We further explored by setting up “honeyprofiles”, or honeypots in the form of fake accounts.
We narrowed the scope of our research down to Tinder, Plenty of Fish, OKCupid, and Jdate, which we selected because of the amount of personal information shown, the kind of interaction that transpires, and the lack of initial fees.
They could also use an exploit kit, but since most people use dating apps on mobile devices, this is somewhat more difficult.

Once the target is compromised, the attacker can attempt to hijack more machines, with the endgame of reaching the victim's professional life and their company's network.

We also employed a few house rules for our research: play hard to get, but be open-minded. The goal was to familiarize ourselves with the quirks of each online dating network.

We also set up profiles that, while looking as genuine as possible, would not overly appeal to normal users but would entice attackers based on the profile's profession.

It can be as vanilla as a classic phishing page for the dating app itself, or for the network the attacker is sending the victim to.
Combined with password reuse, this gives an attacker an initial foothold into a person's life.
As a user, you should report and un-match the profile if you feel you are being targeted. The same discretion applies to email and other social media accounts.
They’re easy to access, outside a company’s control, and a cash cow for cybercriminals.
To bear out the risks, we delved into various online dating networks, which initially included Tinder, Plenty of Fish, Jdate, OKCupid, Grindr, Coffee meets Bagel, and Love Struck.
The first stage of our research seeks to answer these main questions: In almost all of the online dating networks we explored, we found that if we were looking for a target we knew had a profile, it was easy to find them.
They arrived just fine and weren’t flagged as malicious.