Social Mapper automates the intel-gathering process for social engineers.

Despite all the recent advances in digital security, phishing remains one of the most dangerous threat vectors for cyberattacks.

While even the least tech-savvy users can now be expected to treat unsolicited emails promising untold fortunes with suspicion, criminals are becoming increasingly sophisticated in their methods.

Instead of casting the net wide, targeted spear-phishing attacks are fast becoming the preferred route of entry for black hats looking to steal company data or inject malware into unsuspecting systems.

So how do criminals decide who to target? Thanks to social media, the answer is often in plain sight, as Facebook, LinkedIn, and other services readily serve up key employee information that allows them to craft the perfect phishing email.

Mapping the target

Issues surrounding human error and phishing are unlikely to disappear any time soon, and as such social engineering remains high on the list for pen testers and red teamers.

Fortunately, the task of emulating criminal behavior has just been made easier, thanks to Trustwave, which last week rolled out Social Mapper, an open source intelligence tool designed to help source targets by locating and correlating their presence on social media via facial recognition.

Unveiled at Black Hat USA, Social Mapper is first publicly available tool of its kind that enables pen testers to perform social media analysis and gather target data with speed and efficiency.

Karl Sigler, threat intelligence manager of Trustwave’s SpiderLabs research division, walked The Daily Swig through the tool in Las Vegas last week.

“Social Mapper takes somebody’s name and a photo of their face,” he said. “Then it scrapes various social networks for correlations – LinkedIn, Facebook, Twitter, Google+, Instagram, Weibu, VKontakte, and Douban.

“Normally this would be a manual process. If we knew, for example, that John Smith is working for the target company, we want to know who his manager is, we want to know what his dog’s name is, and any information, we need to craft the perfect phishing email.”

Sigler added: “There are obviously lots of John Smiths out there. But the facial recognition technology allows us to zero in on the exact John Smith that we are interested in at that specific moment, and we can automate the entire process.”

Mapping at scale

Perhaps one of the most useful features of Social Mapper is that it can be deployed at scale.

One of example of the tool’s use, says Sigler, would be a security practitioner who wants to build a target profile on a company.

Social Mapper could be used to scrape thousands of employees from LinkedIn and find their associated profiles on other sites such as Facebook and Twitter.

“This would help us target them directly in a social engineering attack,” he said.

Reducing exposure

Phishers are honing their craft, and social media provides a treasure trove of potentially useful information on employees of a target organizations.

So where does this leave individuals and companies looking to reduce their exposure?

Social media mapping relies on two key data points: name and photo. Anyone looking to avoid the attention of social engineers might well consider changing these to obscure their identity.

Users should also ensure they lock down their privacy settings in order to reduce the amount of personal information that can be viewed by strangers.

Given the ongoing problem of phishing attacks being launched against businesses, many organizations would no doubt prefer a world in which there was no social media at all.

It’s clear that this won’t happen any time soon, however, and so the best defense against corporate phishing involves ensuring staff are educated and alert to social engineering – a technique that’s being increasingly utilized by criminals and pen testers alike.


The open source Social Mapper intelligence tool is available on GitHub.