time, is very difficult, and has a higher chance of failure.  Additionally, if this sock is discovered, all of your work has to be deleted and you have to start all over again.  If you can pull this off, this is the most effective way to operate.  But not everyone is patient.  That’s why there’s option 2.

Option 2 is creating an avatar that’s focused around an idea rather than a unique identity.  Examples of this include @ShakiraSecurity on Twitter or @DutchOSINTGuy.  Everyone knows Shakira isn’t involved in the infosec community.  They also know that that account isn’t Shakira.  But that account is still a trusted source on Twitter when it comes to OSINT and infosec conversations.  That account have over 500 followers.  That account has a function and has built trust.  That account was easier to create than a blank slate.

For both options it’s recommended to create content, add media (photos, videos), interact with others online in an authentic way, create multiple social profiles, convince others to vouch for you, have a phone number, unique IP, email address, etc. But more on that later.

But enough on theory and philosophy.  Both options are viable and, once again, it depends on your intent and the scope of your project.  If you have a large scale operation, you may create a community of sock puppets that interact with others and each other to create influence that has leverage.  Let’s get into the details on how to set this up.

The Setup

Depending on who you ask, there’s an endless list of things you can do to remain anonymous while conducting investigations online.  You can go extreme and jump down the Michael Bazzell rabbit hole, or you can have a little less attention to detail and still do fine. If you’re interested in an almost full proof system, check his book Hiding from the Internet. If you’re asking me how to create a successful sock puppet, I’m more of a subscriber of the Pareto Principle; but I also don’t have much to lose if caught during an investigation like others may have (back to intent).  Here’s the 80/20 on what you need to get started.

  1. A dedicated computer that is only used for investigations
  2. Encrypted Email – Use Proton Mail
  3. A burner phone number (expensive) or a wifi phone number (cheap or free)
  4. A social media profile where your target is most active (choose option 1 or 2)
  5. A couple different virtual machines
  6. A blog or website (you can use a free blog like WordPress, Blogger, or Medium)
  7. A VPN (you should probably have one anyway)

Now, this is just a start, but it will help you at least get started.  You will have to customize your avatar as you go along to maintain or add credibility.

Dedicated Computer

Having a dedicated computer is an absolute must.  You don’t want anything you are doing under your avatar to somehow be linked to your personal, real account.  Not only will this reveal that your sock puppet is indeed a sock puppet, it may link your real identity to it (see Surefire Intelligence fail).  This computer doesn’t have to be expensive, you could use something as simple as a Raspberry Pi or a cheap laptop.  Using other tools I’ll discuss below, your dedicated computer should not be able to be linked to another computer on your network.

Encrypted Email

This is generally a best practice in the OSINT and infosec community.  While it may be enticing to use Gmail due to the vast number of free tools they provide and their seamless integration, but don’t do it.  Google is tracking you.  Even if you provide false information, they will still know it’s you eventually.  Proton Mail is a name brand in the encrypted email industry.  There are other options but I’d go with Proton Mail if you haven’t experimented with them before.  The user interface is easy to understand and it doesn’t require any advanced setup.

Phone Number

If you can, try to get a very cheap phone plan that’s dedicated to you avatar.  Cheap plans such as Mint will get you the very basics for close to single digits a month.  If you don’t want to spare the cash, consider getting a wifi based phone number from a website that doesn’t recycle phone numbers every month.  Google Voice is a good option.  Keep in mind that a lot of these websites request your primary phone number (Google) when signing up.  If you’re very concerned about privacy, find one that doesn’t.

VPN

It’s important to mask your IP when doing OSINT research online.  The best way to do this is to use a VPN.  The number one VPN changes frequently so depending on when you read this, it could be different.  I’ve used ProtonVPN, Windscribe, NordVPN, and Private Internet Access.  Pick one that values your privacy and has a user interface that’s easy for you.  Make sure you get a VPN that constantly changes your IP so that you don’t establish a pattern during logons or during interaction.

