The kind (and amount) of information divulged—about the users themselves, the places they work, visit or live—is not only useful to people looking for a date, but also to attackers who leverage this information to gain a foothold into your organization. To bear out the risks, we delved into various online dating networks, which initially included Tinder, Plenty of Fish, Jdate, OKCupid, Grindr, Coffee Meets Bagel, and LoveStruck. The first stage of our research seeks to answer these main questions: Location is very potent, especially when you consider the use of Android emulators that let you set your GPS to any place on the planet. The location can be placed right on the target company’s address, with the radius for matching profiles set as small as possible. Conversely, we were able to find a given profile’s corresponding identity outside the online dating network through classic Open Source Intelligence (OSINT) profiling. Again, this is unsurprising. Many were just too eager to share more sensitive information than necessary (a goldmine for attackers).
In fact, there is even previous research that triangulated people’s exact positions in real time based on their phone’s dating apps. With the ability to locate a target and link them back to a real identity, all the attacker needs to do is to exploit them. We gauged this by sending messages between our test accounts with links to known bad sites. They arrived just fine and weren’t flagged as malicious. With a little bit of social engineering, it’s easy enough to dupe the user into clicking on a link. It can be as vanilla as a classic phishing page for the dating app itself or the network the attacker is sending them to. And when combined with password reuse, an attacker can gain an initial foothold into a person’s life.
They could also use an exploit kit, but since most people use dating apps on mobile devices, this is somewhat more difficult. Once the target is compromised, the attacker can attempt to hijack more machines with the endgame of accessing the victim’s professional life and their company’s network. We explored further by setting up “honeyprofiles”, or honeypots in the form of fake accounts. We narrowed the scope of our research down to Tinder, Plenty of Fish, OKCupid, and Jdate, which we selected because of the amount of personal information shown, the kind of interaction that transpires, and the lack of initial fees. We then created profiles in various industries across different regions. That meant we also had to like profiles of potentially real people. This led to some interesting scenarios:
sitting at home at night with our families while casually liking every single new profile in range (yes, we have very understanding partners). We also employed a few house rules for our research—play hard to get, but be open-minded: The goal was to familiarize ourselves with the quirks of each online dating network. We also set up profiles that, while looking as genuine as possible, would not overly appeal to normal users but would entice attackers based on the profile’s profession. That let us establish a baseline for several locations and see if there were any active attacks in those areas. The honeyprofiles were created with specific areas of potential interest: medical admins near hospitals, military personnel near bases, etc.
Maybe because we didn’t like the right accounts. Perhaps no campaigns were active on the online dating networks and areas we chose during our research. This isn’t to say, though, that this couldn’t happen or isn’t happening—we know that it’s technically (and definitely) possible. But what’s surprising is the amount of company information that can be gathered from an online dating network profile. Tinder, for instance, retrieves the user’s information on Facebook and shows this in the Tinder profile without the user’s knowledge. This data, which could’ve been private on Facebook, can be displayed to other users, malicious or otherwise. Businesses that already have operational security policies restricting the information employees can divulge on social media—Facebook, LinkedIn, and Twitter, to name a few—should also consider expanding these policies to online dating sites or apps.
And as a user, you should report and un-match the profile if you feel like you are being targeted. This is easy to do on most online dating networks. They’re easy to access, outside a company’s control, and a cash cow for cybercriminals. Dating apps and sites are no different. Don’t give away more information than is necessary, no matter how innocuous it seems. A multilayered security solution that provides anti-malware and web-blocking features, such as Trend Micro Mobile Security, also helps. And if you’re stuck for an ice breaker this weekend—check out the best pickup line we received.