They arrived just fine and weren’t flagged as malicious.
With a little bit of social engineering, it’s easy enough to dupe the user into clicking on a link.
People are increasingly taking to online dating to find relationships—but can these networks be used to attack a business?
The kind (and amount) of information divulged—about the users themselves, the places they work, visit or live—is useful not only to people looking for a date, but also to attackers who leverage this information to gain a foothold in your organization.
Profiles with specific job titles naturally attracted more attention.
We also had our fair share of cheesy pickup lines and honest, good people connecting with us, but we never got a targeted attack. Perhaps no campaigns were active on the online dating networks and areas we chose during our research.
We narrowed the scope of our research down to Tinder, Plenty of Fish, OKCupid, and Jdate, which we selected because of the amount of personal information shown, the kind of interaction that transpires, and the lack of initial fees.
Indeed, such attacks are feasible—but do they actually happen? Targeted attacks on the Israeli army early this year used provocative social network profiles as entry points.
Romance scams are also nothing new—but how many of these are carried out on online dating networks?
Location is very potent, especially when you consider the use of Android emulators that let you set your GPS to any place on the planet. Location can be placed right on the target company’s address, setting the radius for matching profiles as small as possible.
Conversely, we were able to find a given profile’s corresponding identity outside the online dating network through classic Open Source Intelligence (OSINT) profiling. Many were just too eager to share more sensitive information than necessary (a goldmine for attackers).