Social Media Profiles

Now that you have a dedicated computer, encrypted email, phone number, and VPN, we can get to the fun part.  You can use all of your information (email, phone number) to create your social media profiles of choice.  Since you’re starting from scratch, it’s important you start interacting in an organic way.  This could include following people, posting links, doing status updates, interacting with people in the same niche as your target, etc.  This process will take a long time if you do it right.  If you’re really skilled, your target will come to you.  I recommend creating multiple avatars with multiple emails and phone numbers to decrease your risk and to deploy them in different ways.  More on this later.

Virtual Machines

Virtual machines are a great way to create an additional layer of privacy.  You can also use them for specific tools in your OSINT investigation.  I recommend starting with Buscador as it offers a wide variety of OSINT tools.  You can also experiment with Windows VMs to access tools like FOCA and other Windows specific tools.  Experiment with Android emulators to take advantage of mobile apps.  Nox is an excellent emulator to get you started.

Blog 

If you want to go another layer deep on your avatar, create a free blog on WordPress, Medium, or Blogger and link it to your social media profile.  Generate content both on social and your blog to increase credibility.  After a period of development, you will have a complex character that’s believable and valuable.

Chrome Extensions

Part of remaining anonymous on the web is blocking all forms of tracking.  The two extensions I’d recommend of the top of my head are AdBlock and Disconnect Me.  These will stop ads from tracking you as well as all pull requests from social media sites.  Combined with a VPN, you should have what you need to search safely.

Bonus

Once you’ve developed all of the above, you may want to verify yourself on Keybase and get involved in other opportunities such as Slack channels or Rocket Chats  This will grant you an opportunity to open a dialogue with your target or associates in an environment separate from social media.

Things to Consider

It’s important to remember that you should be very careful before deploying your sock puppet.  If you use it too soon, you’ll lose credibility with your target or associates and you may not recover.  I recommend setting goals such as a certain number of Tweets, followers, blog posts, or months, etc. before creating plan to use it.  With that being said, the intent of your sock puppet should be dictated by the influence it creates organically.  Don’t steer your sock puppet in an unnatural direction.  Let it grow organically and deploy it in the direction it develops on it’s own.  That’s why it’s important to have multiple accounts.

Another thing to consider is forensic linguistics.  Try to make the content you create on your sock puppet account as unique as possible (or at least different from your personal account). That being said, so long as you’re not doing anything incredibly controversial, people won’t question your motives and investigate your identity anyway. Constantly collect OSINT on your sock puppet and reverse engineer your own creation.  Have a friend or colleague take a look at it and see if they can find a way in.  Do all of this before deploying the sock.

Some mistakes Wohl made was using stock images that were easily traceable through image search, not using Whois protection during domain registration, using his socks too soon, and not collecting OSINT/investigating himself before deployment. Read Aric Toler’s write up on this for lessons learned.

Further Research

This post is closing in on 2000 words, which is quite concerning to me.  The OSINT community is already saturated with long form content that’s difficult to digest.  Keeping that in mind, I’d like to conduct an experiment of my own with this process and share the results in another medium.  I’ve been talking on Twitter about how I want to write an OSINT related book.  I think this is it.  I’ll be keeping everyone updated on the progress of this as I set up my sock puppet ecosystem, document, and write the results. Use this post as an introduction to the process and a precursor to the book.

 

 

 

2 thoughts on “Creating an Effective Sock Puppet for OSINT Investigations – Introduction

  1. On the VMs – to increase distance from the “real you” – change screen resolution and fonts to prevent fingerprinting ( etc )
    Turn webrtc off.
    Also – unbalance your keyboard legs or spin the keyboard and type at a weird angle. (Maybe switch to a dvorak for the puppets??)
    Maybe extreme, but helps throw a wrench in “keystroke dynamics” .
    The puppet will always be hunt and peck and “real you” will always type as real you normally does.

    If you have a predictive typing app/plugin ( ala mobile kybds ) – train the keyboard app to suggest phrases that the real you never uses. That is – prime the predictive typing with alter-ego’s linguistic preferences.
    -Coinsigliere

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s