Trustwave shows how the latest advancements in technology could be used to aid cybercriminal activity.
One of the strongest credibility signals in any phishing scam is a request that appears to come from someone the victim knows. It is the very reason sender addresses are spoofed, so that a password-reset email appears to come from your bank. Trustwave, a provider of ethical hacking services, recently released Social Mapper, a tool that uses facial recognition to identify the social media accounts associated with an individual.
Covering the major sites (Facebook, Twitter, Google+, LinkedIn, and Instagram), the tool is used by Trustwave during penetration tests to identify potential targets within a customer organization for social media phishing attacks that test the customer's user security.
While Trustwave is using this technology to improve the security of their customers, they point out how facial recognition could be used by cybercriminals to improve the accuracy and effectiveness of phishing scams.
Some examples include:
- Improving the "your social media account needs to be reset" scam by including the user's actual profile picture in the phishing email.
- Creating a phony social media profile to "friend" potential victims and then sending them links to malware or to fake pages that mimic the social media site's logon page to capture credentials.
- Quickly doxing potential victims' social media accounts and using the details shared there as pretext material for whaling scams against executives.
The possibilities are nearly endless.
While Trustwave only plans to use this new tool for good, its existence demonstrates how such technology could further the efforts of cybercriminals. Keep in mind that facial recognition only speeds up the process; a cybercriminal set on attacking a specific victim can simply take the time to find all of that person's social media accounts manually.
Whether facial recognition is used or good old-fashioned manual labor does the job, this misuse of social media account information should serve as a warning of just how easy it can be to fool one of your users. In practice that means teaching users that a familiar name or photo in a message is not proof of authenticity, and that account reset requests should be acted on only by navigating to the site directly rather than through links in the message. Keeping users up to speed on the latest attack methods and how they can better protect themselves (and the organization) via Security Awareness Training is the most effective way to minimize the risk associated with social media-based phishing attacks.