Reconnaissance: the attacker's first move

Every sophisticated attack begins with reconnaissance - the systematic collection of information about the target. Before writing a single exploit, a motivated attacker builds a detailed map of your technology stack, your team structure, your external services, and your security weaknesses. Most of this information is freely available on the public internet. You are broadcasting it right now.

This is not theoretical. We run this exact process during the initial phase of every penetration testing engagement. The results consistently surprise CTO teams who had no idea how much information their organization was exposing. Here is the methodology, step by step, applied to a fictional but representative Nigerian fintech called "PayQuick."

Step 1: public GitHub repositories - searching for secrets

The attacker starts with GitHub. Not by hacking GitHub - by searching it. GitHub's search functionality, combined with specialised queries (called "dorking"), can reveal an extraordinary amount about a company's internal systems.

What the attacker searches for:

What this enables: If the attacker finds valid credentials, the reconnaissance phase is effectively over - they have direct access. If they find configuration files, they now know the internal architecture: which databases are in use, which cloud provider hosts the infrastructure, how services communicate, and what deployment tools are used. This information shapes every subsequent attack decision.

In approximately 40% of the Nigerian fintech backends we audit, we find production secrets committed to Git repositories. Sometimes in public repos. For remediation guidance, see our articles on .env file security and where to store API keys and secrets.

Step 2: Shodan and Censys - finding exposed services

Shodan and Censys are search engines for internet-connected devices and services. They continuously scan the entire IPv4 address space and index every responding port, service banner, and certificate. An attacker queries these engines for services associated with the target company.

What the attacker searches for:

What this enables: Each exposed service is a potential entry point. An unauthenticated MongoDB is game over - full database access. An exposed Jenkins instance might have stored credentials for production deployments. An admin panel with default credentials grants administrative access to the application.

Step 3: LinkedIn - mapping the organisation

LinkedIn is an intelligence goldmine for attackers. It provides a detailed organisational map that would take weeks to assemble through other means.

What the attacker extracts:

What this enables: Targeted spear-phishing emails that reference real colleagues, real projects, and real technologies. Social engineering calls to customer support that use correct names and department structures. Identification of the weakest entry points in the organisation's human layer. See our analysis of social engineering targeting fintech support teams.

Want to see your fintech through an attacker's eyes?

Map Your Attack Surface

Step 4: job postings - revealing the exact tech stack

Job postings are technical specifications disguised as recruitment documents. A single backend engineering job listing can tell an attacker more about a company's infrastructure than hours of port scanning.

What a typical Nigerian fintech job posting reveals:

Consider a real-world example: "Senior Backend Engineer - Node.js, Express, PostgreSQL, Redis, AWS (EC2, S3, RDS, Lambda), Docker, Kubernetes, experience with Paystack and Flutterwave APIs, familiarity with MongoDB for analytics."

From this single posting, an attacker now knows:

What this enables: The attacker skips the technology fingerprinting phase entirely. They know exactly which exploit modules to load, which vulnerability databases to query, and which attack patterns apply to this specific stack. A job posting is an unwitting threat briefing.

Step 5: mobile app decompilation - extracting embedded secrets

If the fintech has a mobile app on the Google Play Store or Apple App Store, the attacker downloads and decompiles it. For Android (the dominant platform in Nigeria), this is straightforward.

What the attacker does:

What this enables: Direct access to backend APIs, third-party service credentials, and a complete understanding of client-server communication patterns. For React Native and Flutter apps specifically, see our security audit guides for React Native and Flutter.

Step 6: partner and vendor API documentation

Many Nigerian fintechs publish their API documentation publicly - either for partner integrations, developer onboarding, or as marketing material. Some leave Swagger/OpenAPI documentation accessible on production subdomains without any authentication.

What the attacker extracts:

What this enables: The attacker has a comprehensive API testing guide written by the target company itself. Combined with the authentication patterns from the mobile app decompilation, they can begin systematic API testing immediately. See our detailed API security guidance in securing fintech APIs.

Step 7: DNS enumeration - finding forgotten subdomains

DNS enumeration reveals the full scope of a company's internet-facing infrastructure. Subdomains often point to services that were set up for development, staging, or testing purposes and were never properly secured or decommissioned.

What the attacker discovers:

What this enables: A complete map of the company's internet-facing infrastructure, including services the company itself may have forgotten about. Staging environments and admin panels with weak security become the path of least resistance into the production environment.

The takeaway

An afternoon of reconnaissance versus a professional pentest

Everything described above can be accomplished by a motivated attacker in two to four hours using free, publicly available tools. No servers are hacked. No laws are clearly broken. The attacker simply collects what you have already published. Now imagine what a professional penetration testing team finds with weeks of dedicated testing, authenticated access, and deep expertise in fintech-specific attack patterns. The gap between reconnaissance and exploitation is smaller than most founders think.

How to reduce your reconnaissance surface

You cannot eliminate all public information about your company, but you can dramatically reduce what an attacker can weaponise:

See your fintech the way an attacker sees it. We will map your external attack surface and show you exactly what is exposed.

Map Your Attack Surface

Related reading

Blog: Would hackers actually attack my fintech? · Can hackers see my source code? · Hardcoded API keys in mobile apps · Reverse engineering Android fintech apps

Guides: Fintech security checklist · Mobile app pentest guide · Pentest tools and methodology

Services: Penetration testing · API security testing · Secure architecture review

Frequently asked questions

Can hackers really find my API keys on GitHub?

Yes. Automated tools like truffleHog, GitLeaks, and GitHub's own secret scanning constantly scan public repositories for patterns matching API keys, database connection strings, and cloud credentials. If any developer on your team has ever committed a secret to a public repo - even briefly - it was likely captured and indexed. Private repos are also at risk if a developer's GitHub account is compromised.

How long does it take an attacker to reconnaissance a fintech?

A motivated attacker with moderate skill can complete initial reconnaissance on a typical Nigerian fintech in two to four hours. This includes GitHub dorking, Shodan scanning, LinkedIn mapping, job posting analysis, mobile app decompilation, and DNS enumeration. The information gathered in this initial phase shapes every subsequent step of the attack.

Is it illegal for someone to scan my servers?

Port scanning exists in a legal grey area in Nigeria. The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 criminalizes unauthorized access to computer systems, but passive reconnaissance (viewing public information) and port scanning are difficult to prosecute. The practical reality is that attackers perform reconnaissance constantly and without consequence. Your defense should assume continuous scanning rather than relying on legal deterrence.

How do I find out what attackers can see about my company?

A penetration test begins with the same reconnaissance techniques an attacker would use. The initial phase of a Simpa Labs engagement maps your external attack surface - public code repositories, exposed services, information disclosed in job postings, mobile app contents, DNS records, and third-party integrations. This gives you the attacker's view of your organization.