Reconnaissance: the attacker's first move
Every sophisticated attack begins with reconnaissance - the systematic collection of information about the target. Before writing a single exploit, a motivated attacker builds a detailed map of your technology stack, your team structure, your external services, and your security weaknesses. Most of this information is freely available on the public internet. You are broadcasting it right now.
This is not theoretical. We run this exact process during the initial phase of every penetration testing engagement. The results consistently surprise CTO teams who had no idea how much information their organization was exposing. Here is the methodology, step by step, applied to a fictional but representative Nigerian fintech called "PayQuick."
Step 1: public GitHub repositories - searching for secrets
The attacker starts with GitHub. Not by hacking GitHub - by searching it. GitHub's search functionality, combined with specialised queries (called "dorking"), can reveal an extraordinary amount about a company's internal systems.
What the attacker searches for:
- .env files: Queries like "org:payquick filename:.env" or "payquick.com filename:.env" search for environment configuration files that commonly contain database credentials, API keys, and secret tokens. Even if the file has been deleted, it may still exist in Git history.
- API keys and secrets: Searches for strings matching known credential patterns - "PAYSTACK_SECRET_KEY," "AWS_SECRET_ACCESS_KEY," "DATABASE_URL" - within the organization's repositories. Automated tools like truffleHog scan for high-entropy strings that look like secrets.
- Database connection strings: Queries targeting "mongodb://," "postgres://," or "mysql://" followed by credentials. A single committed connection string can give the attacker direct database access if the database is network-reachable.
- Configuration files: docker-compose.yml, Kubernetes manifests, Terraform files, and CI/CD pipeline configurations that reveal infrastructure details, internal service names, and deployment architectures.
What this enables: If the attacker finds valid credentials, the reconnaissance phase is effectively over - they have direct access. If they find configuration files, they now know the internal architecture: which databases are in use, which cloud provider hosts the infrastructure, how services communicate, and what deployment tools are used. This information shapes every subsequent attack decision.
In approximately 40% of the Nigerian fintech backends we audit, we find production secrets committed to Git repositories. Sometimes in public repos. For remediation guidance, see our articles on .env file security and where to store API keys and secrets.
Step 2: Shodan and Censys - finding exposed services
Shodan and Censys are search engines for internet-connected devices and services. They continuously scan the entire IPv4 address space and index every responding port, service banner, and certificate. An attacker queries these engines for services associated with the target company.
What the attacker searches for:
- Exposed databases: MongoDB (port 27017), Redis (port 6379), Elasticsearch (port 9200), PostgreSQL (port 5432) - any of these responding to public connections is a critical finding. We have found production MongoDB instances with no authentication during Simpa Labs engagements, containing hundreds of thousands of KYC records.
- Admin panels: Web interfaces for database administration (phpMyAdmin, Mongo Express, pgAdmin), server management (cPanel, Webmin), or application admin panels running on non-standard ports.
- Development and staging services: Jenkins, GitLab, SonarQube, or other development tools exposed to the internet. These often have weaker authentication than production systems and can provide source code access, deployment pipeline control, or credential disclosure.
- SSL certificate details: Certificate transparency logs reveal subdomain names, internal service names, and organizational structure. A wildcard certificate for "*.internal.payquick.com" confirms the existence of internal subdomains worth investigating.
What this enables: Each exposed service is a potential entry point. An unauthenticated MongoDB is game over - full database access. An exposed Jenkins instance might have stored credentials for production deployments. An admin panel with default credentials grants administrative access to the application.
Step 3: LinkedIn - mapping the organisation
LinkedIn is an intelligence goldmine for attackers. It provides a detailed organisational map that would take weeks to assemble through other means.
What the attacker extracts:
- Engineering team structure: Who are the backend engineers, DevOps engineers, and security engineers (if any)? What are their seniority levels? A company with no security engineer is a softer target.
- Technology signals: Employee profiles often list specific technologies - "Node.js backend developer," "AWS Solutions Architect," "React Native mobile engineer." These confirm the technology stack without any technical scanning.
- Spear-phishing targets: Finance team members who can authorise payments. Engineering managers who can approve access requests. Customer support leads who can reset passwords. Each is a social engineering target with a specific attack angle.
- Former employees: People who recently left the company may still have active credentials if offboarding is incomplete. Their LinkedIn activity (posting about job searches, connecting with recruiters) signals the timing.
What this enables: Targeted spear-phishing emails that reference real colleagues, real projects, and real technologies. Social engineering calls to customer support that use correct names and department structures. Identification of the weakest entry points in the organisation's human layer. See our analysis of social engineering targeting fintech support teams.
Want to see your fintech through an attacker's eyes?
