Performing intelligence gathering on is a time-consuming process, typically starting by attempting to find a person's online presence on a variety of social media sites.
While this is an easy task when there are only a few targets, it can become incredibly tedious when done at scale.
To answer this need, Trustwave has announced the release of Social Mapper, an open source intelligence tool that uses facial recognition to correlate social media profiles across a number of different sites on a large scale.
Trustwave, which provides ethical hacking services, has successfully used the tool in a number of penetration tests and red teaming engagements on behalf of clients.
It takes an automated approach to searching popular social media sites for names and pictures of individuals to accurately detect and group a person's presence, outputting the results into a report that a human operator can quickly review. It's primarily aimed at penetration testers and red teamers, who will use it to expand their target lists, aiding them in social media phishing scenarios.
Its primary benefit comes from the automation of matching profiles and the report generation capabilities.
As the security industry continues to struggle with talent shortages and rapidly evolving adversaries, it is imperative that a penetration tester's time is utilized in the most efficient means possible.
Social Mapper supports the following social media platforms:
Once Social Mapper has finished running and the reports have been collected, here are some examples of how pentesters can use the information generated. They can:
- Create fake social media profiles to 'friend' the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
- Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
- Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
- View target photos looking for employee access card badges and familiarise yourself with building interiors.