Stalkers, Sock Puppets, and Security

This blog is a chapter of an unpublished book. I wrote this piece almost two years ago to highlight information security best practices and techniques that can help protect against online threat actors and stalkers. I spent several hours writing this piece with the help of others in the information security community. I wanted to express my everlasting gratitude for @magg_py (go follow her on Twitter). She provided one of the sock accounts and techniques, which will be described below.

Business processes may be impacted by threats like natural events, human error, and cyber-attacks. Threat actors are motivated to steal, alter, or destroy information for various reasons including financial gain, hacktivism, and cyber warfare. To reduce risk to an acceptable level, organizations develop information security policies and implement security controls. International companies, governments, and financial institutions are not the only entities threatened by the abuse of technology for nefarious purposes.

Social media networks have created platforms for people to communicate and share their experiences and ideas on the Internet. People around the world can share content with family, friends, co-workers, colleagues, peers, and acquaintances every day. This information can be used to solve problems, develop solutions, and create awareness. It can also be used by online predators to perpetuate online harassment, psychological abuse, real-life stalking, and even physical violence.

Individuals are frequently the targets of online stalking and harassment. Online predators leverage social media platforms to gain access to their targets, trivialize their target’s experiences and engage in disinformation campaigns. The importance of developing personal guidelines and best practices to detect and identify online predators cannot be understated. The bad news is that online predators are everywhere: Facebook, Twitter, Instagram, Tik Tok, Reddit, and other social media platforms. The good news is that they can be detected and identified. I will refer to online predators as “attackers” throughout the remainder of this chapter.

When you register for an account on a social media platform, there are privacy settings that allow you to control who can interact with you and your posts. If you choose to set each of your profiles to Public, your attack surface—the number of points through which an attacker can enter your environment—is increased. If you choose to set each of your Profiles to Private (a mitigating control), your attack surface is reduced but a residual risk remains. Attackers can use sock accounts to send you a request to “follow” you or gain access to your social media profile and information.

Organizations use Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) with pre-defined signature databases to detect and identify attacks. Humans cannot rely on such technology to efficiently monitor and act upon all our incoming “traffic”. So, we must implement manual processes and procedures to detect and identify attackers. To detect and identify an attacker, you must be able to think like an attacker.

Sockpuppet, otherwise known as “sock”, accounts are fake online identities used to deceive others. Sock accounts play an instrumental role an achieving an attacker’s objective, whatever that may be. There are a few steps an attacker will take prior to registering for a new sock account, including: developing a pretext, creating a fake e-mail address, and getting a burner telephone number.

Attackers use pretexts to present themselves as someone that they are not to obtain personal or private information. Pretexting is the creation of an identity to manipulate the receipt of information from a target. Attackers thoroughly research their targets during the reconnaissance phase to create pretexts that make the sock account’s character appear trustworthy and credible. For example, an attacker targeting women that work in a specific industry sector will use a pretext of a woman entering or transitioning into that industry to appear as a vulnerable and approachable ally. The attacker will engage in low-level activity with the target’s posts and/or followers to gain acceptance and trust.

Sock accounts with pictures of real people or stock photos are more likely to be identified and blocked by an attacker’s targets. A quick reverse image search will crawl the Internet for websites containing the photo and return the results. Experienced attackers use fake pictures to decrease the likelihood of being tied back to their sock accounts. Artificial intelligence systems have been developed that can generate realistic-looking people. Websites like thispersondoesnotexist.com are frequently utilized for the purpose of creating sock accounts. The identification of an AI-generated photo is not always indicative of the nefarious utilization of a sock account. However, using a fake photo is one of the tactics an attacker will employ in the creation of a sock account.

There are a few techniques that can be used to identify AI-generated photos. Close-up pictures may be an indicator of a sock account. Zoom into the suspicious picture to analyze facial features, background details, and asymmetry. Pay close attention to teeth. Teeth will be oddly shaped or asymmetrical. The neural networks used to render photographs primarily focus on the face. Keep an eye out on strange-looking background details. Take a moment to analyze the eyeglasses, including the symmetry and style of the frame on each side. Especially, if the pair of glasses appears crooked.

A screenshot of a sock account.
The display picture is close-up, an indicator of an AI-generated photo.
There is a strange object in the background of the picture, another indicator of an AI-generated photo.

Attackers will also hide in plain sight using their main accounts. In the previous scenario, an attacker created a sock account. In the next scenario the attacker will utilize their main account. There are many reasons why people might seek assistance, help, or guidance on social media. Students inquire about career paths and requirements. Industry veterans share their experiences with newcomers and peers alike. Attackers prey on their targets. An attacker will claim or appear to be an “expert” to their targets, offering mentorship or career advice. Attackers will engage in conversation to manipulate and deceive their targets.

