You’re not real without your phone! At least, that seems to be the conclusion much of the internet has reached. When so much of the online ecosystem revolves around tracking and selling your personal data, there are very real financial concerns when it comes to validating the identity of users for major social platforms. Unfortunately, blending in online isn’t quite as simple as rearranging the lattice of nanocrystals in one’s iridophores (it’s a chameleon thing).
You don’t have to hang around long in the Open Source Intelligence (OSINT) world to become familiar with the term “sock puppets”. Think of them like undercover agents for online investigations. Using these fake identities, investigators can gather information online without blowing their cover, or gain access to areas of the internet not accessible using their real identity. Trace Labs offers a tutorial on setting up sock puppets in preparation for their capture the flag (CTF) search party events, “Introduction to Setting up Sock Puppets for OSINT”. While we won’t discuss them here, there are definitely ethical and legal considerations to keep in mind when creating and using sock puppets.
As discussed in Trace Labs’ introductory video, various considerations need to be made when creating a sock puppet, including the level of anonymity. If anonymity is less of a concern, then utilizing your usual email or wireless provider for contact information to create the sock puppet should pose less of an issue and simplify the creation process; however, I wanted to investigate the creation of a more persistent profile.
One of the more common mistakes in anonymizing your sock puppet is exposing your public IP address. Various methods exist for hiding it, though they all involve some sort of proxy. For my research, I used a free VPN called Windscribe; however, a more secure and private method would be to utilize an OS like Tails in combination with The Onion Router (Tor). That being said, many sites may flag you just for coming from known Tor exit nodes or VPN sites. I guess they get spooked just when you line up to take a shot at ‘em. More secure isn’t always the better option.
Next you will want to set up an email account, since just about every site requires one. A throwaway ProtonMail or Outlook address should not be too hard to acquire, amongst several other available options. Just like with IP addresses, your email domain matters to your target social media vendors. Whereas a ProtonMail address might trigger a number of red flags, a Gmail account would be gold in many situations (though a lot harder to get anonymously). Some email providers will require a secondary means of verification in order to create your account. If they ask to verify via email, there are plenty of temporary email mailboxes online which can be used to get you started; however, if they ask for a phone number, well… that’s where it starts to get pretty tricky.
Whether it’s creating your anonymous email or the social media account itself, the phone number is the hardest part to bypass without putting real money down. Like the temporary email accounts mentioned in the previous paragraph, various websites do offer temporary short message services (SMS); however, most of these sites are so trolled by bots that it takes a lot of luck and a good bit of persistence to find a number that hasn’t already reached the maximum number of times it can be used to verify an account (assuming it’s a legit and active number in the first place). Many websites prevent the use of voice over IP (VoIP) numbers, such as Google Voice, for verification purposes. If you are really serious about anonymity, it’s probably best to go ahead and fork over the money for a burner phone. Just be careful: even the process of buying a burner phone requires certain precautions to remain truly anonymous.
Aside from the email and phone verification techniques, there were a few unique validation procedures I came across. One of the more notable ones requires the user to take a selfie holding a sheet of paper with the user’s real name, username, and a one-time code generated by the site, and to upload the selfie to the website. Other variations might require specific gestures in the selfie. Challenges like these add an additional layer of complexity, but they are nothing a little Photoshop can’t easily bypass.
Not surprisingly, certain sites were much more difficult than others to create sock puppets on. I am not in the business of public shaming, so no names will be mentioned here. Let’s just say this chameleon will be much more skeptical of certain connect/friend requests in the future, based on the platform. Creating believable sock puppets, as well as spotting them, may just be a good subject for a future article. No promises!