How to Build Authentic Sock Puppets with Yard Sale Junk

[Music]

Hey everybody. Uh my name is Tim Papa. Um, so I'm a former supervisory special agent with the Federal Bureau of Investigation and I was also a former profiler with the FBI's behavioral analysis unit. Now I work at Walmart. I'm actually colleagues with KR in security operations. I'm on the cyber deception operations team and my focus there is cyber deception strategy, content creation and marketing. What I want to share with you today is how you can make your sock puppets or your fake online personas more authentic and do it on the cheap. Right? This is if you don't have aged accounts, you're not persona farming, but to do it quickly and make it appear authentic. So, I'm

going to share a little bit about my background and really talk about what makes someone appear authentic online because I want to give you the foundation behaviorally of why people perceive people to be authentic or not online. And then, how do you use content and specifically objects? Because I'm talking about things you find at yard sales to influence someone's evaluation. I'm going to walk you through the process of going to two yard sales to show you how easy this is to do and how much you can boost the content you put out with your sock puppets to make them more authentic. So, I'm going to demonstrate that briefly and then have discussion. So, background um at Walmart, this is

one of my main areas that I focus on. So, I created a framework where you conceptually design sock puppets, but it's behaviorally based and it's like a living guide, right? So you go back to it at any point and I'm trying to explore what's their worldview, what happened in their life, how do they feel about different things. It's all fabricated. But the whole point is it's a different kind of process of simulation, right? You're thinking through who is this person. So when you are thinking about the content you create and what you post online and what you follow and what you say, you actually have a guide you can keep going back to instead of just making it up on

the spot that's six months down the road. So, I run sock puppet operations for Walmart for the cyber deception team. I mentioned I was a former FBI profiler. This is kind of what I would focus on as well in the behavioral analysis unit, but it was much more focused on design. I designed sock puppets and then agents would use them in operations. Uh, in the FBI as well, I would also run workshops with the intelligence community on creating assessments. And these would be assessments for trying to detect is this sock puppet someone's using fake or not. And of course you can reverse that, right? Because if you understand what makes a sock puppet appear authentic or not authentic, it

really helps you design an authentic sock puppet. And then I've I've published and presented a few times on content evaluation and sock puppets. So you're going to see a lot of references here to research literature. You can follow up on that. I'm going to share these slides online. I just want to briefly kind of talk through what the foundation is so you understand. Okay. So, if you go back to the '9s, people used to think without any kind of images or content, you can't be very persuasive online. It's just based on what you write, it's textually based. A lot of people thought that. And so, they would do studies to confirm that. Over time, though, they started to

see that's not necessarily the case. And what was missing with some of those studies was they just weren't doing it long enough. And so if some of you remember AOL Messenger, like having AOL girlfriends and boyfriends, that's what's behind this. You maybe we were embarrassed back then about it, but it makes sense. People actually become closer or they can become closer online than offline. And the reason for that is you think about people in your life that you know pretty well. Relationships start to plateau after a while. Online, it's a little bit different. you don't really know who they are and so people naturally ask a lot more questions and they tend to disclose things because

they're hoping whoever they're talking to will do the same thing. There's a lot of theories related to that, but it's all tied to reducing uncertainty and ambiguity because that makes people uncomfortable. So, as they did these studies longer, they found people actually got closer, which is great news. If you're in an anonymized environment, you can become very close with people. You can build trusting relationships online and you can do that with sock puppets online even if they have no idea who you are. Right? So the academic background of this too is called computer mediated communication. If you look in academic publications that's what they'll call it. But what they found is something they called you

kind of have hyperpersonal impressions of people and that just means you don't really know them but the things you know about them you tend to like it more. It's kind of magnified. It's not really who they actually are, but just what you know about them. That's the restricted media. And again, it's another example how online you can get very close to people. Even if you think it's a place of distrust, you can get very close to them. And what I mentioned before about reducing ambiguity and uncertainty, this is what's going on. I mean, you can even find it physiologically, too. When people disclose something vulnerable to you, it tends to cause a dopamine release in the other person and they

