We all have created fake profiles in the past for different purposes: checking an ex's profile, looking into a new employee's background, or simply satisfying our curiosity about someone's online presence.
These fake profiles, often referred to as "sock puppets", play a significant role in OSINT (Open Source Intelligence) investigations. But beyond casual snooping, these tools can be powerful assets for cybersecurity professionals, private investigators, and journalists.
The Art of Sock Puppetry in OSINT
Creating a convincing fake profile isn't as simple as slapping together a few random details. It requires a thoughtful approach to make the persona believable and useful.
Some people might think that following a step-by-step approach to create a fake entity is not necessary, but it is a must if you want to protect the real identity of the person behind the sock puppet.
The two approaches
When creating a fake entity, you first need to decide which of the two approaches you are going to follow: active or passive.
Passive
The passive approach involves gathering information without directly interacting with the target. In this method, sock puppets are invaluable, allowing investigators to observe and collect data covertly.
Active
This is the more aggressive approach, as it involves direct interaction with targets to gather information. A good and safe sock puppet is essential to avoid raising any suspicion on the target's side. An active approach often involves:
Engaging in Conversations
Joining Groups and Communities
Elicitation Techniques
Creating a Sock Puppet
While I could explain to you the different techniques that can be used in active and passive OSINT, today we will just focus on the procedure to create a sock puppet.
The first and most important thing to start with is an email account with a safe provider. Never, and I repeat never, use your personal email account to create a fake profile. As a matter of fact, never use any email address that could be traced back to you or anyone close to you.
Another thing to take into consideration is not to use any famous provider like Gmail, Proton Mail, Outlook, Yahoo or another popular email provider; instead, opt for FastMail. This email provider allows you to create free email accounts for a period of 30 days, which is good enough for short investigations. If you need more time, you could always buy the individual membership for $5 a month. There are two main advantages: they will not ask you for a second email address, and being less popular than other email providers makes it less likely that Facebook or Instagram have special security measures for emails from this provider.
Facebook and Instagram
Creating a new Facebook account often requires phone verification, but there's a workaround. First, disconnect any VPNs or IP-masking tools and use a standard residential or business internet connection. Make sure to clear your internet cache and log out of all accounts. Instead of using facebook.com, go to m.facebook.com—the mobile site, which is more lenient. Use your previously set up Fastmail email for registration, which typically allows you to bypass the phone verification step. If you encounter issues, try using public library Wi-Fi, which can be more effective. The same approach applies to Instagram, as it shares Facebook's security protocols.
Google has increased its scrutiny of unusual account sign-ups, yet creating a new account remains feasible. Google often rejects registrations made through Tor or VPN services. During the registration process, providing your Fastmail email can meet their validation needs. Furthermore, account setups tend to be more successful when using Google's own Chrome browser, compared to more privacy-oriented browsers like Firefox, likely due to Google's affiliation with Chrome.
2FA
Once you create an account, you should enable two-factor authentication (2FA). This extra layer of security, involving a text message or a software token like Authy, confirms to the service that a genuine person, not a bot, is managing the account. This step bolsters the account's credibility and protects it from misuse.
Mobile Number
When a service flags a new account as suspicious, it usually asks for a valid cellphone number, not accepting landlines or VOIP numbers. You can use Mint Mobile SIM cards, available on Amazon, which sometimes include a phone number with a one-week trial. You can activate the SIM on an old phone, use the number for account registrations, and then switch to a VOIP number and add 2FA for security.
Profiling a Sock Puppet
Done! That's it, you have created your first sock puppet. Now, if you don't want to raise any suspicions, you need to fill in your profile with information.
While an empty sock puppet could be good enough to perform passive OSINT, it could raise alerts with the service providers and your targets.
Name and background
While you could create your own alias and background, I would suggest using one of the multiple tools online that will automate this process. One of my favorites is https://www.fakenamegenerator.com/
If you are planning on doing an active investigation, you could always create an account with a background similar to that of your target (same city, similar school, similar hobbies, etc.).
AI has also gained a lot of reputation in recent years. You could send a prompt to ChatGPT asking for fake details and a background for a person, and it will provide you with them. If it gives you any problem, just write that it's for educational purposes.
Images
What if I told you the woman in the picture above doesn't exist, would you believe me? Your target probably wouldn't believe it either. Whenever you want to set up a profile image for your sock puppet account, I recommend using https://thispersondoesnotexist.com/. It will create random images of people thanks to AI. Some of them might have some problems or bugs, so check them before submitting them to your sock puppet account.