Feeds

Left swipe! That hot Tinder babe is a malware-flinging ROBOT

Hackers burn location-baring dating app's users

5 things you didn’t know about cloud backup

Hackers are abusing the popular Tinder dating app to spread malware and survey scams using bots and clever social-engineering trickery.

Bots are luring users with tempting profiles and pictures using pictures from an Arizona-based photography studio, according to net security firm BitDefender. Some of these images have also been purloined for fake Facebook profiles.

“After users swipe the right button on Tinder to indicate that they like a profile, the bots engage users in automated conversations until they convince them to click on a dubious link,” explained Catalin Cosoi, chief security strategist at Bitdefender. “The name of the URL gives the impression of an official page of the dating app and for extra legitimacy scammers also registered it on a reputable .com domain.”

The scam is geo-specific: British users are lured to fraudulent surveys and dubious competitions for ASDA and Tesco vouchers, while Tinder users in the US are brought to the “Castle Clash” game download.

A typical bot-generated US lure message, republished on BitDefenders' HotForSecurity blog, reads:

Hey, how are you doing? I’m still recovering from last night :) Relaxing with a game on my phone, castle clash. Have you heard about it? http://tinderverified.com/castleclash[removed]. Play with me and you may get my phone number.

Bitdefender reported the issue to both Castle Clash developer IGG and the photography studio apparently victimised by picture theft.

Tinder is a location-based mobile app for iOS and Android that uses social graph information from Facebook to match users up. Tinder's "hot or not" easy swiping mechanism allows users to match themselves up with locals in their area. Privacy watchers, such as Appthority, have expressed privacy concerns over the app warning that it leaks more information than users might realise.

"Users viewing the profile to track down the exact geo-location of practically any user who has a public profile. Facebook IDs and the exact birth date of the app user can also be uncovered," Appthority warned last October. An experiment back in February revealed that Tinder could be used to triangulate the location of a target down to a precision of just 30 metres.

A security and privacy guide to help Tinder users from BitDefender can be found here.

George Anderson, director of product marketing at Webroot, said the "sophisticated" attack has the potential to hoodwink many love-struck marks.

“The Tinder bot is a sophisticated attack - to be able to trick people into thinking they are chatting with real people, hackers must have invested a considerable amount of time and tested lots of reply and response scripts to get a high success rate," Anderson explained. "The way the attack works is by connecting the bots via a Virtual App environment using the Chat Facility. At this stage the cybercriminals are lining-up a phishing attack using chat link instead of an email link, which is a common approach in social engineering attacks."

“Interestingly, it is much easier for Tinder to be able spot bots on its app than it is for the users. Those who would like to ascertain whether or not they are speaking with an actual person should use phone text shorthand, misspellings, no punctuation, etc. - things easily understood by a human but likely to lose context if being read by an AI,” he added. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.