Register for our next deep dive! Who is Behind Portal Kombat? Exposing the Pravda Disinformation Machine with OSINT on Thursday, June 27, 2024, at 16:00 CET. Grab your spot now! close
22 Aug 2023

How to Use Sock Puppet Accounts to Gather Social Media Intelligence

Daphnée Aguilar

It’s another day operating as an open source intelligence (OSINT) analyst, engaging in digital exploration and online observation of a target person’s social media presence. Yes, there is a euphemism for endlessly scrolling in search of meaningful information for an investigation. And it can be all fun and games until you hit the “like” button under a post at 54 weeks deep. Your heart stops. Your palms are sweaty. Then you remember you’re using a sock puppet account, and the sky is blue again.

This is one of the most common scenarios that an OSINT analyst may face while gathering open source information for an investigation, and it would be terrible if that “like” came from any of our personal accounts.

The second worst-case scenario is that we are indeed using a sock puppet account, but that the target is a tricky one. Oftentimes, a target person may be overly cautious, and decide to look into the curious person behind our follow/friend request – and we, on the other side of the sock puppet, have zero friends, posts, or connections. This would be a large setback, and could set us far, far back.

In this article, we will share useful tips and tricks with all of you, our dear sock puppet accounts managers, on the appropriate operational security measures to take while gathering gated social media information. We also highlight the types of information that can be collected through sock puppet accounts while ensuring the safety of both the investigators and their organizations.

Table of Content 🔗︎

Where to Collect Social Media Information 🔗︎

To succeed in gathering social media intelligence (SOCMINT), start by identifying relevant information and objectives for your search. You should explore various platforms and public databases that aid comprehensive investigations. The key ones to focus on are:

Where to Collect Social Media Information

Investing time to understand a social media platform may seem daunting, but it’s a worthwhile endeavor. Understanding the use of these social networks adds an extra layer of security to our operations.

What Social Media Intelligence (SOCMINT) You Can Collect

The availability of this information may vary depending on individual privacy settings, platform policies, and the content users choose to share.

Passive SOCMINT 🔗︎

Some social media platforms allow users to see the target’s information and activities but will notify the target that someone has visited their profile (e.g. LinkedIn). This is one of the reasons why we need to have our sock puppet accounts from different social media platforms ready to go. Even if you are simply browsing for information, you need to make sure to do it without revealing your identity.

Active SOCMINT 🔗︎

On some social media platforms, the content we need–posts, stories, contacts–are not accessible due to the targets’ privacy settings. In the case where we must interact with the target in some way (for example, sending a friend request) to obtain access, we are employing the active SOCMINT technique.

Whether your chosen approach is passive or active, you should always navigate with the idea that all online activity can be monitored and identified. Understanding the functionalities and privacy settings of each platform gives us a huge advantage when using it for investigative purposes. Mastering the workings of these social media sites and platforms will optimize OSINT and SOCMINT investigations and provide optimal results.

Must-Do Checklist Before Diving into Investigations Using Sock Puppet Accounts 🔗︎

If you haven’t yet set up your sock puppet accounts, this article might be beneficial for you to read first, Creating Sock Puppets for Your Investigations. Now that you’re all set, let’s get started in the next steps to make your sock puppet accounts as safe and legitimate as possible:

How You Can Improve Your Sock Suppet Account

1. Immediately review and set privacy settings for the platform to limit information visibility: 🔗︎

  • Take the time to carefully work through each individual platform’s privacy settings, and configure these to restrict the amount of personal information visible to others.
  • Carefully adjust who can see your posts, personal details, and contact information to minimize exposure to the public and potential adversaries.

2. For passive research, keep the account completely locked down and avoid making the profile public: 🔗︎

  • If you’re conducting passive research and don’t intend to engage with others, it’s best to keep your account private and locked down.
  • By limiting access to your profile, you reduce the risk of unwanted attention or intrusion while still being in a position to observe others’ public content.

