Social Media

Social Media platforms such as LinkedIn, Facebook and Twitter can be a goldmine of information. LinkedIn is especially abundant because it allows (and encourages) people to post information about their skills and experiences. For example, we can go to the Apple LinkedIn page or Google dork to find their employees, and from there drill down into their profiles. This is useful for getting insight into the possible technology stacks and business processes being used.

Many people also cross-link their social media profiles, so you can find their Twitter/Facebook/Instagram/etc accounts as well. Phishing is still the most prevalent method of compromising a target and gathering both professional and personal information on targets goes a long way to making those pre-texts convincing and enticing.

You can also find automated scraping tools such as LinkedInt. However, in the case of LinkedIn, they often violate their user agreements, leading to your account being banned. If you have to use an account for scraping purposes, make sure it's a "burner".

Websites such as hunter.io can be used to discover the email address of employees. If we enter apple.com, it tells us that the most common pattern for that domain is {f}{last}@apple.com. This means that we don't actually have to find everybody's email address explicitly, but simply guess based on this pattern. We could scrape a list of Apple employees from LinkedIn and transform their names into email address. For instance, Steve Jobs would become s.jobs@apple.com. They won't all be correct, but hopefully, a good proportion would be.