From Sock Puppets to Puppet Masters
Passive Open Source Intelligence (OSINT) collection through unsuspected sock puppet accounts that keep a low profile can take an investigation very far. But what happens when the information you need is not available online and cannot be obtained through passive reconnaissance? What happens when you need to incorporate a few HUMINT (Human Intelligence) techniques in order to elicit and collect the information that will be able to resolve your case? And what happens when your sock puppet account needs to be able to get noticed, attract the target and cause them to engage? This is where you start to play with smoke and mirrors.
Disclaimer: This blog post focuses on investigations that involve active reconnaissance and HUMINT collection. It mainly addresses investigators that have been legally authorized to conduct active reconnaissance and covertly engage their targets.
What is active reconnaissance?
First, there needs to be a clear differentiation between active and passive reconnaissance. OSINT activities most often fall under the category of passive reconnaissance. This means that the researcher/investigator is producing intelligence by accessing information that is publicly available. Therefore they are not directly interacting with the subject of their investigation and stay mostly unnoticed. In active reconnaissance however, the investigator IS meant to engage with their target in some way and they will get noticed.
When it comes to creating sock puppet accounts, the characteristics of passive VS active sock puppets are as different as the types of reconnaissance they aim towards. There are plenty of blog posts written about sock puppet accounts that are built to conduct passive reconnaissance. We will focus on the active ones. Active sock puppet accounts will get noticed. You want them to. They involve much more risk, which is why the investigator needs to be much more diligent with their operating security (OPSEC) both during the creation and while using their active sock puppet.
Active sock puppets are used during an investigation when the information collection needs go beyond what can be found publicly available through OSINT. This is when OSINT partners up with HUMINT. The marriage of these disciplines involves utilizing OSINT and HUMINT techniques to engage a target and elicit information essential to the facilitation or resolution of a case. They are also used for investigations that involve infiltrating a criminal group/organization. In this blog post, the focus goes on developing the right persona for a honeypot sock puppet account.
What is a Honeypot Sock Puppet Account?
A honeypot sock puppet account’s goal is not to initiate contact with their subject but rather, to attract the target into initiating contact with “it” first. This approach comes with a multitude of benefits, most of which have to do with the trust advantage that an investigator gains by having their target contacting them first.
Active sock puppets should NOT be used by volunteers, hobbyists, or anyone wanting to support the #OSINTforgood movement, as this could damage ongoing investigations, break the ethical code of conduct on multiple levels, and the sock puppet owner/user could get into legal trouble. Active sock puppet accounts should be used by professional investigators that have been legally authorized to engage with their targets.
Gaining a Trust Advantage
In most cases, when a stranger online (or in-person) approaches another person, there are a few thoughts that immediately come up: “What do they want from me?”, “Is this person a threat?”, “How long will this take?”, “What do I get out of this interaction?”
These are all mental guards that are in place to protect us. But when you have a trust advantage in place before or during the initial interaction with your target, these mental guards are either weakened or completely taken down. When an undercover investigator starts engaging a target, they need to have this in mind and work to overcome this obstacle.
There are 3 main ways in which your sock puppet account could approach a target (view image below). Which one do you think could give an investigator the biggest trust advantage?
The truth is that there is never just one way, and that the answer will depend on other parameters too, such as the naturally existing time constraints of the investigation. But if you have the luxury of time, a combination of the 2nd and 3rd approaches would provide the biggest trust advantage.
Whether you intend to directly approach or be approached by a target, having being noticed by them in advance can provide some very advantageous investigative benefits. Most importantly, your subject will perceive you as less of a threat and you will have fewer mental guards to fight with. Anyone who has ever worked in human intelligence gets goosebumps just by the thought of this.
You can initiate this process by starting to interact with accounts that your target associates with, likes, supports, or belong to their close friend circle, and not with your target. Interact more with the posts that do not receive much attention from others, as this will make your sock account stand out and get noticed faster. If you comment, make sure that the opinions you express are in alignment with the projected mentality of the account owner and the one of your target’s.
Here is what this will do for you:
· The algorithm will soon do its job and make your account or posts visible to your target. Your appearance in their timelines can occur on a regular basis, depending on how often your sock puppet interacts with the associates of the target(s).
· This visibility will subconsciously breed a sense of familiarity. The target might notice your sock and ignore it at first, or find it intriguing enough to engage faster- it depends on their personality. The more visibility & familiarity you breed in advance, the less threatening the target and their associates will perceive you, and the bigger the chances of accepting you in their “environment”. Remember, the virtual environment we build is a type of personal space. In crime pattern theory, this is called the “awareness space” of a target — your goal is to insert something in that space that will trigger them to engage with your sock puppet.
· If your sock puppet persona projects the target’s victim typology, they will feel the urge to approach you. If it projects the right persona, it will work like an almost natural magnet.
“But what would make someone notice my sock account?”, I hear you ask.
Building The Honeypot Persona
Criminal investigators know very well that in most recurring offenses there are crime patterns. These do not only have to do with the method and the circumstances under which someone commits a crime, but also with the victims they choose.
Years of forensic studies and research points out to the finding that often, the victims of a recurring offender will tend to share very similar characteristics. Often these characteristics are unique to the offender. Many perpetrators tend to have a victim typology, or in other words an “ideal victim” that triggers them the most and they feel the need to victimize. However, similarly, the victims of a specific type of crime also tend to share similar characteristics. We won’t go into the why this happens here, as this is labyrinth that leads into the abyss.