The capability, intent, and opportunities of individual attackers varies. Therefore, the amount of engagement between an attacker and their target will greatly depend on the attacker’s objectives. Attackers may use passive techniques, such as aggregating various pieces of information to achieve their goals or desired outcome without directly engaging with their target. In other circumstances, an attacker may use active techniques, such as directly engaging their targets on social media by interacting with posts or via direct messages. After performing reconnaissance, an attacker may engage their target in a conversation about posted interests and hobbies to create a rapport, establish a relationship and build trust.

Fake e-mail addresses are created so the sock account cannot be easily tied back to its owner’s identity. Applications like MySudo are used to manage multiple e-mail addresses and phone numbers for online identities. Many social media platforms require the use of two-factor authentication. Attackers will create burner telephone numbers to register and verify their sock accounts. Burner, or fake, telephone numbers are used for the same reason why attackers create fake e-mail addresses, to increase the difficulty of tying a sock account to its owner.

Sock accounts are used by attackers for various purposes, including reconnaissance and intelligence gathering. Attackers will follow and sometimes engage with their targets seeking information including e-mail addresses, telephone numbers, employer information, established relationships, group memberships, travel dates, and locations.

Attackers use sock accounts to integrate into their target’s community and spread disinformation. An attacker will follow and engage with a target’s followers and friends using sock accounts. The attacker will also disseminate information that supports their point of view. For example, an attacker will comment on a target’s follower’s post using a sock account to evoke feelings of doubt or uncertainty about reporting harassment. If you suspect an attacker is using a sock account to spread disinformation that encourages abusive or illegal behavior, monitor the sock account to assess the attacker’s techniques. Timestamped screenshots of sock account activity can be useful to identify its owner.

Twitter’s rules and polices prohibit the use of misleading others on Twitter by operating fake accounts. Policies may deter attackers from using sock accounts, but they cannot be considered preventive controls. If you suspect you are being targeted, having the ability to identify sock accounts will help you protect both your privacy and safety.

Sometimes sock accounts are clearly distinguishable from a legitimate user’s account or profile. A few key indicators of a sock account include the account creation date and/or a lack of engagement. Recently created accounts are usually indicators of sock accounts. A lack of activity or engagement, including “liking”, retweeting, or commenting on content, may be another indicator of a sock account.

Language similarities between an attacker and a suspected sock account may also be an indicator. Advanced attackers are more calculated and methodical, so it is imperative to know your threat model. Attackers with little to no OPSEC consideration will have an increased likelihood of being detected and identified.

The screenshot on the above appears to be an apologetic tweet including a letter.
The apology letter above, states “I am also working on reading several books recommended by [these] friends to better understand the threat models that women face.”
The screenshot above appears to be a tweet from a woman working in the information security industry (InfosecSlut). The InfosecSlut account states “my threat model isn’t your threat model.” The attacker references better understanding “the threat models that women face.”

Attackers will attempt to legitimize their sock accounts by engaging in low-level activity, including retweeting, or posting comments to fit the sock’s pretext. An attacker will use the sock account to create a rapport with the target’s followers and friends. The screenshot above shows the use of the InfosecSlut account to influence and discourage women from calling the police in threatening situations. An attacker will also enlist complicit friends to legitimize their sock accounts. Sock accounts are legitimized through “Follow Friday” tweets, retweets, and interactions that support the sock account’s narrative.

If you suspect you are being targeted, the identification and assessment of an attacker and their personal relationships through their real account is imperative. Who does the attacker frequently interact with? What groups does the attacker belong to or associate with? What are the attacker’s ideologies? This information can help you build a profile of the attacker and their network, as well as reveal possible skills and motives.

The techniques discussed next can be employed to exploit an attacker’s vulnerabilities, ultimately leading to the successful identification of the sock account owner. These techniques can be used on the social media platform Twitter. The “Find by email or phone” feature can be used to search for user accounts. If you have a suspected attacker’s mobile phone number and/or e-mail address, they can be added to your Contact book. After the phone number and/or e-mail address has been added to your Contacts, your Contacts can be synchronized to Twitter. This technique allows you to identify all Twitter user accounts associated with the e-mail addresses and phone number.

The second technique relies more upon luck, but it is nonetheless effective. Twitter allows its users to manage multiple accounts. More importantly, this means that attackers manage their main account and sock account using the same device. If you have a suspected attacker’s Twitter account handle, you can follow them and turn on notifications that will alert you each time the attacker tweets.

Attackers are humans and humans are fallible. Sometimes attackers may post content to their sock account that was meant to be posted to their main account. Attackers will act swiftly to remove this content. If you have notifications enabled for the suspected sock account, you can quickly capture a screenshot of the tweet and search Twitter for its content. Thus, enabling the identification of the attacker’s main account and real identity.

