Creating a Sock Puppet

A sock puppet is a fake account which can be used to hide the true identity of the owner for operational security reasons (used by both attackers and security researchers).

They can be used for passive recon, active engagement, or honeypots. Passive recon sock puppets are often used by researchers or private investigators to keep their target from knowing who is looking at their social media accounts. Nation state actors, or researchers seeking access to cybercriminals' dark web forums, often use active engagement to solicit sensitive information or build connections. Honeypots are commonly created by corporations to lure cybercriminals and filter BEC attempts directly to the security team.

Usually, creating a fake person will violate the terms of service for most social media platforms, so if your goal is anything other than academic research purposes, it's probably worth re-thinking. Additionally, impersonating a real person can often violate laws in the USA and other countries (particularly if that person is law enforcement or military).

There are two tracks to follow when creating a fake person. Either you're creating a fake identity - someone who appears to be a real person, but doesn't actually exist, like 'Norm Smith' - or an avatar of a person based around an idea - such as a Twitter persona like '@ChristmasFan'. They're not pretending to be a complete representation of a person, just someone who likes Christmas a lot and can authentically participate in discussions.

The first option is significantly more difficult, as you'll need an identity to support the fake persona - other social media accounts (with a fairly extensive history), other online accounts, information to support this identity. Also, if at any point someone figures out that this person isn't real, you'll have to start completely over. The second option is a little easier, since you won't necessarily have to create an identity around it, but that also limits its effectiveness in certain scenarios.

Corporate honeypots are the easiest of the bunch, as they can be as simple as a fake LinkedIn profile with a corporate email address that silently forwards all requests to the security team (easy to set up if you work for the organization's security team), though they can also be set up as fully formed sock puppets, depending on the needs of the organization. For more detailed information on setting up corporate honeypots, check out this article.

When setting up a sock puppet, it's important to first think about your goals. Most people don't need a system which can stand up to intense scrutiny from nation states (though if you do, go the Michael Bazzell route), and can be slightly more relaxed about how they hide their presence. So, first, figure out your own threat model. What is your goal in setting up a sock puppet? Which threat actors are you worried about?

Once you've figured this out, you're ready to get started.

Figure out money:

  • Extremely Secure: Anonymously buy bitcoins or other cryptocurrencies via a local swap. As bitcoin isn't truly anonymous, and large transactions can raise red flags, keep transactions relatively small. Alternatively, buy Visa gift cards in cash.
  • Cutting Corners: Use privacy.com to mask your credit card when making purchases.

Set up a clean computer:

  • Extremely Secure: Buy clean hardware with Bitcoin/Monero/other cryptocurrency on a dark web marketplace, arrange a dead drop and pick up your new (very clean) device. Then, use an operating system like TAILS, which is designed for privacy (or get an iPhone or Android on the same dark web marketplace and use a Tor-powered Onion Browser).
  • Cutting Corners: Spin up a clean virtual machine (VM). Alternatively, buy a Raspberry Pi or cheap laptop on Amazon (using a burner (single-use) Amazon account, where you can ship to an Amazon pick up box and pay with a Visa gift card or a card from privacy.com).

It's probably also a good idea to install a couple of Chrome extensions to help you remain anonymous. I like AdBlock, uBlock Origin and Disconnect Me.

Get a clean phone number:

  • Extremely Secure: Buy a pre-paid phone in cash in a store without security cameras. Ideally you would pick up several SIM cards in different countries, all in cash (there's a great SIM card vending machine at JFK airport in NYC). If you do go this route, don't forget to activate the card before leaving the country you bought it in, and ensure you keep it active (some countries will return numbers to circulation if they aren't used semi-regularly).
  • Cutting Corners: Set up a free phone number with Google Voice or an app like MySudo. Note that some online services no longer accept these types of phone numbers for 2FA. If you're interested in this route, and in the United States, one of the easiest options is Mint Mobile SIM cards, which you can get either in a store or on Amazon (using a burner Amazon account, where you can ship to an Amazon pick up box and pay with a Visa gift card or using a card from privacy.com). These come with a limited-time free trial, which you can use to set up 2FA, then switch to a VoIP number.

If you're creating multiple sock puppets, make sure you track which number goes with which sock puppet - each will need a separate number, otherwise you'll contaminate the identities.

Secure the Identity:

  • Extremely Secure: Don't use more than one identity on a single device.
  • Cutting Corners: Don't use more than one identity on a single VM.

Using multiple aliases on a single machine will inevitably link them, contaminating each identity and ruining their ability to be truly independent. This needs to be maintained for the life of the alias - you need to ensure everything you do on that device or VM is consistent with the alias you've created. Ensure you don't download the wrong software, give out the wrong information, or connect to the wrong Wi-Fi network or site while using another alias's device.
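The tracking advice above (one number per sock puppet, one identity per device or VM) can be checked mechanically. The following is an added example, not part of the original article: it audits a constructed inventory and reports every shared resource plus the clusters of personas it links, including transitive links. The persona names, field names and values are all assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: persona -> resources it has touched.
# Every name and value here is made up for illustration.
INVENTORY = {
    "persona-a": {"phone": "+1-555-0100", "device": "vm-01", "payment": "card-1"},
    "persona-b": {"phone": "+1-555-0101", "device": "vm-01", "payment": "card-2"},
    "persona-c": {"phone": "+1-555-0101", "device": "vm-03", "payment": "card-3"},
    "persona-d": {"phone": "+1-555-0103", "device": "vm-04", "payment": "card-4"},
}


def shared_resources(inventory):
    """Return {(kind, value): sorted personas} for resources used by 2+ personas."""
    users = defaultdict(set)
    for persona, resources in inventory.items():
        for kind, value in resources.items():
            users[(kind, value)].add(persona)
    return {res: sorted(p) for res, p in users.items() if len(p) > 1}


def linked_clusters(inventory):
    """Group personas linked directly or transitively (union-find)."""
    parent = {p: p for p in inventory}

    def find(p):
        while parent[p] != p:
            parent[p] = parent[parent[p]]  # path halving
            p = parent[p]
        return p

    # Each shared resource merges all of its users into one cluster.
    for personas in shared_resources(inventory).values():
        for other in personas[1:]:
            parent[find(other)] = find(personas[0])

    clusters = defaultdict(list)
    for p in inventory:
        clusters[find(p)].append(p)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)


if __name__ == "__main__":
    for (kind, value), personas in shared_resources(INVENTORY).items():
        print(f"shared {kind} {value}: {', '.join(personas)}")
    for cluster in linked_clusters(INVENTORY):
        print("linked cluster:", ", ".join(cluster))
```

In the sample data, persona-a and persona-c never share anything directly, yet they land in the same cluster because each overlaps with persona-b.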

Now, you're ready to create a persona!