Victim typology refers to both physical characteristics and attributes but it could also include behavioral ones.
How can you know what your target’s ideal victim would be?
Sometimes this information is found through closed sources. If there are reports on previous offenses the individual/group is suspected for, there should be some patterns that can be found by analysing the victims in previous reports or other closed sources.
If you do not have information coming from closed sources, you can rely on open sources to create the sock account’s persona and aim to achieve the highest probability of getting noticed. How?
· Do your homework. There is plenty of scientific research available online on the victim typology that is associated with different crime types, both in terms of physical and behavioral characteristics. This should provide you with some first ideas.
· Observe your target and their online behavior. Do they state their preferences? Try using the advanced search option of their social media platforms. Research their profile through keywords like “my favorite", "can’t resist”, “my weakness”, and other emotionally loaded words/ statements that reveal their preferences. Rely your assumptions on recurring patterns, if possible. You may also observe their interactions. Which types of people are they particularly warm towards? Which ones do they try to intimidate? Even if you do not identify their “ideal victim” typology, you will identify the type of people they like to interact with.
Small pieces of information can paint a pretty detailed image, once the pieces of the puzzle start coming together.
· If you do not target a specific person but a group of people, rely more on their general victim typology. Make sure to create your honeypot accounts/ ads on the platforms these groups frequent. For example, it is not rare for law enforcement to trap pedophiles by pretending to be parents of young children, willing to make them available to other adults on some shady websites. The perpetrators initiate contact first, while the investigators respond and engage them in conversation. In this conversation they will utilize HUMINT techniques to elicit information on the perpetrator’s preferences, modus operandi, admissions of other acts etc. They maintain their cover throughout the operation while the chats end up in evidence. Once the person behind the account is identified and a meeting “to meet the child” is arranged, they have grounds to get them arrested.
· Avoid looking like a neutral account — your sock puppet persona needs to have a flavor. Specifically, the one your target likes.
· Figure out the look and behavior of your target’s most dominant victim typology or the type of accounts/people they like to interact with.
· Make your persona reflect the above stated characteristics first in appearance, and then in behavior. Reflect, but do not imitate or copy.
· People evaluate appearances first, and make subconscious decisions about whether the account whose profile they have visited looks trustworthy (admit it, you have done it too). Therefore make sure to have visual elements that support the persona you are trying to build and to interact in a natural fashion.
· Maintain a long-term perspective. You cannot have a week-old account and expect to look trustworthy. Make sure you maintain this sock account for quite some time.
· Create other online content and social media accounts and breathe more realness into your online persona through different platforms. Remember that your target may do a background check on who the person they engage with is, and it would be good If they found some other social profiles or forum contributions from your fake persona.
In our class “Fundamentals of Cyber Investigations & Human Intelligence”, I often ask our students which of the following 4 personas they would choose if they wanted to create a honeypot sock puppet account that would attract love scammers to engage with them. These were the options (pictures taken from thispersondoesnotexist.com):
The answers vary greatly, but most often they pick the persons depicted in picture 1 or 3 with the reasoning that these pictures would gain their attention and that they seem to be the faces that would attract a man’s attention at first sight. Although anyone could be a target, in terms of probabilities, the women depicted in pictures 1 & 3 are not reflecting the characteristic of the most frequently approached victims of romance scammers. The reasoning “I personally would want to approach the person in picture X” is fundamentally flawed because it lets personal assumptions or preferences impact the selection of the sock puppet persona.
On the other side of this, there is plenty of publicly available research on who a romance scammer would actually choose to approach and victimize. The research reveals both physical and behavioral/psychological attributes of the type of people romance scammers perceive as the most “vulnerable” to victimize. For example, the paper below gives plenty of insights that could help an investigator create a fitting honeypot sock puppet persona:
Different research papers point out to similar findings: The most dominant victim typology is middle-aged women, around 40–60 years old. The scammers would not necessarily look for a wealthy victim but for a fragile and susceptible one, that does not seem to receive much attention from other males and potentially feels lonely and seeks attention. These are the characteristics that an effective honeypot sock puppet account should reflect in this case.
Of course this is a simplified scenario. In other investigations sock puppet accounts might need to act as honeypots for specific victims. Or they might need to initiate contact with a specific target and/or infiltrate a specific group. The sock puppet creation involved with approaching and engaging with specific targets is much more complex and requires most attention.
We discuss the characteristics that are necessary for these types of sock puppet account creation and their respective operational process in our online class “Fundamentals of Cyber Investigations and Human Intelligence” that Samuel Lolagar & I have created.
If you are a law enforcement investigator, threat analyst, criminologist, fraud analyst, investigative journalist or a curious intelligence professional interested in learning more around intelligence collection & analysis take a look at our upcoming 1-day, online interactive course delivered on the 6th of May, 2021.
We will be teaching essential techniques & methodologies in Open Source Intelligence (OSINT), Social Media Intelligence (SOCMINT) and Human Intelligence (HUMINT) and on how to combine the three disciplines for optimal results using examples and exercises.
To view the course outline and to register you may visit: https://fcihi.teachable.com/p/signup