It's been said that hackers will exploit any possible entry point for gain, and this includes the heart.
Ever since the creation of virtual identities thanks to chat rooms and then social networking, fraudsters have been fabricating online personas for any number of malicious reasons, not the least of which is perpetrating a cyber attack. Hackers will prowl social networks, online forums and gaming websites disguised as an innocent everyday user in search of someone to trick. The end goal could be a phishing scam, theft of a Social Security number, stolen login information, ransomware or something else.
Regardless of the scheme, eligible bachelors and bachelorettes – or those who are just looking to have a good time – have a new cyber threat vector to watch out for: Online dating sites and "hookup" apps.
The Ashley Madison data dump is only the tip of the iceberg
One of the most memorable data breaches of 2015 was executed against Ashley Madison, an online network for adults who are seeking an extramarital affair. According to multiple news sources, hackers managed to steal personal details and login credentials of approximately 32 million users including names, contact information, addresses, passwords and more. The perpetrators agreed not to do anything with data under one condition: That Ashley Madison and its sister site Established Men – which links younger women with older men who have money – were to be shut down completely.
Ashley Madison did not comply with the terms, and as a result, the hackers dumped 9.7 gigabytes of data belonging to the 32 million or so users. Anyone with access to the Internet and a connected device could browse the list to see if anyone they knew, or suspected, might be an account holder. This unearthed some disconcerting evidence suggesting that adultery wasn't the only sin on some Ashley Madison users' minds.
A dirty little cyber secret revealed
Shortly after the breach, Trend Micro researchers noticed something interesting. Some of the account holders on the website listed the cyber security firm's honeypot email addresses in their contact information. Honeypots are essentially simulated email accounts designed to lure cyber attacks such as phishing scams. The goal is to keep these attacks away from actual users, mainly because they allow researchers to identify them as cyber threats. The fact that someone was using Trend Micro's honeypots as contact information on Ashley Madison could only mean one thing: that the accounts were fabricated.
Upon closer inspection, Trend Micro researcher Ryan Flores was able to trace the account creators to specific IP addresses, and to determine that many of them had been created only minutes apart. He was also able to conclude that they were created by humans, and not by bots. This confirmed that someone had deliberately created false accounts.
The question is, who did it? According to Flores, there is the possibility that Ashley Madison did it to create accounts in other countries in order to drive up usage globally. However, the other scenario is that hackers made the accounts for spamming purposes – message boards, for instance, could be inundated with links to malicious websites.
But the plot thickens. Flores also noted that like the Trend Micro honeypots, some of the email addresses that appeared on the Ashley Madison dump list hypothetically could have been lifted from other parts of the Web by spammers. This means that even people who weren't looking to cheat could have been on the list. Any email address listed online has the potential to become fodder for fraud.
And that's still not the worst of it.
Social engineering: He's just not that into you
Online dating sites are clearly at risk from spammers, and hackers who would look to expose this information, but what about imposters, and even spies? Not everyone on the Internet is who they say they are, and this may include that impossibly charming individual you met on OKCupid who has all of the same interests as you. This person may be orchestrating a catfishing scheme, which, as noted in a Trend Micro blog post from earlier this year, could entail wooing online users to trick them into sending money, but they may be cooking up something a little more sinister.
Many online dating profiles are about putting yourself out there in the hopes of connecting with another person on romantic level, or in the case of Ashley Madison, for secret affairs. Either way, this entails revealing certain information upon creation of the account that hackers leverage against legitimate users.
In the case of Ashley Madison, a fake user might convince an actual user to share compromising information with them. They could then threaten to share this information with a spouse or family member unless money is sent to them. Depending on the weight of the information, and the desperation of the victim, this type of scheme can actually be quite effective. Just imagine what a high-profile politician might be willing to pay. While this type of cyber attack doesn't fit the bill of the lone wolf reading through lines of codes in search of an exploit, it still qualifies as cyber crime nonetheless.
Furthermore, there's a long list of simpler hacking exploits and cyber schemes that leverage online dating sites and applications. Crooks and cyber attackers will lure Internet users to pages with promises of love and passionate affairs that may actually lead to the theft of personal information or download crippling malware.
When it comes to looking for love in cyber space, it's best to be on your guard. Sometimes, hyper awareness is the top form of cyber security.