Unmasking the Illusion: Exposing the Deceptive Web of Sock Puppet Social Media Accounts

5Gmb...M2Ub
23 Jun 2023
117

The infamous Cambridge Analytica scandal exposed the power of data-driven sock puppetry.

There is no disputing that social media has become an integral part of our lives, help to shape public discourse and influencing opinions. However within the depths of these platforms, things aren’t always as they seem. Sometimes some of the most vocal voices on particular issues may not be within country or in many cases may not even be human! In this blog post, we’ll look into the world of sock puppetry, exploring its motivations, techniques, then touch on some real-life examples, and the consequences it poses to our digital landscape. We’ll also discuss detection methods and offer some tips to protect ourselves from falling prey to sock puppet accounts.

What is the Motivation:
While an individual or organisations motivation is best analysed on a case by case basis, generally speaking sock puppet accounts serve as tools for manipulation and deception, employed by various individuals and organizations. Political campaigns, corporate entities, nation states and even individuals harness the power of sock puppetry to spread propaganda, control narratives, and shape public opinion. The Internet Research Agency (IRA), a Russian organization, operated a network of sock puppet accounts on various social media platforms during the 2016 United States presidential election. These accounts aimed to sow discord and manipulate public opinion. The case highlighted the extent to which sock puppet accounts can be used for political propaganda and influence campaigns.
Sometimes we’ll also see sock puppets used in a PR capacity by corporations. While this can also often revolve around shaping opinions in regards to a specific event or occurrence there is also increasing use to subtly shape and create an image or profile, using 3rd party accounts and “independent” people to provide favorable reviews, publicity or feedback.
However like anything we see in the world, these tools can also be used for good, with Journalists, Open Source Analysts and Investigators all leveraging sock puppets accounts in various ways. In these case’s though rather than shaping the narrative, these accounts allow online investigators and cyber sleuths the ability to work close to an investigative target while maintaining a form of cover. As such we’ll see these accounts in the midst of the action, covertly collecting intelligence and data on current events, elections and other general public insights. While a good sock puppet account can be difficult to detect, in many cases there is often similarities we can use to analyse the legitimacy of an individual, account or company should we need to. We’ll delve deeper into the use and suitability of these tools in a future blog post.

Real Life Examples:
We won’t be assessing these for legitimacy as many others have already. However if we are to search for known uses of Sock Puppets in various situations, we don’t have to look too far to find some well known examples within the real world.

The “Other” IRA
Known as the Internet Research Agency (Russian: Агентство интернет-исследований), the IRA is a State Sponsored, Russia based group with a long history of manipulating social media for various purposes. Formed in 2013 by Wagner Group founder Yevgenny Prigozhin and operating out of St Petersburg, the IRA is also known as “The Troll Factory” due to it’s history of attempting to shape the online narrative using propaganda and bots. With over 1000 workers documented in 2015, the IRA is best known for it’s attempts at electoral interference in the 2016 United States election. While electoral interference in any country can be a controversial topic, it’s worth noting that in 2018, 13 members of the group and 3 Russian Companies including the IRA were indicted in the United States in regard to electoral interference. The IRA has a detailed Wikipedia entry here
55 Savushkina Street St Petersburg. Just one of the many offices of the Internet Research Agency. Source: Wikipedia

The United Kingdom’s GHCQ
Originally designed to protect and defend the UK from cyber attacks and events GHCQ came under fire in 2014 when it was revealed to have attacked hacktivists and targeted political dissidents with it’s online activities,via a little known group called the Joint Threat Research Intelligence Group.
Coming to light during the Snowden leaks, the group attracted controversy when it was revealed that it used a DDOS attack called “Rolling Thunder”to target communications between hacktivists with communications between political targets also targeted at various points.
While offensive cyber techniques are historically known to occur between countries, these attacks were controversial due to the fact that teenagers were involved and the free speech of people was impinged upon without any crimes, charges or hearings being conducted.
However it’s not just Denial of Service attacks that are used, with leaked information showing that Social Engineering and Disinformation operations are also within scope.
Originally reported on by The Intercept, there is some fantastic pieces written about this group which you can find here.
Leaked information from the JTRIG playbook. Source: The Intercept

