Craft Attacks from Geographic Location Data on Social Media Using Creepy

Cree.py is an open source intelligence tool dedicated to determining a victim's geographic location (exact longitude and latitude) based on their social media posts. This article provides a tutorial on what you can do with Creepy and how you can use it to your advantage.

How to Use Creepy
To begin, you can download Creepy for Windows and OSX here: https://www.geocreepy.com/

Once downloaded, install and open Cree.py.

Below is a display of the Creepy GUI. Firstly, we must configure the social media plugins correctly. To do this, click on the third icon from the left, “plugins configuration”, as circled in the screenshot below.

You will see four plugins: Twitter, Google+, Flickr and Instagram. Each plugin needs to be configured so that we can access social media posts of our victim on each social media platform. The “test plugin configuration” button will notify us if the plugin is correctly configured. If it is not correctly configured, we can run the configuration wizard as shown below.

After logging in, we must provide the allocated PIN to configure the specific plugin. We can now begin targeting either a specific victim or a location.

To specify a person-based project, click on the person icon. Firstly, name your project and give it a description (this is for your reference only). Next, you can conduct a search based on full name, username or e-mail address. You can try all three and allocate targets as necessary, based on these searches, as shown below.

Once you have a list of targets, you can right-click on your project and select “analyze project”. After analysis, a list of tweets surrounding geographic locations will be presented.

You can quickly get a picture of where your target lives, works or spends a lot of time (depending on where their tweets were created).

How to USE Creepy Creatively
Now that you have some locations your target frequents, you can find further information, possibly for social engineering attacks. For example, you might be able to determine that their most frequent location is their workplace. In this case you can find other individuals who frequent this location within the same time period. To do this, create a “location based project” and indicate the location you wish to specify. This will generate a list of all users who frequent this location based on their social media posts.

This is when finding work colleagues can come in handy and you can get creative with social engineering attacks. For example, you could find social media posts from work colleagues and use their topics/style of writing in phishing attacks. You can also use your victim’s locations to determine regular places they may visit, such as restaurants and cafes, in which attacks can be conducted where they least expect it. For example: do they connect to the free wireless internet at cafes they frequent?

Furthermore, some additional information can be found in the analysis tab of each project.

From the above project information, not only do we have our victim’s home/work/leisure location, we also have the type of device they are using (iPhone) and the hour period in which they most likely update social media. With a bit of creative thinking, this information can be used to create a broad picture of our target and be utilized for further attacks.

Mitigation Strategies
To mitigate this OSINT geolocation enumeration, users should disallow all geolocation settings on ALL social media platforms. Furthermore, users should be very careful when tagging or being tagged in social media posts that blatantly display location.
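
To see which of your own posts already expose location before applying the mitigation above, the following added example (not from the original article or the Creepy project) audits an export of your own posts and flags places that recur, since repeated coordinates and posting hours are what reveal home or work. The record fields `id`, `created_at` and `coordinates` are assumed names for a generic export, and the sample posts are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an account owner's own exported posts.
# Field names are assumptions, not any platform's real export schema.
SAMPLE_POSTS = [
    {"id": "1", "created_at": "2024-03-04T08:55:00", "coordinates": (51.50072, -0.12462)},
    {"id": "2", "created_at": "2024-03-05T09:02:00", "coordinates": (51.50079, -0.12458)},
    {"id": "3", "created_at": "2024-03-05T21:30:00", "coordinates": None},
    {"id": "4", "created_at": "2024-03-06T09:10:00", "coordinates": (51.50069, -0.12470)},
    {"id": "5", "created_at": "2024-03-09T13:15:00", "coordinates": (48.85837, 2.29448)},
]


def audit_geotags(posts, precision=3, repeat_threshold=2):
    """Return (geotagged_ids, repeated_places) for your own exported posts.

    precision=3 rounds coordinates to cells of roughly 100 m, so posts made
    from the same building fall into one cell. A cell that reaches
    repeat_threshold posts is reported with its post ids and the hours of day
    seen there, i.e. the posts to delete or strip of location first.
    """
    geotagged = []
    cells = defaultdict(list)
    for post in posts:
        coords = post.get("coordinates")
        if not coords:
            continue  # no location attached: nothing to leak
        lat, lon = coords
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            continue  # malformed coordinates in the export, skip
        geotagged.append(post["id"])
        hour = datetime.fromisoformat(post["created_at"]).hour
        cells[(round(lat, precision), round(lon, precision))].append((post["id"], hour))

    repeated = {}
    for cell, hits in cells.items():
        if len(hits) >= repeat_threshold:
            repeated[cell] = {
                "post_ids": [post_id for post_id, _ in hits],
                "hours": sorted({hour for _, hour in hits}),
            }
    return geotagged, repeated


if __name__ == "__main__":
    tagged, places = audit_geotags(SAMPLE_POSTS)
    print("Posts carrying coordinates:", tagged)
    for cell, info in places.items():
        print("Recurring place", cell, "->", info)
```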