by Stephen Hilt, Mayra Rosario Fuentes, and Robert McArdle (Senior Threat Researchers)
People are increasingly taking to online dating to find relationships—but can these networks be used to attack a business? The kind (and amount) of information divulged—about the users themselves and the places they work, visit, or live—is not only useful to people looking for a date, but also to attackers who leverage it to gain a foothold into your organization.
To gauge the risks, we delved into various online dating networks, which initially included Tinder, Plenty of Fish, Jdate, OKCupid, Grindr, Coffee Meets Bagel, and LoveStruck. The first stage of our research sought to answer these main questions:
- Given a known target (e.g., company executive, head of IT department, government official), is it possible to find their corresponding account on the dating network (assuming they have one)?
- For a given account on an online dating network, is it possible to track them to their other social profiles—i.e., Facebook, LinkedIn, or company pages?
Unfortunately, the answer to both is a resounding yes.
Looking for love in all the right places
In almost all of the online dating networks we explored, we found that if we were looking for a target we knew had a profile, it was easy to find them. That shouldn’t come as a surprise, as online dating networks allow you to filter people using a wide range of factors—age, location, education, profession, salary, not to mention physical attributes like height and hair color. Grindr was an exception, because it requires less personal information.
Location is very potent, especially when you consider the use of Android Emulators that let you set your GPS to any place on the planet. Location can be placed right on the target company’s address, setting the radius for matching profiles as small as possible.
Likewise, we were able to find a given profile’s corresponding identity outside the online dating network through classic Open Source Intelligence (OSINT) profiling. Again, this is unsurprising. Many users were simply too eager to share more sensitive information than necessary (a goldmine for attackers). In fact, there is even prior research that triangulated people’s exact positions in real time based on their phone’s dating apps.
With the ability to locate a target and link them back to a real identity, all the attacker needs to do is to exploit them. We gauged this by sending messages between our test accounts with links to known bad sites. They arrived just fine and weren’t flagged as malicious.
With a little bit of social engineering, it’s easy enough to dupe the user into clicking on a link. It can be as vanilla as a classic phishing page for the dating app itself or the network the attacker is sending them to. And when combined with password reuse, an attacker can gain an initial foothold into a person’s life. They could also use an exploit kit, but since most use dating apps on mobile devices, this is somewhat more difficult. Once the target is compromised, the attacker can attempt to hijack more machines with the endgame of accessing the victim’s professional life and their company’s network.
Swipe right and get a targeted attack?
Indeed, such attacks are feasible—but do they actually happen? They do, in fact. Targeted attacks on the Israeli army early this year used provocative social network profiles as entry points. Romance scams are also nothing new—but how many of these are carried out on online dating networks?
We further explored by setting up “honeyprofiles”, or honeypots in the form of fake accounts. We narrowed the scope of our research down to Tinder, Plenty of Fish, OKCupid, and Jdate, which we selected because of the amount of personal information shown, the kind of interaction that transpires, and the lack of initial fees.
We then created profiles in various industries across different regions. Most dating apps limit searches to specific areas, and you have to match with someone who also ‘swiped right’ or ‘liked’ you. That meant we also had to like profiles of potentially real people. This led to some interesting scenarios: sitting at home at night with our families while casually liking every single new profile in range (yes, we have very understanding partners).
We also employed a few house rules for our research—play hard to get, but be open-minded:
- Never contact a person first
- Respond only with a specific message (to check if it’s a real person or someone who sends malicious links)
- Try to speed up the conversation; reply early with a link pointing to a benign social networking site to give attackers easier ways to respond with their own malicious link
- Aim to be the target, never the attacker; don’t target or even catfish anyone
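The second and third house rules depend on telling apart a real person’s reply from one that carries a link worth investigating. As an added example (not code from the original research), the script below triages constructed sample messages the way a honeyprofile operator might: it extracts URLs, normalizes the host, and sorts each message into "no-link", "benign" (a known social network the honeyprofile itself shares), "expand" (a URL shortener whose destination is unknown until expanded), or "review" (anything else, including look-alike hosts such as a facebook.com subdomain of another domain). The allow-list, shortener list, and sample messages are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list: benign social-network hosts the honeyprofile shares itself.
# Exact-match only, so "facebook.com.something.example" is NOT treated as benign.
BENIGN_HOSTS = {"facebook.com", "twitter.com", "instagram.com", "linkedin.com"}

# Assumed list of URL shorteners; the real destination is unknown until expanded.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Matches http(s) URLs and bare "www." links; trailing punctuation is stripped later.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Return the normalized (lower-case, no leading 'www.') hosts of all links in text."""
    hosts = []
    for match in URL_RE.findall(text):
        match = match.rstrip(".,;:!?)")           # drop sentence punctuation glued to the URL
        url = match if match.lower().startswith("http") else "http://" + match
        host = (urlparse(url).hostname or "").rstrip(".")   # urlparse lower-cases hostname
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts


def classify_host(host):
    """Classify one host against the allow-list and shortener list."""
    if host in BENIGN_HOSTS:
        return "benign"
    if host in SHORTENER_HOSTS:
        return "shortener"
    return "review"


def triage_message(sender, text):
    """Give a whole message the most cautious verdict of any link it carries."""
    hosts = extract_hosts(text)
    verdicts = [classify_host(h) for h in hosts]
    if "review" in verdicts:
        level = "review"          # unknown destination: hand to an analyst, never click
    elif "shortener" in verdicts:
        level = "expand"          # expand the short link in a sandbox before deciding
    elif hosts:
        level = "benign"
    else:
        level = "no-link"
    return {"sender": sender, "hosts": hosts, "level": level}


def triage_all(messages):
    return [triage_message(sender, text) for sender, text in messages]


# Constructed sample messages (not real chat logs from the research).
SAMPLE_MESSAGES = [
    ("match_a", "hey! love your profile, are you really a nurse?"),
    ("match_b", "add me on https://www.facebook.com/profile-placeholder :)"),
    ("match_c", "check this out http://bit.ly/placeholder lol"),
    ("match_d", "verify your account here: http://facebook.com.account-check.example/login"),
]

if __name__ == "__main__":
    for record in triage_all(SAMPLE_MESSAGES):
        print(f"{record['sender']:8} {record['level']:8} {record['hosts']}")
```

The exact-match allow-list is the important design choice: a look-alike host that merely begins with a trusted name still lands in "review", which is the same caution a user should apply before tapping a link in a dating app.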
Here’s an example of the kind of messages we received:
Here’s a further illustration of our honeyprofiles:
- A Control Group comprising “average” men and women: profiles with basic interests, no job listings, and “normal” looks (at least in our eyes; the created group comprised “fives” on a scale of ten)
- A group of “average” IT admins/professionals in hospitals and military with work details posted on the profile
The goal was to familiarize ourselves with the quirks of each online dating network. We also set up profiles that, while looking as genuine as possible, would not overly appeal to normal users but would entice attackers based on the profile’s profession. That let us establish a baseline for several locations and see if there were any active attacks in those areas. The honeyprofiles were created with specific areas of potential interest: medical admins near hospitals, military personnel near bases, etc.
Our takeaway: they’re not who you think they are
Profiles with specific job titles naturally attracted more attention. We also had our fair share of cheesy pickup lines and honest, good people connecting with us, but we never got a targeted attack.
Maybe this was because we didn’t like the right accounts. Perhaps no campaigns were active on the online dating networks and areas we chose during our research. This isn’t to say that this couldn’t happen or isn’t happening—we know that it’s technically (and definitely) possible.
But what’s surprising is the amount of company information that can be gathered from an online dating network profile. Some networks require a Facebook profile to connect to, while others need only an email address to set up an account. Tinder, for instance, retrieves the user’s information from Facebook and shows it in the Tinder profile without the user’s knowledge. This data, which could have been private on Facebook, can be displayed to other users, malicious or otherwise.
For businesses that already have operational security policies restricting the information employees can divulge on social media—Facebook, LinkedIn, and Twitter, to name a few—they should also consider expanding this to online dating sites or apps. And as a user, you should report and un-match the profile if you feel like you are being targeted. This is easy to do on most online dating networks.
The same discretion should be applied to email and other social media accounts. They’re easy to access, outside a company’s control, and a cash cow for cybercriminals. Just as you would with email, IM, and the web—think before you click. Dating apps and sites are no different. Don’t give away more information than is necessary, no matter how innocuous it seems. A multilayered security solution that provides anti-malware and web-blocking features also helps, such as Trend Micro Mobile Security.
And if you’re stuck for an ice breaker this weekend—check out the best pickup line we received. You’re welcome!