Creating Research Accounts for OSINT Investigations

You want to do OSINT but need to create some research accounts, also known as sock puppets? Some platforms allow only limited viewable data unless you are logged in.

Choose the right platform

We all know the most popular platforms like Facebook, Instagram, LinkedIn and Twitter.
But sometimes you are investigating targets from other countries. In this case, use alexa.com/topsites/countries to identify what platforms different countries use for their main social media. For instance, in Russia they may use other social platforms in addition to Facebook.

Looking for which mobile platforms might be interesting? Check out Applyzer or AppAnnie to see which ones might be important in specific countries. Do keep in mind that if you’re selecting the category ‘Communication’ to find apps like WhatsApp, Signal or Telegram, you might overlook the popular gaming platforms which can also have a chat feature in the app.

What are you going to use the account for?

What is the purpose of the research account? Meaning, will it be used for passive or active open source research and collection? Understand the difference between passive and active research.

Passive means you do not engage with a target. Further, don’t assume you can just use any profile when you’re only doing passive research; don’t forget that Facebook has the feature “people you may know” (https://www.facebook.com/help/336320879782850, also know as ‘Friend suggestions’). Your profile might end up in these results so you might want to blend in a little. 

Active means you are engaging with a target in some fashion, i.e., adding the target as a Facebook friend.
For active research it’s a must to blend in with the group. If you want to read about other factors to consider when creating a profile check out our previous blog post about creating sock puppets here. Further, if you are engaging with a target you may want to create a couple of accounts on different platforms to make it look like you’re a real person . 

From a social engineering perspective, another question to ask yourself is what influences or motivates your target? If you want to blend in, make sure your profile is active in the same areas (groups, page likes) as your target.

Choosing a name

When you choose a name, you may want to use one of the following resources to generate a name or you can simply take use more than one resource to give you ideas.

Behindthename.com/random
Elfqrin.com/fakeid.php
Fakenamegenerator.com
Name-generator.org.uk
Randomuser.me
Randomwordgenerator.com/name.php

Remember to use a name that will blend in with the target group.

Creating an email address

Creating accounts is not easy and often it’s trial and error that wins the day. I have used mail.com to create several accounts without any issues. Sometimes creating a Gmail account on an iPad will allow you to bypass the phone number verification. If you cannot bypass the phone verification, your best option is to use a burner phone and purchase an anonymous SIM card to create accounts.

Do not use a previously created email address – start fresh and create a brand new email that has not been previously used.

Tips per platform

Facebook

Privacy settings
You can keep your profile private including the friends list, but keep in mind that over the years, there have been methods to find information of Facebook users who thought they’ve hid everything. (Interested in finding information on Facebook profiles? Click here!).

Verification code
Once you have an email address you should not need a phone number to verify, the verification code should be sent to the email address but again, if required use a burner phone and a newly purchased anonymous SIM card to get that phone verification. In some circumstances I have had success creating accounts by using the mobile version of Facebook. The verification code would be sent to the email address used to create the account.

You can also use the following link to create accounts using the Facebook mobile website: https://m.facebook.com.

Photos
Facebook is known to ask for photo identification when they want to confirm your profile name. This may seem obvious but if Facebook asks for photo identification, do not submit any photos or documents. This would be the time to create a new profile, perhaps from a different IP address.

If you need to upload a photo of yourself, make sure that if you use a website like thispersondoesnotexist.com, you alter the photo (change the colour, cut it, flip it, etc.). The reason why you should do that can be found in a blog by Nixintel here.

Friends
If you want your profile to have friends but you don’t want to create a whole set of friends for your profile; join some groups or pages on Facebook.

Some suggestions:
– Relationship/dating: join groups/pages where people try to find a partner.
– Expats: join groups/pages were people are looking for social contacts in a specific city
– Social games: join groups/pages where people play social games (of course your profile has to play too). In order to get further in the game, you’ll need friends to give you certain items like carrots in FarmVille.

