Feeds

Left swipe! That hot Tinder babe is a malware-flinging ROBOT

Hackers burn location-baring dating app's users

Build a business case: developing custom apps

Hackers are abusing the popular Tinder dating app to spread malware and survey scams using bots and clever social-engineering trickery.

Bots are luring users with tempting profiles and pictures using pictures from an Arizona-based photography studio, according to net security firm BitDefender. Some of these images have also been purloined for fake Facebook profiles.

“After users swipe the right button on Tinder to indicate that they like a profile, the bots engage users in automated conversations until they convince them to click on a dubious link,” explained Catalin Cosoi, chief security strategist at Bitdefender. “The name of the URL gives the impression of an official page of the dating app and for extra legitimacy scammers also registered it on a reputable .com domain.”

The scam is geo-specific: British users are lured to fraudulent surveys and dubious competitions for ASDA and Tesco vouchers, while Tinder users in the US are brought to the “Castle Clash” game download.

A typical bot-generated US lure message, republished on BitDefenders' HotForSecurity blog, reads:

Hey, how are you doing? I’m still recovering from last night :) Relaxing with a game on my phone, castle clash. Have you heard about it? http://tinderverified.com/castleclash[removed]. Play with me and you may get my phone number.

Bitdefender reported the issue to both Castle Clash developer IGG and the photography studio apparently victimised by picture theft.

Tinder is a location-based mobile app for iOS and Android that uses social graph information from Facebook to match users up. Tinder's "hot or not" easy swiping mechanism allows users to match themselves up with locals in their area. Privacy watchers, such as Appthority, have expressed privacy concerns over the app warning that it leaks more information than users might realise.

"Users viewing the profile to track down the exact geo-location of practically any user who has a public profile. Facebook IDs and the exact birth date of the app user can also be uncovered," Appthority warned last October. An experiment back in February revealed that Tinder could be used to triangulate the location of a target down to a precision of just 30 metres.

A security and privacy guide to help Tinder users from BitDefender can be found here.

George Anderson, director of product marketing at Webroot, said the "sophisticated" attack has the potential to hoodwink many love-struck marks.

“The Tinder bot is a sophisticated attack - to be able to trick people into thinking they are chatting with real people, hackers must have invested a considerable amount of time and tested lots of reply and response scripts to get a high success rate," Anderson explained. "The way the attack works is by connecting the bots via a Virtual App environment using the Chat Facility. At this stage the cybercriminals are lining-up a phishing attack using chat link instead of an email link, which is a common approach in social engineering attacks."

“Interestingly, it is much easier for Tinder to be able spot bots on its app than it is for the users. Those who would like to ascertain whether or not they are speaking with an actual person should use phone text shorthand, misspellings, no punctuation, etc. - things easily understood by a human but likely to lose context if being read by an AI,” he added. ®

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.