Over the last few years, we’ve reported on a number of spam campaigns spreading through various social networking sites and applications. As with any social service, as it becomes popular, spammers look for ways to take advantage of this popularity by targeting the users of these services.
I’ve previously blogged about the popularity of online dating sites and highlighted an example of a malicious campaign using them as part of its lure. Today, one of the most popular online dating services is not a website, but a mobile application called Tinder.
Tinder is a mobile app that finds other users who like you nearby and connects you with them if you’re both interested. It is a very simple premise, which may explain why it has become one of the more popular dating services around. According to recent reports, Tinder users have been matched 50 million times and have provided 4.5 billion ratings on the service.
Recently, a number of users have reported that they have been finding spam accounts using the service.
Figure 1. Example of fake accounts on Tinder
Further research confirmed that a number of spam accounts have been created on Tinder.
Figure 2. Mutual Matches notification
Just as expected, when a user likes one of these spam accounts they’re instantly notified of the match. The spam accounts don’t seem to respond unless the user engages the account first.
The spam accounts follow a similar script when communicating with Tinder users.
Figure 3. Spam bot auto responses are the same
While engaging one of these spam accounts, I found a glitch.
Figure 4. Spam bot aged two years instantly
The spam bot seemed to report the wrong age twice, even though the spam account profile listed its age as 26.
Here is what the bot’s script typically looks like (glitch included):
Bot: hey … have we spoken before? 22..female here…you ?
Bot: hey ….. have we chatted before?? 24..female here…..u?
Bot: i’m sorry…I get to be forgetful at times! how’re u??
Bot: Just got online….long week been kind of busy! But I’m feelin’ aroused!! So what’s up …. Wanna have some fun ?? :)
Bot: I need a guy who can [REMOVED]..have u ever [REMOVED]?? hahaa
Bot: going to change my underwear….. want to see?? =)
At this point, the spam bot starts to lure the user in with the promise of a webcam session.
Figure 5. Spam bot begins the lure
From here, the spam bot will provide a shortened URL and instructs the user on how to proceed in order to gain access to her webcam session.
Figure 6. Landing page used in Tinder spam
If the user accepts the invitation on the landing page, they’re redirected to another site that asks them to sign-up, requesting personal information as well as a credit card number reportedly for age verification.
Figure 7. Membership requires credit card information
It’s interesting to note that the spam bot pre-emptively answers concerns about the website and the credit card information.
Figure 8. Spam bot responds to concerns
The bot glitches again as it changed part of its script from “sexy” to “handsome” when checking to see if the user has joined the site.
Figure 9. Spam bot glitch and request for “gold”
The spam bot also makes a request for some “gold” once the user joins the site. It’s likely that “gold” is a reference to currency used on the site, which a user may need to purchase.
How do the scammers monetize here? Affiliate programs are most often the drivers for much of the spam circulating on social networking sites. In this particular case, it’s best to “read the fine print,” as the old adage says.
Figure 10. Free access includes an upgrade to platinum membership
By default, the checkbox for “Upgrade me to a platinum membership” is selected. If this checkbox remains selected, there are two additional sites that the user is signed up for. The sites provide trial memberships of 10 days and 7 days respectively. If the user doesn’t cancel these accounts, they are then billed up to US$80 a month. Unfortunately, the user is often unaware that they are signing up for these additional sites and the scammers will be rewarded through the affiliate programs they signed up for.
Figure 11. Blocking spam accounts on Tinder
Currently, there is no way to report spam accounts within the Tinder application. However, the service does offer a way to block users. Therefore, users are advised to block any spam account they’ve been matched with.
Figure 12. Tinder for Android is on its way
The spam I’ve found on Tinder seems to be limited at this time. However, there is a concern that the service will see an influx of more spam bot accounts. While Tinder is only available for the iPhone at this time, there are plans to bring the application to Android devices. One trend I’ve observed in the last year is that following the introduction of an Android application, the volume of spam on popular services like these typically increases.