The screenshot above shows that notifications are enabled for the sock account HackerHikes.
A notification banner for a HackerHikes’ tweet.
The results of a Twitter search, including the Twitter handle of a main account, for the deleted tweet’s content.

Attackers use Virtual Private Networks (VPNs) to obscure their Internet Protocol (IP) address. IP addresses are used to identify the devices on a network. You can potentially locate an attacker if they are not using a VPN. If the attacker has directly contacted you via electronic communications, such as e-mail or direct message, you can send them a shortened Grabify link to capture their IP address. If the attacker clicks on the link and is not using a VPN, their IP address, ISP provider, and approximate location will be logged. Remember, this technique will not work if the attacker is using a VPN.

It is indeed tempting to post information on social media platforms. People post information about their location, cars, pets, employer, and travel plans. Sharing information or opinions might seem trivial if it is being communicated to a close friend or family member, but oversharing information with the wrong people has consequences. Attackers do not need to hack into companies’ systems to access data that is being willingly provided. You may be inadvertently helping an attacker by providing a wealth of information online. If you would like to know what information about you is available on the Internet, you can follow the Open Source Intelligence (OSINT) framework which is publicly accessible online.

It is especially important to use unique, strong, and complex passwords with multi-factor authentication if you suspect you are the target of an attacker. Weak or re-used passwords increases your risk of an attacker gaining unauthorized access to your accounts.  Less-tech savvy attackers will use manual procedures like password-guessing based on known information (i.e. pet’s or children’s names, birthdates, spouses, etc.). Advanced attackers will use automated procedures like password spraying or credential stuffing. Password spraying involves brute-forcing passwords for multiple accounts using a single, common password like password123. This technique increases the likelihood that an attacker will go undetected by avoiding frequent account lockouts. Credential stuffing is facilitated through the recycling of passwords. Attackers will attempt to use compromised credentials from one application to gain access to another application.

If you are the target of an online predator engaging in harassment or stalking within proximity, you can file a complaint with your local police department as applicable. If you personally know the attacker’s name, address, and/or e-mail address, your attorney can write a letter requesting no further contact. Some attorneys will provide this service pro bono. The letter should provide clear and specific methods of contact that will be considered harassment. For example, “You are to cease all attempts to contact me by any means, including but not limited to calls, text messages, e-mail, social media platforms, and any other written forms of electronic communication.” The letter should also state that appropriate legal action will be taken in the event of any further contact attempts.

Collect and document all evidence that can be used to support your case, including any timestamped screenshots, texts, and e-mails. Create a timeline of events including initial communication, written letters and/or emails to the attacker, and any subsequent communication attempts. The collected evidence and timeline can be used to seek a protective order in your state. Be sure to thoroughly research your local and state laws, as protective orders are granted under various circumstances from state to state.

Technical solutions can be implemented to hinder an attacker’s ability to perform reconnaissance, thus protecting your privacy and safety. Consider using a Virtual Private Network (VPN), like Mullvad, to prevent network traffic interception. VPNs encrypt Internet traffic transmitted to and from your laptop, computer, or mobile device. This means that an attacker cannot intercept your network traffic, which increases your privacy and security.

To setup your VPN, visit www.mullvad.net and click “Generate account”.
You will be redirected to a webpage with your new account number.
After documenting your account number, you can either subscribe or make a one-time payment.
Download and install Mullvad VPN.
Log in with your account number to start using the VPN.

Encrypted e-mail platforms, like ProtonMail, can be used to send and receive secure communications. Also consider using The Onion Router (Tor) to encrypt your Internet traffic. Tor routes encrypted traffic through multiple servers to increase anonymity and privacy.

Networking devices should be hardened to reduce the risk of an attacker gaining unauthorized access to your home network. The vendor default usernames and passwords that come pre-configured on wireless routers should be changed, as they can be easily discovered through a quick Google search of the make/model. Attackers will sniff or capture and analyze wireless traffic that is unencrypted. You should configure your router to use WiFi Protected Access 2 Pre-Shared Key Advanced Encryption Standard (WPA2 PSK [AES]) because both Wired Equivalent Privacy (WEP) and WPA are considered vulnerable to wireless attacks.

One of the reasons organizations implement information security policies and controls is to prevent, detect, and respond to incidents. However, as the threat landscape evolves, risk must be periodically reassessed to ensure information security controls are effective. Online predators will undoubtedly continue to lurk among the populations on social media platforms. It is vital that individuals adopt a similar approach by creating their own information security program to proactively identify and treat such risks.

Show Comments