In reply to a comment left a couple of weeks ago by a reader under the Osint Me setup part 3 – tools for finding people article, I have decided to cover the topic of creating OSINT accounts on various social media platforms.
For all intents and purposes, these will be fake accounts and as such they will most certainly be scrutinised (and sometimes closed) by the platforms.
According to CBS News, Facebook stated it removed 3.2 billion fake accounts between April and September 2019. Additionally, Facebook estimates that about 5% of all user accounts on their platform are fake.
It is reasonable to expect that a similar, or possibly even higher, percentage of fake accounts exists on other social media sites, and that these accounts belong to a wide variety of users: scammers, stalkers, privacy freaks, OSINT researchers, and members of law enforcement or intelligence agencies.
Accounts are monitored using a combination of algorithms and the human judgement of people hired to enforce compliance with the social media policies, so it’s important to take both of these factors into consideration.
1. Avoid VPN connections
VPNs are great for protecting user privacy and in fact, up to a couple of years ago, setting up social media accounts using a VPN connection worked perfectly fine.
This is no longer the case.
Nowadays, nearly all online content providers (the prime example is Netflix) identify and correlate IP address ranges that are known to be used for VPN services.
The result is either an immediate blacklist, where no connection to the platform is possible from an IP address associated with a VPN, or an alert raised by an algorithm which flags a newly created account as a higher risk and labels it potentially fraudulent / fake.
ADVICE: Do not use VPNs when creating OSINT accounts. Also, avoid creating those OSINT accounts (especially if they are to be used in law enforcement type of investigations down the line) from your home IP address. Instead, use a public network – it can be a hotel or bus WiFi, a coffee shop or an Internet cafe.
2. Use a dedicated (real!) mobile number
VOIP phone numbers provided at account registration are no longer as reliable as they used to be.
Likewise, creating an account without ANY phone number will make it short-lived. An increased number of searches conducted from this account will prompt a suspicious activity check and it will lock down the account until a real mobile number is provided.
ADVICE: Avoid using your own phone! In order to make your account appear like it is owned by a real person and not by a troll or a scammer, use a dedicated, pre-paid non-registered SIM, preferably operated out of a cheap smart phone that if need be can be reset to manufacturer’s default settings or completely disposed of.
If you want to put an additional degree of separation between you and your OSINT account, consider buying the SIM abroad.
3. Enable 2FA on the OSINT account
Two factor authentication is a security measure, but for our OSINT account it will perform a more important role.
Enabling 2FA will simply make it appear more real and more human. Real people frequently use 2FA for securing their accounts, so doing so in our case will score bonus points with the fake account detection algorithm.
The easiest way to do this is to use your dedicated mobile number for SMS based authentication. Normally this is not as secure as token or app authentication, but security is a secondary factor here.
In some cases you can successfully remove the phone number and 2FA a while after they have been implemented on the account.
4. Pick good photos for your profile
By “good” I mean photos that will convince any real person looking at your profile.
You want to prevent your profile from getting reported as a fake and investigated by the platform, but you also want to avoid alerting your target, who you must assume will at some point visit and look at your OSINT account.
In the recent Tricky Thursday post I recommended using the This Person Does Not Exist website to generate random face pics that can be used as the main face of your OSINT account.
You should definitely have more than one photo on your profile – because that is what most people do, they upload photos to social media. Some profiles are set to private so you actually can’t see all the photos, but their mere presence on the account improves its standing with the algorithm as well as the compliance people.
You can browse the web for personal photos visually resembling your AI generated mugshot. You can also be a little creative and change or edit the photos, or use group photos, photos of people wearing motorcycle helmets, ski masks, etc – whatever aligns with the hobbies you picked for your OSINT account.
ADVICE: Remember that every photo can be reverse-searched using Google or various online resources that compare images for similar variables.
Impersonating existing individuals is also NOT recommended, especially in cases when the results of your OSINT investigation are likely to be submitted for external review or legal disclosure.
5. Cultivate your OSINT persona
This means that you should put at least some effort into your profile development and maintenance. The easiest way to do it is to interact with a given platform in a way it was designed for: sharing, liking, re-posting and adding content.
Real people also join groups or subscribe to certain pages for updates. It doesn’t matter what it is, as long as the interaction with the platform and other users looks genuine. Obviously, it’s not a good idea to pick areas of interest that you focus on in real life, as you risk getting de-anonymised.
Things you should avoid during the cultivation process are controversial topics touching on politics, minorities, religion and other heavily-moderated subjects. Your interactions with the platform should be as generic, inoffensive and non-controversial as possible. The goal here is to avoid unwanted scrutiny and red flags associated with your OSINT profile.
If you really want to be consistent, you can tie down your OSINT fake person to a particular IP address, a specific geo-location, time pattern and so on. You might choose to cultivate your account with new posts, shares and group activity any time you are in a particular coffee shop using their WiFi.
DO NOT share your geo-location publicly – the purpose of this step is to create a repetitive pattern of credibility in the eyes of the platform user compliance team, nothing else.
Your OSINT account cultivation plan should start at the early stages of creating accounts. There is no harm in creating a couple of email addresses and social media profiles and just letting them stay dormant for a while.
You should avoid mass-creating accounts on the same machine, using the same IP address, from the same browser, etc. Social media platforms are very good at linking users and accounts together.
6. Consider linking your investigative accounts
This reflects another pattern of real accounts – a genuine user will likely have an account on Twitter, Facebook, Instagram and so on with similar personal information across all three. They probably also share the same email address and phone number.
ADVICE: To mix things up a little in order to pacify the ever watchful algorithms, you should consider accessing your accounts from time to time from a smart phone emulator or using your designated OSINT handset. After all, real users nowadays use mobile devices more frequently than desktops.
The accounts linking step is optional and it really only applies to accounts you want to keep long term. If you are conducting impromptu OSINT enquiries and will rely on disposable accounts, you might want to skip this part entirely.
Which brings us to the final step…
7. Clean up after yourself!
It is important to remember, as we mentioned in previous articles, that you should use a dedicated virtual machine or a dedicated laptop for OSINT activities.
One of many reasons why I consider it to be good practice is the fact that you can easily clean up your digital environment after you have concluded the investigation.
In anticipation of this you might opt for a disposable operating system like TAILS, which I discussed previously in this article.
The clean up process includes:
- resetting your virtual machine to a clean / default state;
- removing your browsing history, cookies and any downloaded files (remember to make backups or archive whatever you need);
- resetting your browser to default settings, or sometimes completely uninstalling the browser, if applicable;
- closing down accounts if you don’t wish to re-use them in the future.
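As an added example (not part of the original article), the following Python check confirms that a Firefox profile holds no leftover cookies or history visits after the clean-up steps above. It assumes Firefox is closed; the function names are hypothetical, and the profile created by `build_sample_profile` is constructed test data.

```python
import sqlite3
import tempfile
from pathlib import Path

# Firefox profile databases and the tables that hold cookies / visit history.
STORES = [("cookies.sqlite", "moz_cookies"), ("places.sqlite", "moz_historyvisits")]

def residual_artifacts(profile_dir):
    """Return {file: row_count} for stores that still hold rows after clean-up."""
    leftovers = {}
    for fname, table in STORES:
        db_path = Path(profile_dir).resolve() / fname
        if not db_path.exists():
            continue  # store deleted or never created: nothing left behind
        # Read-only URI so the check itself never modifies the profile.
        con = sqlite3.connect(db_path.as_uri() + "?mode=ro", uri=True)
        try:
            has_table = con.execute(
                "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                (table,),
            ).fetchone()
            count = con.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0] if has_table else 0
        finally:
            con.close()
        if count:
            leftovers[fname] = count
    return leftovers

def build_sample_profile(root, cleaned):
    """Constructed sample data: a minimal profile with or without leftovers."""
    root = Path(root)
    for fname, table in STORES:
        con = sqlite3.connect(root / fname)
        con.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, value TEXT)")
        if not cleaned:
            con.execute(f"INSERT INTO {table} (value) VALUES ('constructed-row')")
        con.commit()
        con.close()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("before clean-up:", residual_artifacts(build_sample_profile(tmp, cleaned=False)))
    with tempfile.TemporaryDirectory() as tmp:
        print("after clean-up: ", residual_artifacts(build_sample_profile(tmp, cleaned=True)))
```

An empty result means neither store carries rows that could contaminate the next case; any entry names the file that still needs clearing.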
So that’s it. I wrote this rough guide based on my own experiences with creating and maintaining OSINT accounts. Some of those accounts were closed on me in the past and my learning process was a trial and error approach.
If you have any suggestions or you feel like I forgot to mention something, let me know in the comments.
Thanks Matt
Just what I needed. Clear and easy to follow practical steps.
Good article! I’ve started to use different Firefox profiles for my OSINT accounts (through Firefox Profile Manager), and doing some cultivation of them by just browsing the Web with no adblockers etc on – review sites, news, lolz, things relevant to my legend’s occupation etc. The plan here is to build patterns in my cookies from the social media sites that look like a normal human rather than an investigator.
Hi!
I would like to know what are the reasons we should always do the clean up process after doing an OSINT investigation?
Thank you! 🙂
The short answer is: to avoid cross-contamination with cookies, previous history of browsing or search history. And anything else that might be problematic for your next case if you were to use the exact same investigative environment…