3. For active research, create a realistic profile with a suitable backstory, and ensure that it resembles that of a real person: 🔗︎

  • When engaging in active research, such as interacting with subjects, it’s crucial to create a credible and believable profile.
  • Craft a backstory for the profile that aligns with the persona you want to portray and ensure that it matches the platform’s user demographics.
  • Ensure your profile has enough friends, followers, and activity to appear authentic, as sparse profiles may raise suspicion.

4. Use generic landscape photos rather than someone else’s identity, and be cautious with stock images: 🔗︎

  • Avoid using pictures of real people, especially without their permission, as this can lead to identity theft concerns and legal issues.
  • Opt for generic landscape photos or images that don’t reveal any specific personal details to safeguard your own privacy and respect others’ rights.
  • Be cautious when using stock images as some social media algorithms can detect their use, potentially leading to account suspension or scrutiny.
  • Once your profile is set up, engage in natural activities that reflect how a real person would use the platform.
  • Post links to articles or content of interest, like pages related to your profile’s interests, and participate in discussions to appear authentic.
  • Mimicking genuine user behavior will help convince the platform and other users that your account represents a legitimate user rather than a fake or malicious entity.

How to Use Maltego in Combination with Sock Puppet Accounts 🔗︎

Using Maltego in OSINT and SOCMINT investigations is a safe way to collect information.

Through the use of Maltego, we can gather a significant amount of the information we need in a discreet manner, without the need to directly visit social media sites. This is made possible by utilizing different connectors to consolidate data. However, there are times when delving deeper into social might require the use of proxy accounts, commonly referred to as sock puppet accounts.

In the Properties window of each returned Entity on the Maltego graph, you can find links to the source of the information retrieved, such as the original social media profiles. Visiting the original account may be beneficial and allow you to gather additional information about the target, or simply to verify if this account contains the data you are looking for.

It’s not a bad thing to be switching between Maltego and the browser of your preference. An instance of additional information that we might come across involves the target incorporating data or details about their presence on different social media platforms within their profile description.

In our example, we will start with an Instagram Entity. Here, you can paste the complete ID, Alias, or URL of the Entity you want to investigate.

Now, you will be able to run a Transform to see the Name and Properties of the account of interest.

In this case, the Transform result tells us that this account belongs to Taylor Swift. From here, you may look into other details of the account in question and pivot further to Followers, Following, and other pieces of information that are pertinent to your investigation.

Stay Safe During SOCMINT Investigations with Sock Puppet Accounts 🔗︎

To help you conduct a thorough check on whether your sock puppet operation is properly set up and running, we put together a checklist that you can download. This checklist includes all the steps mentioned above and more tips and tricks to try out.

Download the checklist and share it with your team now!

