By Mariel Klosterman

Junior at Beacom College of Computer and Cyber Sciences, Dakota State University

When you search “sock puppet accounts” using Google, there are a few definitions that show in the search results, and they all follow a common theme. The most common definition is found on Wikipedia’s entry: A sock puppet or sockpuppet is an online identity used for purposes of deception. Daniel Kats, Senior Principal Researcher for NortonLifeLock Research, held a similar view in his article, “Identifying Sockpuppet Accounts on Social Media Platforms:” “We define a sockpuppet as a fictitious online identity created for the purposes of deception.”

Sock puppet accounts are mainly known to those outside the information security field as accounts used for disinformation purposes, such as swaying your opinion about a topic or a product. However, this is not the only way to use a sock puppet account.

For the purposes of this discussion, the following definitions will be used:

  • Sock puppet account: An account created for a disingenuous purpose (that is, for a purpose other than what it is meant to be used for). More commonly known as a fake account or alternate account.
  • Puppeteer: A person who creates sock puppet accounts for either benign or malicious purposes.
  • Malicious actor: A person who, through any means, threatens or attempts to threaten the security of an individual or company for malicious purposes.

In this 4-part blog series, up-and-coming cybersecurity researcher Dakota State University Junior, Mariel Klosterman, describes the how sock puppets are used by malicious actors and OSINT investigators, types of sock puppet accounts, and how to create a sock puppet for information collection. This week she explores two types of sock puppet accounts.

A sock puppet account allows the puppeteer to act in ways that will not be tied directly back to the creator of the account. There are generally two types of sock puppet accounts: Information Distribution and Information Collection.

Information Distribution

These accounts are most often labeled “sock puppet” and gain more publicity than Information Collection sock puppets. Many articles discuss Information Distribution sock puppets, which is how many people are aware of their use for malicious purposes (See Resources at the end of this FactSheet). Often, more than one of these “fake” accounts will be created to carry out the puppeteer’s mission. After creating these accounts, the puppeteer uses these puppets to spread either good or bad opinions about the target. Some examples include Lee Seigel, R.J. Ellory, and Orlando Figes. Sometimes this type of account is used to spread media often found to be propaganda.

Information Collection

These accounts, not as highly publicized, collect information on targets instead of spreading information about them. Depending on the level of detail put into the creation of the sock puppet, the account can appear to be that of a living person. These accounts are often created to access content only available to members on a specific platform. Depending on whether the puppeteer is conducting active or passive reconnaissance, the puppeteer may decide to have their sock puppet interact with the target. This type is often used by open source intelligence (OSINT) investigators or people conducting reconnaissance on a specific target.

Given that 50.64% of people across the globe use social media (~7.82 billion people), this is a good way to find information on a target, especially since many are not mindful of the information they put out and, in doing so, often overshare.

Like what you’re reading? Download the entire Hg Summer Factsheet, 21st Century Sock Puppets: Pulling the Wool Over on You, for free today!

Mariel Klosterman, a junior at Dakota State University, is currently majoring in Network and Security Administration. Her areas of interest are defensive security and open-source intelligence (OSINT). Ms. Klosterman has conducted significant research relating to sock puppet accounts, which are an integral part of OSINT and digital investigations. She has organizational experience writing security policies, conducting security assessments, and implementing data protection controls and training. She is an accomplished speaker, presenting on a wide range of topics in the cyber arena to local professional groups including InfraGard South Dakota. Ms. Klosterman is passionate about security and enjoys sharing her knowledge and skills working for CybHER. Check out her latest projects at www.linkedin.com/in/marielklosterman.