Trustwave releases facial recognition tool for pentesters

09 Aug 18

Performing intelligence gathering is a time-consuming process, typically starting by attempting to find a person’s online presence on a variety of social media sites.

While this is an easy task when there are only a few targets, it can become incredibly tedious when done at scale.

To answer this need, Trustwave has announced the release of Social Mapper, an open source intelligence tool that uses facial recognition to correlate social media profiles across a number of different sites on a large scale.

Trustwave, which provides ethical hacking services, has successfully used the tool in a number of penetration tests and red teaming engagements on behalf of clients.

It takes an automated approach to searching popular social media sites for names and pictures of individuals to accurately detect and group a person’s presence, outputting the results into a report that a human operator can quickly review.

It's primarily aimed at penetration testers and red teamers, who will use it to expand their target lists, aiding them in social media phishing scenarios.

Its primary benefit comes from the automation of matching profiles and the report generation capabilities.

As the security industry continues to struggle with talent shortages and rapidly evolving adversaries, it is imperative that a penetration tester’s time is utilized in the most efficient means possible.

Social Mapper supports the following social media platforms:

  • LinkedIn
  • Facebook
  • Twitter
  • Google+
  • Instagram
  • VKontakte
  • Weibo
  • Douban

Once Social Mapper has finished running and the reports have been collected, here are some examples of how pentesters can use the information generated. They can:

  • Create fake social media profiles to 'friend' the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
     
  • Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
     
  • Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
     
  • View target photos looking for employee access card badges and familiarise yourself with building interiors.