Cree.py Social Engineering Tool Pinpoints A Persons Physical Location

  /     /     /  
Publicated : 22/11/2024   Category : security


Cree.py Social Engineering Tool Pinpoints A Persons Physical Location


Free tool automates process of pulling geolocation, other information on targets



A savvy and determined social engineer can gather and manually correlate the geolocation tags of his or her targets social network or other online posts. But a new, free tool automates that process of creeping around and finding the physical location of a targeted person. Cree.py makes it easier for social engineers to track the physical whereabouts of their targets -- it grabs geolocations from Twitter and Foursquare, as well as Twitpic, Flickr, and others.
Yiannis Kakavas, an independent researcher at the Royal Institute of Technology in Stockholm, Sweden, says he built the tool -- currently in beta -- to raise awareness of how easy it is for the physical location you share online to be abused. By making the process of retrieving and analyzing all the shared location-specific information that users share easy and automated, I hoped to make clear how easy it is for someone to stalk you, rob you, find out where youve been, and why, Kakavas says. The second goal was to create a tool to add in ones social engineering toolbox that would facilitate information gathering for geolocation information.
The privacy and security risk with all of the geolocation tagging in todays social networking applications has been disconcerting to security experts and privacy advocates. Users today can include their physical locations when they tweet, post pictures from Flickr, or check in on Foursquare.
Kakavas says the information Cree.py gathers can be used for reconnaissance on a target, such as where he lives, when hes at home, or when hes traveling and to where. It can also be used to create behavioral models of the target regarding the places he/she frequents -- coffee shops, gym, favorite restaurants, etc. -- [and] traveling patterns, among others. These behavioral patterns can be very useful in social engineering when it comes to pretexting. It can be used to create trust relationships with the target based on supposedly common interests or experiences, he says.
From there, an attacker can take it to another level, impersonating the target, for example, to social-engineer another user into handing over a password or other sensitive information, he says.
Cree.py is just that -- CREEPY, but what a great tool to gather information and building profiles on targets,
blogged
the social engineering professionals at social-engineer.org, which provided screen shots of how it works. It also should be a very rude awakening to how much information we release.
It works like this for Twitter: The social engineer feeds Cree.py the targets Twitter handle, for example, and it takes it from there, pulling together geolocation information and links to photos on img.ly, yfrog, twitpic, analyzing the photos metadata for GPS information. It presents all the retrieved information in an easy-to-view manner [with] locations in an embedded map, which you can also export for further analysis, Kakavas says. It also links to Foursquare check-ins to get geolocation information.
It can take anywhere from two to 15 minutes for Cree.py to determine the targets physical location, and much of that is the recon part. It depends on the number of the users tweets and how many of them actually contain some geolocation information, he says. The most time-consuming process is actually the retrieval of the users tweets, photos from image hosting services, and not the analysis for geolocation information.
Cree.py can be downloaded
from the Cree.py website
.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Cree.py Social Engineering Tool Pinpoints A Persons Physical Location