Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Mapping Social Media with Facial Recognition: A New Tool for Penetration Testers and Red Teamers

Performing intelligence gathering is a time-consuming process, it typically starts by attempting to find a person's online presence on a variety of social media sites. While this is a easy task for a few, it can become incredibly tedious when done at scale. What if it could be automated and done on a mass scale with hundreds or thousands of individuals?

Introducing Social Mapper an open source intelligence tool that uses facial recognition to correlate social media profiles across a number of different sites on a large scale. Trustwave, which provides ethical hacking services, has successfully used the tool in a number of penetration tests and red teaming engagements on behalf of clients. It takes an automated approach to searching popular social media sites for names and pictures of individuals to accurately detect and group a person's presence, outputting the results into a report that a human operator can quickly review.

Social Mapper supports the following social media platforms:

  • LinkedIn
  • Facebook
  • Twitter
  • Google+
  • Instagram
  • VKontakte
  • Weibo
  • Douban

It's primarily aimed at penetration testers and red teamers, who will use it to expand their target lists, aiding them in social media phishing scenarios. Its primary benefit comes from the automation of matching profiles and the report generation capabilities. As the security industry continues to struggle with talent shortages and rapidly evolving adversaries, it is imperative that a penetration tester's time is utilized in the most efficient means possible.

Once social mapper has finished running and you've collected the reports, what you do then is only limited by your imagination, but here are a few ideas:

  • Create fake social media profiles to 'friend' the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
  • Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
  • Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
  • View target photos looking for employee access card badges and familiarise yourself with building interiors.

So, without further ado, let's get into how it works:

At a low level, Social Mapper works by running through 3 main stages. The first is target parsing, it creates a list of targets based on the input you give it. A social mapper target consists of a name and a picture of that person. These can be provided via links in a csv file, images in a folder or via people registered to a company on LinkedIn.

Picture1 Example of the CSV input type with Names and Links

Picture2 Example of the image folder input type with named images

Picture3 Example of the company name input type gathering targets from a LinkedIn company

Once the targets are processed, stage 2 of social mapper kicks in and it starts searching for these people online. It does this by instrumenting the Firefox browser, logging into the afore mentioned supported social media sites and begins searching for targets by name. It pulls out the top results from this search (usually between 10 and 20) and starts downloading the profile pictures and performing facial recognition checks to try and find a match. It's possible to tweak the way it performs via various parameters when the tool starts with options such as: if the program should keep searching after an initial match is found for a better one, and to change the thresholds of the facial recognition to remove more false positives at the risk of missing legitimate profiles.

Picture4 Social Mapper running on a single target, matching a Facebook & Instagram account

Picture5 Social Mapper running on a large batch of users, finishing searching LinkedIn and moving to search Google Plus

This stage of the program can take a long time to run. For target lists of 1000 people it can take more than 15 hours and use a large amount of bandwidth, depending on which options are selected. I would recommend running the tool overnight on a machine with a good internet connection for these reasons.

Once all the social media sites have been checked, stage 3 of the tool kicks in and it starts generating your reports and data. Social Mapper has a variety of output; it generates a csv file with links to the profile pages of the target list and a more visual HTML report that can be handy for quickly checking and verifying the results.

Picture6 Example of Social Mappers HTML report

Picture7 Example of a Social Mapper CSV report

It also has the option to generate lists for each site checked with a person's name, potential work email based on a provided format and the link to their profile. This aim of this is to be useful for taking forwards into phishing campaigns, knowing that this person has a social media profile on a specific site and can then be targeted with pretexts that include their profile picture for added realism.

Picture8 Example of Facebook CSV Output

Unfortunately, due to company privacy concerns I was unable to show you Social Mapper running on a large set of targets in this post. I encourage you to give it a try on a LinkedIn Company and see it run on 100s of targets. For an albeit fuzzy look at what that looks like here is a heavily blurred image, just to give you a sense of the scale that Social Mapper runs at.


Example of a Social Mapper CSV report when run on a large company, this is 50 results of the found 759.

I hope you will find tool useful and use it in new and innovative ways. You can find more information on running the tool on the Trustwave SpiderLabs GitHub page. Please report any bugs you find and feel free to drop in some feature requests if you have any ideas for improvement. And of course, tweet me @Jacob_Wilkin with any success stories you have using Social Mapper!


Latest SpiderLabs Blogs

Network Isolation for DynamoDB with VPC Endpoint

DynamoDB is a fully managed NoSQL database service offered by Amazon Web Services (AWS). It is renowned for its scalability, dependability, and easy connection with other AWS services....

Read More

The Underdog of Cybersecurity: Uncovering Hidden Value in Threat Intelligence

Threat Intelligence, or just TI, is sometimes criticized for possibly being inaccurate or outdated. However, there are compelling reasons to incorporate it into your cybersecurity defense strategy....

Read More

Clockwork Blue: Automating Security Defenses with SOAR and AI

It’s impractical to operate security operations alone, using manual human processes. Finding opportunities to automate SecOps is an underlying foundation of Zero Trust and an essential architecture...

Read More