Researchers from information security company Trustwave yesterday released Social Mapper, a facial recognition tool that scans social media networks.
Social Mapper is marketed as “an open source intelligence tool” for security researchers performing targeted phishing attacks.
“Social Mapper does not perform these attacks, it gathers you the data you need to perform them on a mass scale,” reads the GitHub page, which then lists “a few ideas to get started.” These ideas include creating fake social media profiles to befriend the “targets” and then send them “links or malware,” tricking users into disclosing their email addresses, creating custom phishing campaigns, and “view[ing] target photos looking for employee access card badges and familiarise yourself with building interiors.”
While other social media tracking tools need API access to the various networks, Social Mapper does not. The program takes the “targets” provided by the user (a “target” consists of a name and a picture) and, using Firefox, searches for each target by name, downloads the top results, and then compares the profile pictures.
According to the developer, Jacob Wilkin, the searching and comparing can take a while, up to 15 hours to look through a list of 1000 people. The program scans LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo, and Douban, searching for profiles. The result of the search is a spreadsheet of confirmed accounts.
The program is open source, licensed as free software, and available on GitHub.
“(S)ince the tool is now available in open-source, anyone including bad actors or intelligence agencies can reuse facial recognition tech to build their own surveillance tools to search against already collected trove of data,” says Swati Khandelwal from The Hacker News.
Wilkin is presenting on Social Mapper today at Black Hat USA, an information security event, in Las Vegas.
