Privacy - Security - OSINT
Every day it seems to get harder and harder to make sock puppet (i.e. ‘fake’) accounts for OSINT research. Services want more information. They require real (non-VOIP) phone numbers. They assume using a VPN = sketchy.
Personally, I blame Russian troll farms.
Regardless of the reasons and restraints, there’s good news for us OSINT investigators. As long as they want to stay in business and grow, the services have to let new users sign up. So all we have to do is convince them that that’s what we are — legit, new users.
As of March, 2021, these are the exact steps I’ve found to be most successful when trying to create a new sock puppet account from scratch. Keep in mind, things change quickly. Websites go down. Apps change. Services adapt. Just like during an investigation, we have to be able to pivot as well.
Follow this sock puppet creation guide step-by-step, in chronological order, and you’ll not only build your accounts today, but learn the process for the future. I’ll try to keep this updated but if you come across any errors, or outdated instructions, feel free to email me at [email protected].
Don’t be tempted to come up with stuff on the fly. At least have these basics figured out beforehand:
As you create new accounts you’ll have to enter a lot of details about ‘you’. Your name, passwords, phone numbers, date of birth, security questions, etc. Free and open-source password managers like Bitwarden (cloud-hosted) or KeePassXC (locally hosted) can be a great way to keep track of it all.
Yes, you actually need a physical phone.
No, ‘burner’ phones are not illegal.
In fact, anyone without a landline should have an extra phone available at all times anyway. What if there was an emergency and your primary phone gets dropped in water, freezes for no reason, or you just can’t find it?
Nowadays, it’s nearly impossible to set up accounts (and keep them alive) without having a non-VOIP phone number. Buy a cheap, used Android as anonymously as possible. I know that’s vague, but a detailed explanation is beyond the scope of this article. Do some research, get creative, and figure out how to buy one with cash. Then wipe it clean a few times.
A new SIM card gives you a new phone number. It does not make you anonymous. The physical device has a hardware ID that cannot be changed, so tracking different SIMs back to a single device isn’t hard. Hence, the reason you paid cash for a new device in the last step.
Currently, if you live in the U.S., the best deal on SIM cards is Mint Mobile’s 7-day trial for $0.99 on Amazon. You can buy that anonymously, too, if you create a new account, pay with a privacy.com masked credit card, and have it shipped to an Amazon locker. But again, beyond the scope here.
Shut down your device, change to the new SIM card, then boot it back up again. Just for the fun of it, go ahead and wipe that used device one more time. Can’t be too over-cautious.
You don’t want to do any of this at home or work where you’re sharing your real IP address. You also can’t use a VPN as that will almost always prevent you from creating accounts. Use a local library, mall, or coffee shop. Try to choose a location that’s not right next to your house, but is close enough to travel to. You’ll be coming back here in the future.
Download and install the following apps in this order:
Ideally, you’ll use a hardware token like YubiKey when possible. It’s not only the most secure method of using 2FA, it’s the most convenient in my opinion. Unfortunately, not every service uses it, so set up Authy (or your chosen alternative) as well.
This is your central email account. You may set up forwarding services or other email accounts later, but you’ll want to have one primary, centralized email account everything else forwards to.
What email service should you use? Well, that’s debatable. You want an account that looks normal (making account creation easier). Privacy-centric email providers like ProtonMail or Tutanota often get flagged. Temporary email services are out of the question, too, as you’ll likely need it in the future. I hate to say it, but my recommendation is:
Yes, I know, it’s Google. Yes, it’s spying on you. Yes, ProtonMail and Tutanota are better. Yes, it hurts me personally to recommend it, hence the lack of bold text.
But if you followed the steps above, it’s not connected to you anyway. And since you’re only using it for sock puppet accounts, you shouldn’t really care what information it has about ‘you’. Plus, you’ll probably end up using a Google Voice number here soon, so bite the bullet and set up a Gmail account.
See, I told you you’d be setting up Google Voice. Yes, there are better options like MySudo. You could even go through the hassle of manually purchasing numbers direct from Twilio. If you have the time and patience to, feel free. But Google Voice is quick, easy, free, and you don’t care if your persona’s info is tracked anyway. Just pick your poison and create a VOIP number so you’re not reliant on Mint Mobile.
You should have everything you need to build your accounts, be it on Facebook, Twitter, LinkedIn, Instagram, etc. Take your time, create each account from start to finish, and store all the information in your password manager during creation, in this order:
Only once you’ve created your account, and have confirmed you can log in using Authy for 2FA, should you move on to building the profile.
Spend some time building up your profile. Imagine you were actually that person you’re pretending to be… what would they do? Do those things. At the very least, be sure to:
Now stop. Don’t overdo it.
Log out of this account and move on to the next account you want to create. Wash, rinse, repeat.
Congrats, you did it! You have working sock puppet accounts! Now, do you want to have to go through all that again in a day or two?
Didn’t think so.
Nothing will completely prevent your accounts from getting shut down, but you can make it less likely by aging them. Try not to use them for a few days, ideally a week. Let them simmer.
Then, go back to the same place you created them. Connect to that same public Wi-Fi. One by one, log in to each account and engage other users like your persona would.
Follow more topics.
Like and share posts.
Make some comments.
Follow people and request connections.
Teach the service provider that ‘you’ are a normal person, doing normal things, and it will be less likely to lock you out in the future. Once you’ve done all that, log out of everything and let it age for another week.
You should now be good to go. Your accounts are created and reliant only on your VOIP number and software-token 2FA. Your profiles look real to humans and pretty legit to algorithms as well. Feel free to go forth and OSINT.