A new open-source tool that uses facial recognition can track users across social media sites for free.
The tool, dubbed Social Mapper, was originally designed for security researchers who perform social engineering attacks. The app can easily track users’ profiles on social media networks based on a name and picture. As a result, accounts can be tracked on networks such as Facebook, Instagram, Twitter, LinkedIn, Google+, the Russian social media platform VKontakte, and the Chinese platforms Weibo and Douban.
The tool enables users to perform the scans manually and automatically, so it can work faster “on a mass scale with hundreds or thousands of individuals”.
According to Trustwave, intelligence gathering usually takes some time.
“Performing intelligence gathering online is a time-consuming process, it typically starts by attempting to find a person's online presence on a variety of social media sites.”
Social Mapper works in the following three steps:
- Step 1 – Social Mapper compiles a detailed list of targets that includes names and pictures. The list can be supplied as a CSV file, as images in a folder, or as the users registered with a particular company on LinkedIn.
- Step 2 – Once the list of targets is processed, the tool automatically begins to look for targets across social media platforms.
- Step 3 – The open-source tool begins to generate reports. The reporting can include spreadsheets with links to the social media profiles, or an HTML report, which is more visual and includes pictures.
Nefarious uses of Social Mapper
Social Mapper can be used in order to:
- Create fake social media accounts in order to friend targets and send them malicious URLs or credential-capturing landing pages.
- Trick potential victims into revealing their personal information.
- Design highly sophisticated phishing campaigns.
- View the potential target’s pictures.
Social Mapper can look like a perfect solution for facilitating sophisticated phishing campaigns and intelligence gathering, due to its ability to generate lists for every website checked with a target’s “name, potential work email based on a provided format and the link to their profile”. Even so, security researchers note that it can also be a useful tool for security professionals and ethical hackers. At the end of the day, it was designed for good reasons, such as ethical hacking.
The tool is now available on GitHub and is licensed as free software. As a result, basically anyone can use it, even potential attackers.