Trustwave has developed and released a free tool companies can use to help them create realistic phishing emails for use with in-house training programs.
The tool, called Social Mapper, enables pen testers to quickly dig up basic information on an employee's social media activity, giving them the intelligence needed to make a phishing email appear legitimate, said Karl Sigler, Trustwave's threat intelligence manager.
Social Mapper only needs two pieces of information to begin: the person's name and a photograph. It then scrapes eight social media sites (LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo and Douban) to discover which of these the employee uses, Sigler said. The photo is usually pulled from a company source, such as an ID badge or a headshot from the About Us area of a website, and facial recognition software is then used to match the person to profiles on each social media site.
Sigler made it clear the software does not grab any details other than name and the photo from the social media accounts.
Once it completes scraping these sites, the software creates a table populated with the employee's name and the social media sites on which he or she is active. At this point, it is up to the pen testers to figure out how best to use this information.
Some suggestions from Trustwave are to create “fake social media profiles to friend the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email,” the company said in a blog on the topic.
Other ideas included creating custom phishing campaigns for each social media site on which the target is known to have an account, in order to capture usernames and passwords, and viewing target photos to look for employee access card badges and to become familiar with building interiors.