SCALED-UP CYBERSTALKING. If you want to get to know someone on the sly, you might check out their Facebook profile. Hackers do the same thing when they’re gathering intel for phishing or malware attacks, but on a much larger scale. They use automated tools to gather information on hundreds – or even thousands – of people across all their online profiles.
On August 8, researchers from information security company Trustwave releasedSocial Mapper, an open-source facial recognition tool designed to help good, white hat hackers keep up with bad, black hat hackers. But in attempting to level the playing field, Trustwave may have inadvertently just created more bad guys.
GATHERING INTEL. Social Mapper uses facial recognition to track a person across eight social media platforms. To start, the user just feeds the system a list of names with a single photo of the person. Then, Social Mapper searches for those people by name on the social media platforms.
This could turn up a number of matches (after all, some names are fairly common), so the next step is using facial recognition technology to match the right profile to the target. This process isn’t exactly fast — it takes about 15 hours for Social Mapper to work through a list of 1,000 names — but it is faster than doing it manually.
Finally, Social Mapper creates a report on the targets based on all the information it gathered. This could include links to all their profiles, all of their profile photos, and any emails associated with their accounts.
ONLINE RECON. When we sneak a peak at someone’s online profile, it might just be because we’re thinking about dating them (or maybe they’re dating an ex of ours). But why would someone want to see all the profile information for hundreds of people all at once?
Well, according to the Trustwave team, hackers gather this info for a wide variety of reasons.
They might target the social media accounts of all the employees of one company, looking for images that include their access card badges or work interiors. They might also use the info they gather to customize phishing attempts, for example, by including the target’s photo in the email to give it an air of authenticity.
FOR THE GOOD GUYS. The team says they created Social Mapper for use by “penetration testers and red teamers,” people or groups that probe sites, apps, and networks for security vulnerabilities. As a Trustwave spokesperson told Gizmodo, hackers “are already using or most likely have” tools and technologies like Social Mapper, so by making their tool open-source, they’re simply leveling the playing field.
Still, if any hackers didn’t already have such a tool prior to the release of Social Mapper, they do now.