Feeds

Left swipe! That hot Tinder babe is a malware-flinging ROBOT

Hackers burn location-baring dating app's users

Intelligent flash storage arrays

Hackers are abusing the popular Tinder dating app to spread malware and survey scams using bots and clever social-engineering trickery.

Bots are luring users with tempting profiles and pictures using pictures from an Arizona-based photography studio, according to net security firm BitDefender. Some of these images have also been purloined for fake Facebook profiles.

“After users swipe the right button on Tinder to indicate that they like a profile, the bots engage users in automated conversations until they convince them to click on a dubious link,” explained Catalin Cosoi, chief security strategist at Bitdefender. “The name of the URL gives the impression of an official page of the dating app and for extra legitimacy scammers also registered it on a reputable .com domain.”

The scam is geo-specific: British users are lured to fraudulent surveys and dubious competitions for ASDA and Tesco vouchers, while Tinder users in the US are brought to the “Castle Clash” game download.

A typical bot-generated US lure message, republished on BitDefenders' HotForSecurity blog, reads:

Hey, how are you doing? I’m still recovering from last night :) Relaxing with a game on my phone, castle clash. Have you heard about it? http://tinderverified.com/castleclash[removed]. Play with me and you may get my phone number.

Bitdefender reported the issue to both Castle Clash developer IGG and the photography studio apparently victimised by picture theft.

Tinder is a location-based mobile app for iOS and Android that uses social graph information from Facebook to match users up. Tinder's "hot or not" easy swiping mechanism allows users to match themselves up with locals in their area. Privacy watchers, such as Appthority, have expressed privacy concerns over the app warning that it leaks more information than users might realise.

"Users viewing the profile to track down the exact geo-location of practically any user who has a public profile. Facebook IDs and the exact birth date of the app user can also be uncovered," Appthority warned last October. An experiment back in February revealed that Tinder could be used to triangulate the location of a target down to a precision of just 30 metres.

A security and privacy guide to help Tinder users from BitDefender can be found here.

George Anderson, director of product marketing at Webroot, said the "sophisticated" attack has the potential to hoodwink many love-struck marks.

“The Tinder bot is a sophisticated attack - to be able to trick people into thinking they are chatting with real people, hackers must have invested a considerable amount of time and tested lots of reply and response scripts to get a high success rate," Anderson explained. "The way the attack works is by connecting the bots via a Virtual App environment using the Chat Facility. At this stage the cybercriminals are lining-up a phishing attack using chat link instead of an email link, which is a common approach in social engineering attacks."

“Interestingly, it is much easier for Tinder to be able spot bots on its app than it is for the users. Those who would like to ascertain whether or not they are speaking with an actual person should use phone text shorthand, misspellings, no punctuation, etc. - things easily understood by a human but likely to lose context if being read by an AI,” he added. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.