like you. That's just what happens with a lot of people physiologically, right? This happens online, too. I've seen it again and again. We've used it. There's studies that show this as well. So, when you make efforts to disclose things that are kind of vulnerable, whether it's true or not, other people tend to like you more and they tend to trust you more. That's just how that works. So, what about when you bring content and objects into this as well? Now, warranting theory is a great theory to look at. You don't even have to be trained in it. Warranting theory really just explains how people when you're looking at stuff online, how you evaluate content in terms of how likely

is it someone's manipulated this, you do this when you look at stuff on say eBay and you look at the picture and the quality of the picture. And if someone's uh selling a a package of golf balls and it looks like a stock photo, people tend to trust that a little bit less because they wonder, "Am I going to get scammed? Is this real? Am I actually going to get it?" They've found in studies of this uh pictures of a package of golf balls on an old basement rug did way better. There are more bids and more purchases. That's warranting theory because people look at that and they make an evaluation, right? I don't think this is

being manipulated. I actually think I'm going to get this. Another example would be something like you're going to go on a blind date with someone, but you still really want to know what they look like. Your two sources of information may be a photo online or in a newspaper from 6 months ago and the photo from their best friend. You're probably going to evaluate the photo from the best friend is highly manipulated. They're going to make sure they provide the best photo possible, but the photo online or on the newspaper, they don't really have much control over that. So, a lot of people would say, "I don't think this is being manipulated." They tend to trust it

more. You also see it in online reviews on products and companies when there's negative reviews. People tend to trust that more because like the company's not trying to control it. It must be genuine. So, that's what's actually going on. And people can manipulate this. I would manipulate this all the time in these operations and I still do. That's how it works. Um this goes without saying affect and emotions it influences everything we do how we judge things how we are feeling at that time it does impact actually those engagements and so if you're looking for an opportunity with a sock puppet where you really want to appear authentic you should definitely bring a effect and

emotion into it effect isn't usually something you can really grasp just something you feel people it could be but if you have an emotion you've labeled it you've interpreted some kind of event. So, it drives people in different ways, but you can't remove it. So, the purpose of this is to take objects and content and induce emotion and affect into people you're interacting with so that they scrutinize you less so they like you more and they trust you more. That's kind of how you see how this is starting to come together and integrate. Nostalgia, of course, is also very powerful. And this is the connection to things we get at yard sales. We typically see these

objects and they have nostalgic value to it which also induces emotions. Some of the research on media richness backs this up as well. What I mean by that when I say like rich media, I'm talking about photos, videos, links to YouTube videos, shorts, memes, whatever it might be. If you think about your rural relationships in your life, friends and family, you do that, right? You share funny stuff. You share stuff that makes you angry. That's rich media and it is the best way to start relationships online and maintain relationships online. That's why the content you share with somebody is so important to making you appear to be authentic to them. Now, also objects, there's there's

a very vast literature on what objects mean to us. And some of the some of the terms for that out there are psychological ownership, which is kind of how we see ourselves in objects. There's been research by Belulk back in the 80s where they started to look at how as people aged, they assign more value to the objects they possessed. That seems like a natural thing to us now, but if you look at it a little bit deeper, people are purchasing objects and they want to possess objects that represent something about themselves. So, they want people to think that about them. It's kind of like I'm sure you've heard the example of people purchasing Apple products. They think Apple

represents something innovative and they want to be seen as innovative. that's why they want Apple products. And it can go conversely too like when you don't own something or possess something, it's purposeful even if you can't afford it because you want to say that's not me. That's I'm not that kind of person. And egocentric categorization is another theory. And that's saying the objects we have can actually influence how we live our life and it can change us. I only bring that up lightly to say this is tied to objects in yard cells, right? because you're presenting an image of your sock puppet as a real person saying these objects mean something to me. And even if you don't go into this

literature, you you understand that innately it's just human to another human. So how do you find this kind of stuff? Well, it's pretty easy to find yard sales. You can go to yard sales.net and it's all over the United States. It's that simple. I'm going to show you from two yard sales how I found these objects. What's great about it though is you're you're going to find generational items at yard sales because people are having yard sales for a lot of reasons. They're moving. There's an estate sale. Somebody passed away. There's going to be decades worth of objects and that has immense rich value terms of nostalgia, emotions and a effect and storylines and it's right there, right? And we're