Operation Earnest Voice:
Run by the United States as part of the War On Terror, Operation Earnest Voice came to life in 2011 and was designed to give US Central Command (CENTCOM) the ability to conduct social media operations within the middle east.
First used in Iraq, EV spread to other areas within the middle east as well, eventually being used within Afghanistan and Pakistan in the program’s later years.
Using technology to leverage social media manipulation in non english languages, Operation Earnest Voice was designed to spread favorable publicity and propaganda within the middle east, targeting users in their natural language. It was able to do this by leveraging a software package to provide language services, virtual machines, private servers and more importantly ways to obfuscate IP Addresses and associations. This meant that users of the package had a large suite of tools at their disposal to provide natural looking social media profiles and social media engagement that was tailored to the user around geographic, lingual and culutral perspectives meaning they were more effective in delivering their viewpoint. If you’d like to read more about the operation, there is a relevant link here.

Operating Techniques:
The creation and operation of sock puppet accounts involve various techniques and strategies that are similar to those of a Catfish. Fake identities, fabricated profile pictures, and carefully crafted biographies help these accounts appear genuine allowing the account holders to shape their profile according to their target group This increases the chances of engagement by the profile along with accompanying legitimacy assisting in making it look like a genuine account.
The sock puppet operators may also employ automation tools, paid followers, and other coordinated efforts to enhance credibility and manipulate online conversations and communities.
The development of natural language learning models also means that sock puppet account’s can also be given a voice directly, using Artificial Intelligence to create engagement and communicate with users with less intervention by the operators. We should expect to see far more of this into the future.
If you’d like an example of a once operational and well designed cover then you’re in luck because we’d like to introduce you to Mia Ash.
Mia is a sock puppet account linked to the Iranian government that reached fame around 2016, using a well engineered profile to target people of interest by the Iranian government via LinkedIn. While Mia used a stolen picture, her photography credentials and supposed network along with alleged study within the United Kingdom gave her credibility.
This operation was unique in the sense that it used two well crafted approach vectors to ensure success, with targets originally being targeted via email using well crafted phishing links to give backdoor access to the target machine.
If this vector was unsuccessful then personalized social engineering was then conducted, with chats and correspondence being used to give legitimacy and built a rapport before again attempting a targeted attack incorporating malware.
Will the real Musk please stand up? Source: Twitter

Detection and Mitigation
Detecting sock puppet accounts is no small task. However researchers and social media platforms have been working to develop sophisticated algorithms and techniques. Network analysis, behavior analysis, and machine learning algorithms are increasingly being employed to uncover these deceptive accounts before they are able to take hold and spread their message.
Many Social Media platforms are also taking measures to combat sock puppetry by implementing stricter policies, removing fraudulent accounts, and promoting transparency. However other platforms have given up entirely, with reduction in moderation tools, moderators and other tools to assist in the fight. This means if you’re a social media user that understanding your platform of choice becomes important if you wish to minimize contact with these types of accounts. Some platforms have taken significant steps to prevent disinformation. Some tried then just removed the tools. And some simply never bothered to try at all. We’re looking at you Telegram.
The battle against sock puppetry will remain an ongoing challenge, as sock puppet operators continually adapt their techniques to evade detection and use new tools to spread their messages. It’s important for us as end users to attempt to identify these accounts, as they prevent the genuine engagement of opposing views by seeking to cause division within our societies. And we’ll be covering more of this in future articles by looking at ways and means to identify sock puppeting in the wild.
Twitter Blue gave bots new credibility. It may be parody but the blue tick remains. Source: Twitter

If you liked this story, we’d encourage to you to subscribe for more just like it.
If you’d like crypto for reading our content, you should join publish0x
If you’d like to join the murky world of disinformation on telegram then you should also join our blog channel.
And don’t forget you can now find us on twitter

Join our Crypto focused Telegram Channel!

Telegram

Enjoy this blog? Subscribe to Investigator515

12 Comments