Some of Your Online Friends are Sock Puppets
Fake accounts that both bad actors and legitimate investigators use to gather information and how to recognize them
Every day I have suspicious accounts that try to befriend me on LinkedIn and other social media. Some have AI-generated images or gender mismatches, others are half-empty and have name patterns with other users who tried to become my friends yesterday. And some of them are well-aged accounts with following and posts.
They are all sock puppets or bots, and they are created to gather information or be involved in illicit activities. This activity goes against the Terms of Service of pretty much every website, but it’s almost impossible to stop.
To recognize a sock puppet or any fake account, investigators need to know how they were created in the first place.
Persona generators
Generators create fake profiles with a wide variety of information. You can get bad actors a name, birthday, address, physical description, SSN, mother’s maiden name, phone number, email, examples of usernames/passwords, card numbers, employment history, car license plate, and something fun, like their favorite colors or an astrology sign. All of this information is random, it’s not a real person in any way possible. The addresses, SSNs, and card numbers are also random combinations of letters and digits.
Generators can create profiles for different genders, ethnicities, and countries. Examples of profile generators are Fake Name Generator, Elfqrin, and DataFake Generator. Chat CPT is another way to create a persona, and you can always add a fake resume from This Resume Doesn’t Exist.
Images
Many free services provide AI-generated pictures that are often used for profiles. I wrote a blog post on how to recognize an AI-generated photo with examples of images used in real scam cases. The telltale signs are usually face asymmetry and background issues. These pictures generally have become more recognizable, so many other services were invented to avoid it. Examples of image generators are This Person Doesn’t Exist, Morph Thing, and Generated Photos. It’s always a good idea to run an image through a reverse search because it might be taken from a real person or stock photo websites.
Account Age
Account aging is a process of creating an account and posting, commenting, and liking for some time to avoid suspicion. Aged accounts are a commodity, especially for Facebook and Instagram, whose prices usually start from $2. Social media often flag accounts created in the last 30 days and remove restrictions after that period. They also want to see a familiar IP pattern and other normal user behavior.
There is an interesting idea from a service Have I Been Pwned saying that if an email has never been found in any security breach, it was probably used in an account created to game the system and it was never a part of a normal internet activity. Almost all my emails were found in some breaches, so I guess I am a real person.
Anonymity
Burners, or prepaid phones, are available in almost every tech store, as well as virtual credit cards, prepaid cards, or gift cards that protect anonymity. Using burners, VoIP phone numbers, encrypted emails, VPNs, public Wi-Fi, and cryptocurrency can provide a lot of privacy and make a believable and almost untraceable person.
Humans Behind Puppets
Creators of sock puppets hide their IPs and use clean emails and phone numbers. But they are still people and they can make mistakes by using their birthdays, partial names, or hobbies and interests. They also might be posting during their awake time and not when their sock puppet is supposed to be active. Or they might be bots and, in this case, they post at the same every day.
As a disclaimer, there is a need for legitimate investigators to create sock puppets to avoid recognition and keep privacy and anonymity levels high. Social media can recommend accounts based on the activity of their users, IPs can be traced, and the use of real phone numbers and emails can lead to bad consequences. It’s illegal to impersonate a government employee, including a law enforcement officer, in the U.S. but it’s not illegal to have fake online personas for open-source intelligence.
 
             
            