Researchers at Trustwave Holdings have just released a new open-source tool called Social Mapper that uses facial recognition to track subjects across several social media networks. Trustwave is an information security company based in Chicago that provides ethical hacking services as well as threat, vulnerability and compliance management services and technologies.
The tool automatically locates profiles on Facebook, Instagram, Twitter and LinkedIn from nothing more than a person's name and a photograph. Trustwave says it was designed for security researchers who carry out social engineering engagements, but the fact that it has been made freely available for download on GitHub is a bit fishy.
In its blog post, Trustwave describes intelligence gathering as "a time-consuming process" that usually begins with trying to find a single person's online presence across a variety of social media sites. Done by hand, that obviously becomes tedious as soon as it has to be repeated at any scale.
"What if it could be automated and done on a mass scale with hundreds or thousands of individuals?" Automating the process means these searches can be run much faster, and against many people at once.
Trustwave makes this sound exciting, but we are sceptical and fail to see how such a service brings any value to mankind. In fact, judging by the blog post itself, it sounds as though it could do more harm than good.
For instance, they go on to suggest what you can do once Social Mapper has finished running and you have collected its reports, with a remark about what even a "limited imagination" might come up with.
The suggestions include creating fake social media profiles to "friend" the targets and then sending them links to credential-capturing landing pages or downloadable malware. An attacker could also lure users into disclosing their email addresses and phone numbers with vouchers and special offers, and use those to pivot into phishing, vishing or smishing.
Beyond that, custom phishing campaigns can be tailored to each social media site once it is known that the target holds an account there. Finally, the photographs of targets can be reviewed for visible employee access cards.
That is not all: Trustwave's post goes on to explain in detail how the tool works.
While there are a few restrictions on who may use the program, Social Mapper is licensed as free software on GitHub, and we are genuinely concerned about what good it does. Trustwave is supposed to be a threat management company, not a company that makes hacking simpler.
We still cannot work out from the blog post what the tool's true purpose is, and we hope Trustwave makes that clear before it falls into the wrong hands. We are worried.