Researchers say that it's easy to leverage users' dating app data to find their identities outside the service and find them on other online services like Facebook, using OSINT profiling techniques.
Researchers say that it's easy to leverage users' dating app data to find their identities outside the service and find them on other online services like Facebook, using OSINT profiling techniques.

Users of online dating apps and the businesses they work for could end up the target of spear phishing and social engineering scams, especially when these services make one's personal information accessible to virtually anyone, Trend Micro researchers warned in a blog post on Thursday.

Looking at seven different dating apps, Trend Micro found that in almost all cases, it is very easy to find the dating app profile of a prominent corporate executive, government official, or other public figure (assuming they registered for one, of course).

Potential scammers can even use an app's filters to request dating partners who share the same physical traits, age, profession and precise location of their intended targets, in order to vastly improve the odds that their intended scam victim will be listed among the matching profiles. Trend Micro tested out this scenario with Tinder, Plenty of Fish, Jdate, OKCupid, Grindr, Coffee meets Bagel, and LoveStruck, and found Grindr to be the only exception because the service requires less personal information from its users.

Likewise, the researchers also found it easy to leverage users' dating account data to determine their identities outside of the service, and track them across other online services such as Facebook and LinkedIn, using basic Open Source Intelligence (OSINT) profiling techniques.

"Many were just too eager to share more sensitive information than necessary," the report stated, regarding the app users. But in other cases, it was the app itself asking for a "surprising" amount of information, said Trend Micro, noting that some apps require a Facebook profile to connect to in order to set up an account. Tinder even includes users' Facebook information their dating profiles, the blog post added, even though on Facebook that same data may be private.

Armed with key personal information, attackers can next attempt to exploit select users in a variety of targeted scams.

"With a little bit of social engineering, it's easy enough to dupe the user into clicking on a link. It can be as vanilla as a classic phishing page for the dating app itself or the network the attacker is sending them to," the report states. "And when combined with password reuse, an attacker can gain an initial foothold into a person's life... Once the target is compromised, the attacker can attempt to hijack more machines with the endgame of accessing the victim's professional life and their company's network."

After setting up numerous fake accounts, Trend Micro researchers also learned that the dating apps do not appear to have any mechanism to stop users from sending each other malicious links to sites that could potentially compromise an individual's device or credentials.

SC has requested comment from the companies behind all seven of the studied dating apps, and will add their responses as they come in.

Looking to prove that such schemes do not just exist in theory, Trend Micro set up various honeypot accounts on four of the dating networks, making up false profiles that featured professions and locations that might be enticing to an attacker (i.e. medical admins near hospitals, military personnel near bases). However, the effort came up empty, as no scammers bit on the opportunity.

Regardless, there have already been reports of attackers who search online services for specific groups of users, in order to trick them into downloading malware. As Trend Micro notes, Israeli Defense Forces reported earlier this year that Hamas operatives have been creating fake Facebook profiles, featuring photos of attractive women, in order to chat with Israeli soldiers and convince them to download an app that is actually malware.

"Maybe... we didn't like the right accounts. Perhaps no campaigns were active on the online dating networks and areas we chose during our research," the blog post stated. "This isn't to say though that this couldn't happen or isn't happening – we know that it's technically (and definitely) possible."