The phony Facebook pages looked just like the real thing. They were designed to mimic pages that service members use to connect. One appeared to be geared toward a large-scale, military exercise in Europe and was populated by a handful of accounts that appeared to be real service members.

In reality, both the pages and the accounts were created and operated by researchers at NATO’s Strategic Communications Center of Excellence, a research group that's affiliated with NATO. They were acting as a "red team" on behalf of the military to test just how much they could influence soldiers’ real-world actions through social media manipulation.

The group "attempted to answer three questions,” Nora Biteniece, a software engineer who helped design the project, told WIRED. “The first question is, What can we find out about a military exercise just from open source data? What can we find out about the participants from open source data? And, can we use all this data to influence the participants’ behaviors against their given orders?”

The researchers discovered that you can find out a lot from open source data, including Facebook profiles and people-search websites. And yes, the data can be used to influence members of the armed forces. The total cost of the scheme? Sixty dollars, suggesting a frighteningly low bar for any malicious actor looking to manipulate people online.

SIGN UP TODAY Get the Backchannel newsletter for the best features and investigations on WIRED.

StratCom published its findings last week in a new report, which Biteniece, her coauthor Sebastian Bay, and their fellow StratCom researchers presented Thursday at an event on social media manipulation at the United States Senate. The experiment underscores just how much personal information is free for the taking on social media, and, perhaps even more troubling, exactly how it can be used against even those of us who are the best positioned to resist it.

“We’re talking professional soldiers that are supposed to be very prepared,” says Janis Sarts, director of NATO StratCom. “If you compare that to an ordinary citizen … it would be so much easier.”

Many of the details about how the operation worked remain classified, including precisely where it took place and which Allied force was involved. The StratCom group ran the drill during an exercise with approval of the military, but service members weren't aware of what was happening. Over four weeks, the researchers developed fake pages and closed groups on Facebook that looked like they were associated with the military exercise, as well as profiles impersonating service members both real and imagined.

To recruit soldiers to the pages, they used targeted Facebook advertising. Those pages then promoted the closed groups the researchers had created. Inside the groups, the researchers used their phony accounts to ask the real service members questions about their battalions and their work. They also used these accounts to "friend" service members. According to the report, Facebook's Suggested Friends feature proved helpful in surfacing additional targets.

The researchers also tracked down service members' Instagram and Twitter accounts and searched for other information available online, some of which a bad actor might be able to exploit. “We managed to find quite a lot of data on individual people, which would include sensitive information,” Biteniece says. “Like a serviceman having a wife and also being on dating apps.”

“Everybody has a button. The point is, what’s openly available online is sufficient to know what that is.” Janis Sarts, director of NATO StratCom

By the end of the exercise, the researchers identified 150 soldiers, found the locations of several battalions, tracked troop movements, and compelled service members to engage in “undesirable behavior,” including leaving their positions against orders.

“Every person has a button. For somebody there’s a financial issue, for somebody it’s a very appealing date, for somebody it’s a family thing,” Sarts says. “It’s varied, but everybody has a button. The point is, what’s openly available online is sufficient to know what that is.”

Members of the military happen to be particularly high-profile targets for scams like catfishing and sextortion. Recently, a group of inmates in South Carolina were busted for allegedly blackmailing 442 service members using fake personas on online dating services. Not only can these tactics hit service members' wallets, they may also represent a security risk if the victims have access to sensitive information.