Map Your Attack SurfaceStep 4: job postings - revealing the exact tech stack
Job postings are technical specifications disguised as recruitment documents. A single backend engineering job listing can tell an attacker more about a company's infrastructure than hours of port scanning.
What a typical Nigerian fintech job posting reveals:
Consider a real-world example: "Senior Backend Engineer - Node.js, Express, PostgreSQL, Redis, AWS (EC2, S3, RDS, Lambda), Docker, Kubernetes, experience with Paystack and Flutterwave APIs, familiarity with MongoDB for analytics."
From this single posting, an attacker now knows:
- Runtime and framework: Node.js with Express - the attacker can research known Express middleware vulnerabilities, Node.js prototype pollution attacks, and common misconfigurations in Express-based APIs.
- Databases: PostgreSQL as the primary database, Redis for caching or session storage, MongoDB for analytics. Each has specific attack vectors - SQL injection for PostgreSQL, unauthenticated access for Redis, NoSQL injection for MongoDB.
- Cloud provider and services: AWS with specific services identified. The attacker knows to look for S3 bucket misconfigurations, EC2 metadata endpoint abuse, RDS public accessibility, and Lambda function vulnerabilities.
- Payment integrations: Paystack and Flutterwave APIs - the attacker can review the public API documentation for these providers to understand webhook structures, callback mechanisms, and authentication patterns that the target company likely implements.
- Container orchestration: Docker and Kubernetes - potential for container escape, Kubernetes API server exposure, or misconfigured pod security policies.
What this enables: The attacker skips the technology fingerprinting phase entirely. They know exactly which exploit modules to load, which vulnerability databases to query, and which attack patterns apply to this specific stack. A job posting is an unwitting threat briefing.
Step 5: mobile app decompilation - extracting embedded secrets
If the fintech has a mobile app on the Google Play Store or Apple App Store, the attacker downloads and decompiles it. For Android (the dominant platform in Nigeria), this is straightforward.
What the attacker does:
- APK download and extraction: The APK is downloaded from the Play Store or a mirror site. Tools like apktool and jadx decompile the APK into readable source code and resources.
- JavaScript bundle analysis: For React Native and Flutter apps (common in Nigerian fintechs), the JavaScript bundle or Dart snapshot contains application logic. The attacker extracts and searches this bundle for API endpoints, hardcoded keys, and configuration values.
- API endpoint discovery: The app must know which servers to communicate with. API base URLs, endpoint paths, and version prefixes are embedded in the app code. The attacker now has a complete list of API endpoints to test - including internal or undocumented endpoints that are not publicly advertised.
- Hardcoded credentials: API keys for third-party services (payment processors, analytics, push notifications), encryption keys, and sometimes database credentials. We have found production AWS credentials with full S3 and RDS access hardcoded in React Native JavaScript bundles during Simpa Labs engagements.
- Certificate pinning assessment: The attacker checks whether the app implements certificate pinning (which makes traffic interception harder) and whether the pinning can be bypassed. See our articles on SSL pinning bypass and certificate pinning for mobile banking.
What this enables: Direct access to backend APIs, third-party service credentials, and a complete understanding of client-server communication patterns. For React Native and Flutter apps specifically, see our security audit guides for React Native and Flutter.
Step 6: partner and vendor API documentation
Many Nigerian fintechs publish their API documentation publicly - either for partner integrations, developer onboarding, or as marketing material. Some leave Swagger/OpenAPI documentation accessible on production subdomains without any authentication.
What the attacker extracts:
- Complete endpoint catalogue: Every API endpoint, its HTTP method, URL path, request parameters, and expected response format. The attacker does not need to discover endpoints through fuzzing - the documentation provides a complete map.
- Authentication mechanisms: How authentication works, what tokens are expected, where credentials are passed (header, query parameter, cookie). If the documentation includes example authentication flows, the attacker understands exactly how to interact with the API.
- Data models: Request and response schemas reveal the data model - field names, data types, relationships between entities. This information is invaluable for crafting targeted injection attacks and BOLA exploitation.
- Admin and internal endpoints: Swagger documentation sometimes includes internal or admin endpoints that were not intended for public documentation but were included because the OpenAPI spec was generated from the codebase without filtering.
What this enables: The attacker has a comprehensive API testing guide written by the target company itself. Combined with the authentication patterns from the mobile app decompilation, they can begin systematic API testing immediately. See our detailed API security guidance in securing fintech APIs.
Step 7: DNS enumeration - finding forgotten subdomains
DNS enumeration reveals the full scope of a company's internet-facing infrastructure. Subdomains often point to services that were set up for development, staging, or testing purposes and were never properly secured or decommissioned.
