We’ve all seen it: a beautiful woman with a stunning figure dashes the male lead character of an action movie, drinks wine and engages in a smart, funny discussion. They go back to the lead’s cozy apartment, and they have passionate sex. They both look great, and the chemistry is undeniable. They even look promising as a couple. But when the lead goes to the bathroom, she suddenly makes a fierce, serious face, and goes through his stuff. She appears to be looking for something, and we get a sense that it’s not the first time she has done this. Later on, we find out that she is a spy working for the Russians, trying to sniff valuable information that can be used to rein terror against the U.S. government. Lol.
James Bond, Mission Impossible, and many of its counterparts have repeatedly shown us the risks of dating strangers who are too good to be true. It makes you wonder how it’s going to play out if action movies use the context of today’s dating scene.
As Tinder accumulated 25 million registered members in 2016, it’s going to be hell a lot easier for spies to steal information as young people are clearly turning to online dating apps to find relationships, and short-term hookups. As chat boxes become the venue for the initial stages of the getting-to-know part of dating, the gates for fictional spies are wider than it shouldn’t be.
A new research conducted by Trend Micro blurs the line of fiction and non-fiction. The research shows the risks of divulging the kind and amount of information—about the users themselves, the places they work, visit or live—to strangers looking for a date, and how attackers online can leverage this information to penetrate an organization’s network.
Trend Micro researchers probed into various online dating networks, which initially included Tinder, Plenty of Fish, Jdate, OKCupid, Grindr, Coffee meets Bagel, and LoveStruck.
In almost all of the explored online dating networks, it was discovered that looking for a target that has an existing profile was easy to find. Online dating networks allow users to filter people via age, location, education, profession, salary, not to mention physical attributes like height and hair color. However, Grindr was an exception, because it requires less personal information.
Location also plays a key role, considering that the use of Android Emulators let users set GPS to any place on the planet. Location can be placed right on the target company’s address, setting the radius for matching profiles as small as possible.
On the other hand, the researchers were able to find a given profile’s corresponding identity outside the online dating network through classic Open Source Intelligence (OSINT) profiling. Many were just too eager to share more sensitive information than necessary, which is jackpot for attackers.
Locating a target and linking them back to a real identity, all the attacker needs to do is to exploit them. By sending messages between test accounts with links to known bad sites, they arrived just fine and weren’t identified as threats.
With the help of social engineering, it showed how easy it is to trick the user into clicking on a link. And when combined with password reuse, an attacker can gain an initial foothold into a person’s life. An exploit kit can also be used, but since most use dating apps on mobile devices, this can be difficult. Once the target is compromised, the attacker can attempt to hijack more machines with the goal of accessing the victim’s professional life and their company’s network.
For more details about the research, click here.