'Cree.py' Social Engineering Tool Pinpoints A Person's Physical Location

A savvy and determined social engineer can gather and manually correlate the geolocation tags of his or her target's social network or other online posts. But a new, free tool automates that process of creeping around and finding the physical location of a targeted person. "Cree.py" makes it easier for social engineers to track the physical whereabouts of their targets -- it grabs geolocations from Twitter and Foursquare, as well as Twitpic, Flickr, and others.

Yiannis Kakavas, an independent researcher at the Royal Institute of Technology in Stockholm, Sweden, says he built the tool -- currently in beta -- to raise awareness of how easy it is for the physical location you share online to be abused. "By making the process of retrieving and analyzing all the shared location-specific information that users share easy and automated, I hoped to make clear how easy it is for someone to stalk you, rob you, find out where you've been, and why," Kakavas says. "The second goal was to create a tool to add in one's social engineering toolbox that would facilitate information gathering for geolocation information."

The privacy and security risk with all of the geolocation tagging in today's social networking applications has been disconcerting to security experts and privacy advocates. Users today can include their physical locations when they tweet, post pictures from Flickr, or check in on Foursquare.

Kakavas says the information Cree.py gathers can be used for reconnaissance on a target, such as where he lives, when he's at home, or when he's traveling and to where. "It can also be used to create behavioral models of the target regarding the places he/she frequents -- coffee shops, gym, favorite restaurants, etc. -- [and] traveling patterns, among others. These behavioral patterns can be very useful in social engineering when it comes to pretexting. It can be used to create trust relationships with the target based on supposedly common interests or experiences," he says.

From there, an attacker can take it to another level, impersonating the target, for example, to social-engineer another user into handing over a password or other sensitive information, he says.

"Cree.py is just that -- CREEPY, but what a great tool to gather information and building profiles on targets," blogged the social engineering professionals at social-engineer.org, which provided screen shots of how it works. "It also should be a very rude awakening to how much information we release."

It works like this for Twitter: The social engineer feeds Cree.py the target's Twitter handle, for example, and it takes it from there, pulling together geolocation information and links to photos on img.ly, yfrog, twitpic, analyzing the photos' metadata for GPS information. "It presents all the retrieved information in an easy-to-view manner [with] locations in an embedded map, which you can also export for further analysis," Kakavas says. It also links to Foursquare check-ins to get geolocation information.

It can take anywhere from two to 15 minutes for Cree.py to determine the target's physical location, and much of that is the recon part. "It depends on the number of the user's tweets and how many of them actually contain some geolocation information," he says. "The most time-consuming process is actually the retrieval of the user's tweets, photos from image hosting services, and not the analysis for geolocation information."

Cree.py can be downloaded from the Cree.py website.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.