RESEARCHERS at US security company Trustwave have released a rather scary new open source tool called 'Social Mapper' that can be used to track "targets" across social media networks using facial recognition.
The potentially-devious tool works by taking an "automated approach" to searching popular social media sites for names and pictures of people you're looking to track. It can accurately detect and group a person's presence, outputting the results into a report that a human operator can quickly review.
"Performing intelligence gathering is a time-consuming process, it typically starts by attempting to find a person's online presence on a variety of social media sites," the company asked itself in a news release announcing the software.
"While this is an easy task for a few, it can become incredibly tedious when done at scale. What if it could be automated and done on a mass scale with hundreds or thousands of individuals?"
The firm answered its own question, touting Social Mapper - an "open source intelligence tool that uses facial recognition to correlate social media profiles across a number of different sites on a large scale" - as the solution.
Rather worryingly, Trustwave, which claims to be an ethical hacking service, as well as offering vulnerability and compliance management services technologies, said it has already successfully used the tool in a number of penetration tests on behalf of clients.
The tool supports all the popular (and not so popular) social networks, such as: LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo, Douban.
It's primarily aimed at penetration testers and red teamers, who will use it to expand their target lists, aiding them in social media phishing scenarios, the firm said.
"Its benefit comes from the automation of matching profiles and the report generation capabilities," said Trustwave. "As the security industry continues to struggle with talent shortages and rapidly evolving adversaries, it is imperative that a penetration tester's time is utilized in the most efficient means possible."
Once Social Mapper has finished collected its reports, Trustwave said what you do next is "only limited by your imagination".
Luckily for us, some of the most prominent figures in history have had great imaginations. Think Hitler, Stalin and President Mao...
And if you don't have any imagination, the company even gives you some ideas to get you started on your way to prying on and invading people's privacy.
One such way is using the tool to create fake social media profiles to 'friend' the targets and send them links to credential capturing landing pages or downloadable malware.
"Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email," Trustwave said. "Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing."
The other free idea Trustwave offered up was to create custom phishing campaigns for each social media site that you know the target has an account at.
"Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse," it continued. "View target photos looking for employee access card badges and familiarise yourself with building interiors."
Trustwave hopes that by releasing this tool, we will "find it useful" and use it in "new and innovative ways". Gulp.
What's even more worrying is that there are few restrictions on who can use Social Mapper, and it's licensed as free software and is freely available on GitHub. And thank goodness, because this is exactly what society needs. µ
It's the week in Google news
Erik Estrada wouldn't have stood for this
Hacks in support of WikiLeaks founder target gov websites