talking about cheap stuff that you can buy, right? Think about the demographic of the yard sales you visit, too. Like theoretically, if I wanted to create a sock puppet that appeared to have been from Lebanon, I would probably want to be in Florida because we know there's a large population of Lebanese communities there that immigrated there 20 years ago. So, the things they have in their home, they wouldn't have it if they hadn't come from Lebanon. That is impossible to recreate and very difficult to do that if you're trying to do that with Genai. But you could just go to the yard sales, too, and get this stuff. Nobody's really doing this and it's right there for the taking. You

don't even have to buy anything. So, in the example I have here, I purchased some of the things, but you don't have to. You can take pictures right there. You can edit pictures however you want, right? But you have the objects right there. It is a little weird when yard sale owners see me like taking pictures of things. They're probably wondering what I'm doing, but nothing that unusual about it. Um, another thing, too, is talking to a yard sale owner. You can use them to help you shape your deceptive storyline. Even if you're just asking, "What's this thing from? Tell me about that." Because you're going to need that, right? If you're creating content and a storyline that has unusual

facts and strange references and funny things that happened, uh, that's actually how you detect if there's deception or not. You're looking for unusual things like that. So, the fact that you purposely include them in your storyline makes it even more authentic. And you don't have to come up with it, right? You don't even have to use Gen AI. You can talk to someone who really lived it to give you all the details whether they know your purpose or not. And this is an example from yardsales.net back in October when I'm kind of perusing like what do they have? Okay, it's that simple, right? Or stuff like this. I got pretty excited about this because he was saying, "Hey, we

retired from the foreign service and we're moving. Oh, they're going to have great stuff there for sure. I could use it in so many different ways and it's just a friendly visit in a neighborhood, right? And there's so many every weekend." And then there's weird stuff, too. I don't know why someone's selling tampons, but somebody was. So, you don't know what you're going to get there. There's all kinds of weird stuff. Um, okay. So, I'm going to give you some examples of stuff I found from yard sales and how you can kind of theorize or conceptualize storylines for your sock puppets. Okay? Say an old baseball glove. That could be all kinds of things. Right? Now, not everything has

to be heavy, but I could give an example of like uh my sock puppet. Uh maybe it was me like I used to play baseball and I really loved baseball and uh I still remember my last game. I also remember that day my family was in a car accident, right? And I and I lost my sister. I'm making that up. I'm even feeling emotional telling you about that. Can you imagine reading that and seeing this picture? It's powerful. Or something like this. It doesn't have to be heavy. Um, I know if I just post this, I see people nodding back there. And I just say, "You know this, right? Anyone who responds to that, I probably already know you also

were a pre-teen in the 1990s and you played with these things cuz that was me. That's all I got to do." And the thing about this, keep in mind these kind of topics and content, uh, they're not threatening the people. If you're a sock puppet who has some intention of like, I want to find out something from somebody. I want to get access. That's super suspicious to people. But when you start this way, people don't feel threatened. They want to engage with you. They want to talk to you about it. They want to share with you. They think it's funny. Whatever. This is the way in. It's this simple. Um or something like this, an old jigsaw puzzle from the

$6 million man. I got to admit, I had never even seen this show until recently. And I think I think I've already figured it out. They anytime he's doing something bionic, they just put it in slow motion and that seemed okay. That's what I thought it was. Okay. And then I I love I love bins like this. Oh, I love bins like this cuz who knows what's in there. And people have handwriting on these cassettes. There's just so many stories potentially in here. And these are hard to find. Where else are you going to find this stuff now? Maybe if it's on iTunes, it's going to be hard to find. So, you want to have

old media like this because you can use it in so many different ways. Um, so this is just a light demonstration and if you can't read it, it's fine. I'll just tell you what it says. I was just messing around LinkedIn posting something like this where I haven't obviously gone into um the actual name and background and what they do the sock puppet but um I took a picture of this radio director I found and someone had handwriting on there in terms of the frequency codes for like Fairfax police or Hearnden police, Fairfax Rescue. I just made up a story about being at my parents house and f looking through old boxes and saying, "Oh, my grandfather