Instagram

Privacy settings
You are able to make your profile private but keep in mind that anyone can still see the number of posts, followers, following etc., so they can estimate if you’re an active user or not.

Verification code
On Instagram.com you can create a profile by using an email address. Once you have created a profile, Instagram may want to confirm by sending a verification code and this is usually sent to the email address you used.
If required, use a burner phone and a newly purchased anonymous SIM card to get a phone verification code.

Followers/following
Although you can choose to buy your followers and following, you might want to consider playing by the rules 🙂
Search for people with the same interest (like traveling), add them and they might follow you too (due make sure your profile is attractive enough to be followed of course).

Keep in mind that following a private profile will send a notification to the owner that you started following him.

Twitter

Privacy settings
You are able to set your profile to private but anyone can still see the number of tweets, followers, and following. It is especially important for Twitter that anyone can see when an account was created, you cannot hide this information. This information appears in the Bio area of your Twitter account. Looking at the first tweet may also be helpful is knowing when an account was created, if there are too many tweets you can use https://www.allmytweets.net to get a page of all the tweets (max return of 3200).

Verification code
Once you have created a profile Twitter may want to confirm by sending a verification code and this is usually sent to the email address you used. If required, use a burner phone and a newly purchased anonymous SIM card to get that phone verification.

Followers/following
You can follow pretty much everyone on Twitter. Keep in mind that when following a private profile, that profile will get a notification that you started following him. Want to gain followers? Make your profile active with some regular tweets with hashtags so people will be interested to follow you.

LinkedIn

Privacy settings
You can make your profile private but if someone pays for the premium version of LinkedIn they may have full access to your profile.

Verification code
In most cases you will need a phone number to verify your account. Use a burner phone and SIM card for this.

Photos
I have used profile photos from thispersondoesnotexist.com and several of my accounts are still alive. But, if you want to make sure they won’t detect your profile, alter the photo!

Network
Want to have some connections on LinkedIn? Think about people who have many, maybe even random, connections. For example recruiters; it’s logical that they will add random people because they’ll need that network in their actual job.

Things to think about when being a puppeteer

Security/Privacy Settings
If you’re conducting passive research, you may want to keep the account completely locked down and have no need to leave the profile public.

If you’re doing active research, you must keep your account locked down until it appears to be that of a real person. Think about if there are enough Facebook friends, followers, activity on the profile, do you have a back story that fits well, before you ‘open’ your profile.

Profile pictures
You can use a generic profile photo like a landscape or something local to where you are want to appear from. Sometimes it is useful to use the Snipping Tool to grab stock images. Alternatively, go to thispersondoesnotexist.com and use one of the AI generated photos. I would use screenshot to retrieve the photo and alter the photo slightly. You can always test security check on your profile photo by doing a reverse image search. If you locate its origin use another image. Do not impersonate anyone, do not use someone else’s actual photo!

Passwords
Typically I like to have a bunch of research profiles I can rely on and have done this for years. It’s important to track and make note of accounts/passwords in a password manager like LastPass (https://www.lastpass.com).

Activity
When I create a new passive profile I post every week and act like a regular user as much as possible. The main idea is that you want to make Facebook believe you are real. You can do this by liking pages, posting something generic or checking into places. There are ways to automate your activity with, for example, IFTTT.com, but keep in mind that someone might notice this and might question your activity

Do not post offensive material that would violate the platform policies or the policies of your employer.

Important!

Always remember to follow your organization’s policies when it comes to passive versus active research, as active can be see working in the capacity of an undercover operation especially if you work for law enforcement.

Do not mix your personal and private accounts. I always keep these two separate to prevent cross contamination.

If you are using a VPN, keep in mind that social platforms get suspicious when new accounts sign up in Seattle but login later that week in New York, especially for brand new accounts. Legacy accounts (accounts that have existed for a while longer) can sometimes bypass this issue.