Cybersecurity firm Trustwave has released an open source tool that locates the social media accounts of large numbers of people across platforms by automatically matching names and profile pictures.

The company says the tool, called Social Mapper, is designed for penetration testers, who often phish employees at client companies to test security measures and gain access to computers. By showing how real attackers can convince workers to hand their login credentials to scammers, testers can help companies put in place training and technical countermeasures that make those attacks less feasible.

“The tool basically came out of necessity,” says Karl Sigler, threat intelligence manager at Trustwave. “Over the years we’ve discovered that a lot of the compromises and breaches that we get engaged in, in general the initial footprint comes from a social engineering attack.”

Social Mapper users supply their own login credentials for the social networks to be searched, along with an input file listing the names and facial images of the people they want to target. The tool then logs into the specified networks, such as Facebook, LinkedIn, Instagram, VKontakte and Weibo, runs each name through the site’s own search feature, and uses open source facial recognition to compare the returned profile photos against the supplied image, logging likely matches. Once matches are found, testers can either friend the matched accounts and send them phishing links through the platform, or use the profile data to craft personalized phishing emails, Trustwave researcher Jacob Wilkins suggested in a blog post.
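To make the matching step concrete, here is an added example in Python. It is not Trustwave’s Social Mapper code; it shows the name-then-face filtering a tool of this kind performs once a network’s name search has returned candidate profiles. The input file format (CSV of “name,image path”), the thresholds, the candidate profiles and the face embeddings are all constructed assumptions for this example; a real pipeline would compute embeddings from the downloaded photos with an open source face recognition library, which the article does not name.

```python
# Added example, not Trustwave's Social Mapper: the candidate-matching step a
# tool of this kind runs after pulling a network's search results for a name.
# Embeddings here are short constructed vectors so the logic runs offline; a
# real pipeline would compute them from profile photos with a face-recognition
# library (not named on the page).
import csv
import io
import math
import unicodedata
from difflib import SequenceMatcher

FACE_THRESHOLD = 0.6   # assumed: max embedding distance to call two faces the same
NAME_THRESHOLD = 0.8   # assumed: min name similarity to keep a search result

# Constructed stand-in for "embed the face found in this image file".
EMBEDDINGS = {
    "imgs/jane.jpg": (0.10, 0.20, 0.30, 0.40),
    "imgs/john.jpg": (0.50, 0.50, 0.50, 0.50),
}

# Constructed stand-in for the per-network name-search results, each with the
# embedding of its profile photo.  Handles are fictional.
SEARCH_RESULTS = [
    {"network": "LinkedIn",  "name": "Jane Doe",   "profile": "in/janedoe-1",  "embedding": (0.12, 0.21, 0.29, 0.41)},
    {"network": "Facebook",  "name": "Jane Doe",   "profile": "jane.doe.77",   "embedding": (0.90, 0.10, 0.70, 0.20)},  # same name, different face
    {"network": "Instagram", "name": "Jane Doe",   "profile": "janedoe_pics",  "embedding": (0.15, 0.25, 0.25, 0.35)},
    {"network": "Weibo",     "name": "Jané Doe",   "profile": "u/1234",        "embedding": (0.08, 0.22, 0.31, 0.38)},  # accented name
    {"network": "VKontakte", "name": "John Smith", "profile": "id5678",        "embedding": (0.90, 0.10, 0.10, 0.90)},  # wrong face
]

# Assumed input file format: one "Full Name,image path" line per target.
TARGET_FILE = "Jane Doe,imgs/jane.jpg\nJohn Smith,imgs/john.jpg\n"


def normalise_name(name: str) -> str:
    """Strip accents, lowercase and collapse whitespace so 'Jané  Doe' == 'jane doe'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.lower().split())


def name_similarity(a: str, b: str) -> float:
    """0.0..1.0 similarity of two names after normalisation."""
    return SequenceMatcher(None, normalise_name(a), normalise_name(b)).ratio()


def face_distance(a, b) -> float:
    """Euclidean distance between two embeddings; smaller means more alike."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def parse_targets(text: str):
    """Read the target file and attach the embedding of each reference image."""
    targets = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=("name", "image")):
        targets.append({"name": row["name"].strip(),
                        "embedding": EMBEDDINGS[row["image"].strip()]})
    return targets


def match_targets(targets, candidates):
    """Return {target name: [(network, profile, distance), ...]}, best match first."""
    report = {}
    for target in targets:
        hits = []
        for cand in candidates:
            if name_similarity(target["name"], cand["name"]) < NAME_THRESHOLD:
                continue  # search returned someone else entirely
            dist = face_distance(target["embedding"], cand["embedding"])
            if dist > FACE_THRESHOLD:
                continue  # a namesake, not the target
            hits.append((cand["network"], cand["profile"], round(dist, 3)))
        report[target["name"]] = sorted(hits, key=lambda h: h[2])
    return report


if __name__ == "__main__":
    for name, hits in match_targets(parse_targets(TARGET_FILE), SEARCH_RESULTS).items():
        print(name, hits or "no confident match")
```

The two thresholds are the knobs a tester would tune: the name check only rejects search results that are obviously someone else, while the face distance is what separates the target from namesakes, which is why the Facebook “Jane Doe” above is dropped and the accented Weibo profile is kept. Anyone doing this at scale should expect false positives from profile photos that are not of the account holder at all, so matches are logged as “likely”, not confirmed.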

“Gathering all that information allows us to create very compelling spearphishing letters if you will,” says Sigler.

Trustwave has already used the tool in its own penetration testing engagements, where it replaces tedious manual social media research, according to the post.

“It’s really not that complex—we’re not using any API,” Sigler says. “Really, it’s just a matter of having an account on that social network and accessing publicly available data.”