used to do this. I never even knew this about him. It's kind of crazy. I wonder what kind of stories he heard." And I wonder if he went there. And then I suddenly pivot to it. It also like really makes me pause because I I regret the time I didn't spend getting to know him better and he's gone. There's a lot There's a lot in that one post and a lot of people can respond to it in different ways. I've left it kind of open-ended to see if you're gonna engage with me or not, right? And now you already have a sense of the kind of person I am. What if I was trying to connect with another

person online who also had a similar experience? That's how you show people you like them without saying I'm just like you. You post it and you share it in similar spaces or at some point you post this, they're going to see it and be like there's a connection there. That's how you do that kind of influence. Here's another example. I saw this book at a yard sale and they gave it to me for free. And I actually I hate this book because I've I've looked through recipes and it's I don't find it useful, but I just made up stuff about like, oh, so good seeing this. I found this thing. I remember growing up as a

kid with this. I just made up Mama Bears Meatloaf, whatever. I mean, obviously I could go to the pages and reference stuff, but there's probably, I don't know, tens of thousands of other people in the United States who also grew up with this book or something similar. And now I've made a potential connection and it's just with one post and people start looking past why you haven't been on that platform for as long as maybe you should have. As long as you have a storyline that comports and I always try to do that. I'm not I always am starting sock puppets from scratch. I I'm not persona farming or anything like that and this is still effective. And then

finally, when you actually purchase objects, you can do all kinds of things with it. Like I have used this before and just shown people in immediately even with a spectrum of generationally there are people who remember growing up with this, right? Or even new events. I think they it was in the news recently like there's lead in this or something so you can't drink from it. but it's a reason to post it and people might really respond to that. Or people who are much younger than me might be like, "That's interesting. Haven't seen that before." They might think it's a collector's item. There's so much. I think this cost me $1. Like there's so much you can do with it. If I didn't

have this, I'd really struggle, right, with like what I post and who I follow and doing a little bit of Geni. It's kind of a weak approach and it doesn't get you a lot of traction. And thread actors can see past that stuff. People with warranting theory, they don't even have to be trained in it. They know if something doesn't feel authentic. This is hard not to feel authentic, right? So, finally, in terms of discussion, um it's really going to give your sock puppet depth because that's where authenticity comes from. Vulnerability, affect, and emotions, and content like this. This feels like a real person. Think of it this way. If you were on the Zoom call and people had

their cameras off and you don't know me, you don't know anything about me and suddenly I turn on the mic and you hear a dog barking and kids running around. Just from that I have more depth now. You're like, I know something about him and there's something real about him. That's all it takes. That's what you're doing with this. And you notice a lot of the pictures have my my hand in there on purpose cuz that's really hard to create with Genai without extra fingers or people want to hide things that are being suspicious online. They want to hide and be quiet. This is saying embrace it. Don't be afraid to be loud about posting about things you care

about that aren't threatening the people. That's the whole point. Um, again, the content that has affect and emotional value in it, it can really prompt a lot of responses, including from thread actors. They're people, too. They also need a fig leaf to talk to you. Something that gives them some level of comfort that you're not up to something or that you're not suspicious. This gives them a fig leaf to talk to you cuz they know too if they reach out to you right away and they're talking about something with like some servers you're working on, it's going to be odd, right? and anyone who's working security operations too, that would be a no-go. So, how do you make sock puppets that

appear to be working in infosc appear approachable? This is one way to do it. Um, I think I've I've mentioned this before, but in terms of like overcoming these challenges, that's all I've ever known. Even back to the FBI, we always were extremely restricted. Same with DoD. Can't show faces. You can't purchase certain domains. You can't do this. You can't do that. So it was always starting from scratch. I call it like poor man's persona because you had nothing to go with. This method works because I've used it again and again. People look past things that seem could seem odd and they're just not scrutinizing you as much because you made this kind of connection. It it

really projects the storyline of your sock puppet to move beyond just textual posting and kind of staying quiet. This is an approach that is very effective and again very simple to do. Um that's all I have for my presentation. Are there any questions? Please like what kind of people create.

