Sock Puppets as Bad Actors

By Mariel Klosterman

Junior at Beacom College of Computer and Cyber Sciences, Dakota State University

When you search “sock puppet accounts” using Google, there are a few definitions that show in the search results, and they all follow a common theme. The most common definition is found on Wikipedia’s entry: A sock puppet or sockpuppet is an online identity used for purposes of deception. Daniel Kats, Senior Principal Researcher for NortonLifeLock Research, held a similar view in his article, “Identifying Sockpuppet Accounts on Social Media Platforms:” “We define a sockpuppet as a fictitious online identity created for the purposes of deception.”

Sock puppet accounts are mainly known to those outside the information security field as accounts used for disinformation purposes, such as swaying your opinion about a topic or a product. However, this is not the only way to use a sock puppet account.

For the purposes of this discussion, the following definitions will be used:

• Sock puppet account: An account created for a disingenuous purpose (that is, for a purpose other than what it is meant to be used for). More commonly known as a fake account or alternate account.
• Puppeteer: A person who creates sock puppet accounts for either benign or malicious purposes.
• Malicious actor: A person who, through any means, threatens or attempts to threaten the security of an individual or company for malicious purposes.

In this 4-part blog series, up-and-coming cybersecurity researcher Dakota State University Junior, Mariel Klosterman, describes the how sock puppets are used by malicious actors and OSINT investigators, types of sock puppet accounts, and how to create a sock puppet for information collection. This week she explores how sock puppets can be used to cause damage to reputation and financial stability.

Sock Puppets as Bad Actors

One may think that sock puppeteers only target high-profile subjects such as celebrities or Fortune 500 companies. However, a malicious actor can use sock puppets to target people in your profession, your business, and you as a person, regardless of who you are or what you do.

In a video by YouTuber Emily Artful, Emily claimed that an ex-boyfriend and his girlfriend used a multitude of sock puppet accounts to harass and bully her through social media accounts and comments left on her videos. The pair also used the social engineering tactic of connecting one of their sock puppet accounts with numerous friends that Emily had and used that to convince Emily that she knew them. She also claimed that they phished her and locked her out of her Facebook account. While it is an alleged story, it is an illustrative example of how sock puppets can be used against a person.

In another video by Emily Artful, she described how someone posing as her was requesting art supplies from companies in return for a video review. They referred the companies to Emily’s YouTube channel, claimed that the listed email address was wrong, and provided another email to the company. Some companies realized that something was not right and contacted Emily via the email address from her channel. However, other companies were not so fortunate. Many were small or medium-sized companies—some actually hand-mixed the paint—and felt the financial impact from the loss.

On April 14th, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released an alert discussing recent reports from Google and Microsoft regarding targeted attacks on security researchers. The malicious actors created sock puppet accounts as well as websites and posed as security or exploit researchers. The sock puppets reposted high-quality content and posted about their own exploit research located on their website. After they built enough of a following, the sock puppets would contact security researchers and offer to collaborate on a new exploit. If the security researcher went to the website, a browser exploit would attempt to run malicious code. Another option was that the malicious actor would send a Visual Studio project to the security researcher. Once opened, the project would run malicious code.

It is a reminder that whether in your personal life, career, or business, malicious actors’ use of sock puppets can have devastating effects on you. However, sock puppets are like any other tool: They can be used for ethical or malicious purposes. While it is true that many sock puppets are used to spread disinformation or lies, they can also be used to find information that helps protect a person or a business or find a missing person. One such way is Trace Labs, a nonprofit organization that uses OSINT (sock puppets, in particular) to help find missing people. In the following section, we explore how sock puppets can aide OSINT investigators.

Like what you’re reading? Download the entire Hg Summer Factsheet, 21st Century Sock Puppets: Pulling the Wool Over on You, for free today!

Mariel Klosterman, a junior at Dakota State University, is currently majoring in Network and Security Administration. Her areas of interest are defensive security and open-source intelligence (OSINT). Ms. Klosterman has conducted significant research relating to sock puppet accounts, which are an integral part of OSINT and digital investigations. She has organizational experience writing security policies, conducting security assessments, and implementing data protection controls and training. She is an accomplished speaker, presenting on a wide range of topics in the cyber arena to local professional groups including InfraGard South Dakota. Ms. Klosterman is passionate about security and enjoys sharing her knowledge and skills working for CybHER. Check out her latest projects at www.linkedin.com/in/marielklosterman.