The company says the tool, called Social Mapper, is designed for penetration testers who often phish employees at client companies to test security measures and gain access to computers. By showing how actual attackers can convince workers to give up their login credentials to scammers, testers can help companies put in training and technical countermeasures to make those attacks less feasible.
“The tool basically came out of necessity,” says Karl Sigler, threat intelligence manager at Trustwave. “Over the years we’ve discovered that a lot of the compromises and breaches that we get engaged in, in general the initial footprint, comes from a social engineering attack.”
Social Mapper users provide their own login credentials to various social networks, along with a file specifying names and facial images of the people they’re interested in targeting. The tool then logs into specified social networks such as Facebook, LinkedIn, Instagram, VKontakte and Weibo and uses the sites’ search tools and open source facial recognition tools to find and log likely matches. Once matches are found, testers can either friend the matched users on the social media sites and send them phishing links or use data from the sites to craft personalized phishing emails, Trustwave researcher Jacob Wilkins suggested in a blog post.
“Gathering all that information allows us to create very compelling spearphishing letters if you will,” says Sigler.
Trustwave has already used the tool in its penetration work to eliminate tedious manual social media research, according to the post.
“It’s really not that complex—we’re not using any API,” Sigler says. “Really, it’s just a matter of having an account on that social network and accessing publicly available data.”
Still, the tool has raised some concerns about whether it could be used for malicious purposes or to violate people’s privacy.
“A tool like this can enable somebody to surface information about social media users that those users do not expect to fall into the hands of a third party,” says Matt Cagle, a technology and civil liberties attorney at the American Civil Liberties Union of Northern California. “It’s really important that the people behind the tools think about the responsibility they have to make sure these tools are not ripe for misuse.”
Many social networks make profile information like names and profile photos visible by default, Cagle says. Facebook recently took some steps to limit automated scraping of accounts on the site by disabling a feature that let users search for potential friends by email address or phone number, after finding it was used to systematically gather public profile data on many of the service’s users. The company is contacting Trustwave about Social Mapper, a spokesperson said.
“We’re reaching out to the Social Mapper team to discuss their tool and reinforce the importance of compliance with our terms of service,” the spokesperson said in an email to Fast Company. “To be clear, use of automated tools to scrape content is against our policies aimed at keeping people on Facebook safe.”
LinkedIn, which has recently been involved in a legal battle with a company that scrapes data from its site, didn’t respond to an inquiry from Fast Company about Social Mapper.
Sigler says that many malicious hackers likely already have tools they can use to systematically scrape social media sites for phishing purposes, whether they use facial recognition software or just manually match facial images to other sources of data. Social Mapper doesn’t have access to any data that’s not already public, he says.
“It’s always a cat-and-mouse-type game—we’re trying to emulate the techniques we already see criminals using,” he says. “It’s nothing that hasn’t really already been done.”