How Wearing a “Sock Puppet” Can Facilitate Open Source Intelligence Collection While Insulating the “Puppeteer” from Risk
January 11, 2024

In the incalculable expanse of online information and communication, the ability to find the signal in the noise and discern the authenticity of data and its sources is becoming increasingly critical.
We have already examined the mechanics of open source intelligence (OSINT), the practice of collecting and analyzing publicly available information for investigative purposes, and especially how cyber defenders can use it to stay one step ahead of attackers.
In this article, we will focus on a commonly used tool in OSINT: so-called sock puppet accounts, how they are created and used, and the risks their use can bring.
What are sock puppets?
Simply put, sock puppet accounts are fictitious identities that provide anonymity for their masters when using social media platforms, chat rooms, email, and other online services. They can be leveraged for OSINT investigations to assess emerging cyber threats, gather information on online fraud, abuse and other illicit activities and collect evidence of such wrongdoing, track extremist ideologies or obtain further information on specific trends or issues.
The information collected by these research accounts often goes deeper than easily disclosed information and may require establishing relationships with other people. The entities that operate these accounts run the gamut from law enforcement, private investigators, and journalists to intelligence analysts, network defenders, and other security practitioners, including in efforts to detect and mitigate potential threats.
On the other hand, these fake personas can also be deployed to carry out the orders of malicious actors, who may use puppets to help spread spam, extract information, or manipulate their targets. They are also often used in disinformation efforts aimed at steering discussions in a particular direction, amplifying false narratives, shaping public discourse, and ultimately influencing opinions on a broader societal issue or on an organization.
Sock Puppets in OSINT
Sock puppet accounts allow OSINT practitioners to blend into online communities and gather information without revealing their true identities and without fear of retaliation, especially when their personal safety could be compromised. They can give their “puppeteers” access to closed or private groups that would otherwise be inaccessible to outside observers.
Creating sock puppets requires a fair amount of strategic planning that takes into account variables ranging from choosing which platforms house the greatest amount of target information, through to brainstorming and then implementing appropriate operational security measures.
To avoid disclosing their owner’s true IP address and for other operational security reasons, these accounts are often used in tandem with tools such as virtual private networks (VPNs), Tor (especially when accessing the Dark Web) and proxy services or, where their use is not permitted, public Wi-Fi.
When creating and managing sock puppet accounts, a burner mobile phone may also be required. The same goes for dedicated password management tools like KeePass and handy tools like Firefox Multi-Account Containers that separate each of the investigator’s digital lives.
Obviously, not all sock puppets are the same. Leaving aside ad hoc temporary accounts, which are deleted once their job (like registering on a website or sending an email) is done, the most common and most interesting use case may be that of social media accounts, and those require a lot more effort.
It starts with creating an email account that’s impossible to trace back to its owner, then creating a realistic identity with detailed personal information (albeit fictitious, of course). It is equally important to create a credible story and use a consistent voice and tone, supported by sustained activity over time in the form of comments, posts and photos. A plan that outlines account activities – such as tagging and visiting other accounts, posting comments, and maintaining an overall realistic personality – helps avoid setting off alarm bells.
Identify Potential Sock Puppets
Sock puppet accounts can be spotted by:
- Behavioral pattern analysis: sock puppets may follow similar behavioral patterns, such as reposting the same posts or using repetitive language, or showing little or no interaction or engagement with real users.
- Examining profile details: for example, a lack of detailed personal information and the use of stock images are obvious clues.
- Cross-checking and verification: comparing the information provided by the sock puppets with other sources, which allows the data collected to be validated.
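The first two checks in the list above can be turned into a simple triage script for accounts an analyst has already collected. This is an added example, not part of the original article; the thresholds, field names and sample accounts are assumptions made for illustration, and the third check (cross-checking against other sources) stays a manual step.

```python
from itertools import combinations

# Thresholds and field names are illustrative assumptions, not from the article.
DUP_SIMILARITY = 0.6    # Jaccard similarity at which two posts count as near-duplicates
DUP_RATIO = 0.5         # share of near-duplicate posts that raises the flag
MIN_REPLY_RATE = 0.1    # replies received per post below which engagement is "low"
PROFILE_FIELDS = ("bio", "location", "avatar_is_original")

def shingles(text, n=3):
    """Lower-cased n-word shingles of a post, for fuzzy comparison."""
    words = text.lower().split()
    if len(words) < n:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}

def repetition_ratio(posts):
    """Fraction of an account's posts that nearly duplicate another of its posts."""
    sets = [shingles(p) for p in posts]
    dup = set()
    for i, j in combinations(range(len(sets)), 2):
        union = sets[i] | sets[j]
        if union and len(sets[i] & sets[j]) / len(union) >= DUP_SIMILARITY:
            dup.update((i, j))
    return len(dup) / len(posts) if posts else 0.0

def review_flags(acct):
    """Return the heuristics an account trips; a lead for manual review, not a verdict."""
    flags = []
    if repetition_ratio(acct["posts"]) >= DUP_RATIO:
        flags.append("repetitive posts")
    if acct["posts"] and acct["replies_received"] / len(acct["posts"]) < MIN_REPLY_RATE:
        flags.append("little engagement")
    missing = [f for f in PROFILE_FIELDS if not acct["profile"].get(f)]
    if len(missing) >= 2:
        flags.append("sparse profile: " + ", ".join(missing))
    return flags

# Constructed sample accounts (not real data).
SAMPLE = {
    "acct_a": {"posts": ["Totally agree this product changed my life try it"] * 2
                        + ["Totally agree this product changed my life buy it"],
               "replies_received": 0,
               "profile": {"bio": "", "location": "", "avatar_is_original": False}},
    "acct_b": {"posts": ["Patched our VPN gateway over the weekend",
                         "Anyone going to the local security meetup on Friday",
                         "Notes from my talk on log retention are online"],
               "replies_received": 5,
               "profile": {"bio": "Blue team", "location": "Leeds", "avatar_is_original": True}},
}
```

Calling `review_flags(SAMPLE["acct_a"])` lists every heuristic the account trips, which gives the analyst something concrete to verify by hand before drawing any conclusion.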
Sock puppets in action
Sock puppets play a central role in OSINT, providing its practitioners with a powerful tool for gathering information while maintaining their anonymity. However, understanding the associated threats and potential pitfalls is also essential to conducting effective and ethical investigations. To begin, investigators must avoid the risk of detection and know how to identify puppet accounts that could be used for counterintelligence purposes.
It is important to note that the use of puppet accounts also involves ethical considerations and possible legal risks or restrictions, and it must align with the intended objectives and avoid causing unintended harm. “Puppeteers” must also carefully weigh the pros and cons of these personas and ensure that their use complies with ethical standards, legal requirements, and the general goals of responsible information collection.