What the attacker discovers:
- Staging and development environments: staging.payquick.com, dev.payquick.com, test.payquick.com - these environments often mirror production functionality but with weaker security controls, default credentials, or disabled authentication. A vulnerability in staging that connects to the same database as production is effectively a production vulnerability.
- Admin panels: admin.payquick.com, dashboard.payquick.com, backoffice.payquick.com - administrative interfaces that may have weaker authentication, no MFA, or default credentials.
- API versions: api-v1.payquick.com, api-v2.payquick.com - older API versions that may lack security controls added to newer versions. If v1 is still active and has a BOLA vulnerability that was fixed in v2, the attacker uses v1.
- Internal tools: jenkins.payquick.com, grafana.payquick.com, kibana.payquick.com - development and monitoring tools that should be behind a VPN but are accessible from the public internet.
- Abandoned services: Subdomains pointing to decommissioned servers, expired cloud instances, or third-party services no longer in use. These can sometimes be claimed by an attacker (subdomain takeover) and used to host phishing pages on a legitimate-looking domain.
What this enables: A complete map of the company's internet-facing infrastructure, including services the company itself may have forgotten about. Staging environments and admin panels with weak security become the path of least resistance into the production environment.
An afternoon of reconnaissance versus a professional pentest
Everything described above can be accomplished by a motivated attacker in two to four hours using free, publicly available tools. No servers are hacked. No laws are clearly broken. The attacker simply collects what you have already published. Now imagine what a professional penetration testing team finds with weeks of dedicated testing, authenticated access, and deep expertise in fintech-specific attack patterns. The gap between reconnaissance and exploitation is smaller than most founders think.
How to reduce your reconnaissance surface
You cannot eliminate all public information about your company, but you can dramatically reduce what an attacker can weaponise:
- Audit your GitHub organisation: Run truffleHog or GitLeaks against all repositories - including Git history. Remove secrets, enable GitHub's secret scanning alerts, and add pre-commit hooks that block credential commits.
- Scan your own infrastructure with Shodan: Search for your company name, IP ranges, and domain names. Close unnecessary ports, remove public access from databases and admin panels, and put development tools behind a VPN.
- Review job postings: Remove specific technology names where possible. Use generic descriptions ("modern cloud infrastructure") instead of exact service names ("AWS EC2, S3, RDS, Lambda").
- Secure your mobile app: Remove hardcoded secrets, implement certificate pinning, and use code obfuscation. See our mobile app pentest checklist for comprehensive guidance.
- Lock down API documentation: If your API docs are intended for authenticated partners, put them behind authentication. Remove internal endpoints from public documentation. Never include real credentials in example requests.
- Enumerate and secure your subdomains: Run DNS enumeration against your own domain. Decommission abandoned subdomains. Ensure staging and development environments require VPN access. Apply production-grade security controls to any environment that connects to production data.
See your fintech the way an attacker sees it. We will map your external attack surface and show you exactly what is exposed.
Map Your Attack SurfaceRelated reading
Blog: Would hackers actually attack my fintech? · Can hackers see my source code? · Hardcoded API keys in mobile apps · Reverse engineering Android fintech apps
Guides: Fintech security checklist · Mobile app pentest guide · Pentest tools and methodology
Services: Penetration testing · API security testing · Secure architecture review
Frequently asked questions
Can hackers really find my API keys on GitHub?
Yes. Automated tools like truffleHog, GitLeaks, and GitHub's own secret scanning constantly scan public repositories for patterns matching API keys, database connection strings, and cloud credentials. If any developer on your team has ever committed a secret to a public repo - even briefly - it was likely captured and indexed. Private repos are also at risk if a developer's GitHub account is compromised.
How long does it take an attacker to reconnaissance a fintech?
A motivated attacker with moderate skill can complete initial reconnaissance on a typical Nigerian fintech in two to four hours. This includes GitHub dorking, Shodan scanning, LinkedIn mapping, job posting analysis, mobile app decompilation, and DNS enumeration. The information gathered in this initial phase shapes every subsequent step of the attack.
Is it illegal for someone to scan my servers?
Port scanning exists in a legal grey area in Nigeria. The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 criminalizes unauthorized access to computer systems, but passive reconnaissance (viewing public information) and port scanning are difficult to prosecute. The practical reality is that attackers perform reconnaissance constantly and without consequence. Your defense should assume continuous scanning rather than relying on legal deterrence.
How do I find out what attackers can see about my company?
A penetration test begins with the same reconnaissance techniques an attacker would use. The initial phase of a Simpa Labs engagement maps your external attack surface - public code repositories, exposed services, information disclosed in job postings, mobile app contents, DNS records, and third-party integrations. This gives you the attacker's view of your organization.