Download the resource

DE +49
Albania +355
Algeria +213
Andorra +376
Angola +244
Anguilla +1264
Antigua And Barbuda +1268
Argentina +54
Armenia +374
Aruba +297
Australia +61
Austria +43
Azerbaijan +994
Bahamas +1242
Bahrain +973
Bangladesh +880
Barbados +1246
Belarus +375
Belgium +32
Belize +501
Benin +229
Bermuda +1441
Bhutan +975
Bolivia +591
Bosnia and Herzegovina +387
Botswana +267
Brazil +55
Brunei Darussalam +673
Bulgaria +359
Burkina Faso +226
Burundi +257
Cambodia +855
Cameroon +237
Canada +1
Cape Verde +238
Cayman Islands +1345
Central African Republic +236
Chile +56
China +86
Cote d'Ivoire +225
Colombia +57
Comoros +269
Congo +242
Cook Islands +682
Costa Rica +506
Croatia +385
Cuba +53
Cyprus +90392
Czech Republic +42
Denmark +45
Djibouti +253
Dominica +1809
Dominican Republic +1809
Ecuador +593
Egypt +20
El Salvador +503
Equatorial Guinea +240
Eritrea +291
Estonia +372
Ethiopia +251
Falkland Islands (Malvinas) +500
Faroe Islands +298
Fiji +679
Finland +358
France +33
French Guiana +594
French Polynesia +689
Gabon +241
Gambia +220
Georgia +7880
Germany +49
Ghana +233
Gibraltar +350
Greece +30
Greenland +299
Grenada +1473
Guadeloupe +590
Guam +671
Guatemala +502
Guinea +224
Guinea-Bissau +245
Guyana +592
Haiti +509
Honduras +504
Hong Kong +852
Hungary +36
Iceland +354
India +91
Indonesia +62
Iran, Islamic Republic of +98
Iraq +964
Ireland +353
Israel +972
Italy +39
Jamaica +1876
Japan +81
Jordan +962
Kazakhstan +7
Kenya +254
Kiribati +686
Korea, Democratic People's Republic of +850
Korea, Republic of +82
Kuwait +965
Kyrgyzstan +996
Lao People's Democratic Republic +856
Latvia +371
Lebanon +961
Lesotho +266
Liberia +231
Libyan Arab Jamahiriya +218
Liechtenstein +417
Lithuania +370
Luxembourg +352
Macao +853
Macedonia, the former Yugoslav Republic of +389
Madagascar +261
Malawi +265
Malaysia +60
Maldives +960
Mali +223
Malta +356
Marshall Islands +692
Martinique +596
Mauritania +222
Mauritius +230
Mayotte +269
Mexico +52
Micronesia, Federated States of +691
Moldova, Republic of +373
Monaco +377
Mongolia +976
Montserrat +1664
Morocco +212
Mozambique +258
Myanmar +95
Namibia +264
Nauru +674
Nepal +977
Netherlands +31
New Caledonia +687
New Zealand +64
Nicaragua +505
Niger +227
Nigeria +234
Niue +683
Norfolk Island +672
Northern Mariana Islands +670
Norway +47
Oman +968
Pakistan +92
Palau +680
Panama +507
Papua New Guinea +675
Paraguay +595
Peru +51
Philippines +63
Poland +48
Portugal +351
Puerto Rico +1787
Qatar +974
Reunion +262
Romania +40
Russian Federation +7
Rwanda +250
San Marino +378
Sao Tome and Principe +239
Saudi Arabia +966
Senegal +221
Serbia +381
Seychelles +248
Sierra Leone +232
Singapore +65
Slovakia +421
Slovenia +386
Solomon Islands +677
Somalia +252
South Africa +27
Spain +34
Sri Lanka +94
Saint Helena +290
Saint Kitts and Nevis +1869
Saint Lucia +1758
Sudan +249
Suriname +597
Swaziland +268
Sweden +46
Switzerland +41
Syrian Arab Republic +963
Taiwan +886
Tajikistan +7
Thailand +66
Togo +228
Tonga +676
Trinidad and Tobago +1868
Tunisia +216
Turkey +90
Turkmenistan +993
Turks and Caicos Islands +1649
Tuvalu +688
Uganda +256
United Kingdom +44
Ukraine +380
United Arab Emirates +971
Uruguay +598
United States +1
Uzbekistan +7
Vanuatu +678
Holy See (Vatican City State) +379
Venezuela +58
Viet Nam +84
Virgin Islands, British +84
Virgin Islands, U.S. +84
Wallis and Futuna +681
Yemen +967
Zambia +260
Zimbabwe +263

By clicking on "Access", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

Don’t forget to follow us on Twitter, LinkedIn, Mastodon, and sign up to our email newsletter, so you don’t miss out on updates and news!

Happy investigating!

About the Author 🔗︎

Daphnée Aguilar

Daphnée Aguilar 🔗︎

Daphnée is a Criminologist with more than 10 years of experience as an Intelligence Officer. She specialized in developing actionable intelligence for identifying, preventing, and neutralizing threats and risks from Transnational Organized Crime. Driven by the feminist movement, her last research was on the Effects of Gender and Racial Bias on Gender-Based Violence Policies. She considers herself a professional taco taster.

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.