Oh sure. I mean generally speaking anyone who wants to do something anonymized or obuscated they're going to create an account and use that account for some purpose. So, sure. I mean, I guess you could say someone who just has an email account and like one social media platform, that could be a sock puppet. Maybe they're not engaging with anyone, right? There's definitely some a spectrum there in terms of do you actually engage with people or are you just kind of passive? I'd say in general, the sock puppets I create are deception artifacts. They're meant to be passive. They help tell a story. I'm not trying to go out and have long conversations with threat actors, but

obviously this is a chance for people to engage with people and talk to them without being scrutinized. Sock puppets can be used for all kinds of things. They can be malicious. They can send malware downrange. A sock puppet might just be a fake account on a platform that wants to send malware downrange. So, it's really just to anonymize or obuscate yourself online for a range of purposes. For me now, it's more about defensive cyber deception and use it to help promote a storyline so that threat actors might be uh interested in that and they might want to approach that person and they might want to engage, but generally speaking, that's what it's for. Yeah. Any other questions, please?

I'm really simple about it, right? I'll go off a VPN and then I'll I'll I'll go into like a private mode. That's it. And then I'll use other laptops. Sometimes I try to keep it as simple as possible. Um I don't go the route of like purchasing phones and do all I mean obviously certain platforms are getting very difficult and uh the last thing I need is to spend a lot of time on a sock puppet and then I get locked out. That has happened before. It's a terrible day when that happens because I've spent so much time on it. So, I try to pivot and that actually has been good because when I've been banned and kicked off of

certain platforms, it's led me to other platforms. For example, there's there's a platform that's more Europe based that's kind of like LinkedIn. I think it's pronounced crossing, but it says Shing, too. I never even heard of it, but it's been around for like two decades, I think, something like that. And, uh, all kinds of people on there. They can connect, they can chat, and I can search people by their skills and tools. So, it's like a it's good sometimes to move off of other platforms. It also pushes you to kind of explore other storylines for your sock puppet. Do I want to create another Caucasian infosc person? No. I want someone who is born in this country, who

immigrated here, this is happening with their family back over there. I want dynamic and complicated stories because complicated stories are very difficult for thread actors and security enterprises around the world to kind of sift through. They want simple storylines, but when it's complicated, it feels more like our own lives actually, which are complicated, right? So, I'm trying to replicate that, but I try to keep it as simple as possible because if I don't, the burden's too heavy, right? Trying to like constantly keep up the maintenance on all these different sock puppets. So, I think of them as deception artifacts that serve a purpose on particular campaigns and projects. That's how I try to manage it.

Thanks.

Oh, I just avoid it. If they ask for it, I don't want to use that platform. And that has still worked. It has still worked because you even have situations where a lot of thread actors um are less concerned and they don't have time to be looking through profiles in depth. So, like is one possibility, what if you just have skeleton accounts out there that are really focused on optimizing query results for certain skills, then maybe there's people using um that are just scraping or they're just very quickly looking for people who have those skill sets and they're not actually looking closely. Is this sock puppet a real person or not? That can be effective, too. But generally, I just

avoid it because it's the only way I can manage the burden of trying to handle all that stuff. Otherwise, I'd end up with like 10 phones, 10 lap. I can't do it. It's too much. Uh I think two is two more questions. Okay. Earlier you said you're not farming. What does that mean exactly? Uh it just means like um I'm I'm starting accounts now that maybe I'll use two years from now, but I let them live on those platforms so that if people come across them like, oh, they they opened an account two years ago. I don't do that. Again, it's not manageable for me. And I found I don't need to. What's the longest you've had a sock

puppet run for? And then how do you keep organized? I don't know if um how do I want to answer that? I'll just say there's been a spectrum of time and they've they've always served their purpose. There have been sock puppets where they were literally just made and they had a defined purpose of engaging. This is in the past a thread actor and none of that mattered because you're on a platform where it's like it didn't matter when you're on Discord or somewhere else using proton mount. It doesn't matter. So if that's the space of engagement, you can still be effective as long as you're focused on making your approach behaviorally based so they're responsive to it. Because a

lot of times you might really piss off someone. You might make them angry, but if you have content or something about them that they really want to know, they will click on things they shouldn't. They will talk to you even though they haven't gone into who are you really? I haven't seen you around here. People aren't always doing that. If you catch them at a time in their life when they're just not grounded, they're more vulnerable to that kind of stuff. I think that's it for questions. I'm around if you want to talk more. Thank you everybody. [Music]