Hackers are abusing the popular Tinder dating app to spread malware and survey scams using bots and clever social-engineering trickery.
Bots are luring users with tempting profiles and pictures using pictures from an Arizona-based photography studio, according to net security firm BitDefender. Some of these images have also been purloined for fake Facebook profiles.
“After users swipe the right button on Tinder to indicate that they like a profile, the bots engage users in automated conversations until they convince them to click on a dubious link,” explained Catalin Cosoi, chief security strategist at Bitdefender. “The name of the URL gives the impression of an official page of the dating app and for extra legitimacy scammers also registered it on a reputable .com domain.”
The scam is geo-specific: British users are lured to fraudulent surveys and dubious competitions for ASDA and Tesco vouchers, while Tinder users in the US are brought to the “Castle Clash” game download.
A typical bot-generated US lure message, republished on BitDefenders' HotForSecurity blog, reads:
Hey, how are you doing? I’m still recovering from last night :) Relaxing with a game on my phone, castle clash. Have you heard about it? http://tinderverified.com/castleclash[removed]. Play with me and you may get my phone number.
Bitdefender reported the issue to both Castle Clash developer IGG and the photography studio apparently victimised by picture theft.
Tinder is a location-based mobile app for iOS and Android that uses social graph information from Facebook to match users up. Tinder's "hot or not" easy swiping mechanism allows users to match themselves up with locals in their area. Privacy watchers, such as Appthority, have expressed privacy concerns over the app warning that it leaks more information than users might realise.
"Users viewing the profile to track down the exact geo-location of practically any user who has a public profile. Facebook IDs and the exact birth date of the app user can also be uncovered," Appthority warned last October. An experiment back in February revealed that Tinder could be used to triangulate the location of a target down to a precision of just 30 metres.
A security and privacy guide to help Tinder users from BitDefender can be found here.
George Anderson, director of product marketing at Webroot, said the "sophisticated" attack has the potential to hoodwink many love-struck marks.
“The Tinder bot is a sophisticated attack - to be able to trick people into thinking they are chatting with real people, hackers must have invested a considerable amount of time and tested lots of reply and response scripts to get a high success rate," Anderson explained. "The way the attack works is by connecting the bots via a Virtual App environment using the Chat Facility. At this stage the cybercriminals are lining-up a phishing attack using chat link instead of an email link, which is a common approach in social engineering attacks."
“Interestingly, it is much easier for Tinder to be able spot bots on its app than it is for the users. Those who would like to ascertain whether or not they are speaking with an actual person should use phone text shorthand, misspellings, no punctuation, etc. - things easily understood by a human but likely to lose context if being read by an AI,” he added. ®