Classic online dating sites
Some online dating networks require a Facebook profile they can connect to, while others need only an email address to set up an account. Grindr was an exception, because it requires less personal information. Tinder, for instance, retrieves the user's information from Facebook and shows it in the Tinder profile without the user's knowledge. This data, which could have been private on Facebook, can be displayed to other users, malicious or otherwise. Businesses that already have operational security policies restricting the information employees can divulge on social media (Facebook, LinkedIn, and Twitter, to name a few) should consider expanding those policies to online dating sites and apps.

To bear out the risks, we delved into various online dating networks, which initially included Tinder, Plenty of Fish, Jdate, OKCupid, Grindr, Coffee Meets Bagel, and Love Struck. The first stage of our research seeks to answer these main questions:

We further explored by setting up "honeyprofiles", or honeypots in the form of fake accounts. We also employed a few house rules for our research: play hard to get, but be open-minded. The goal was to familiarize ourselves with the quirks of each online dating network. We set up profiles that, while looking as genuine as possible, would not overly appeal to normal users but would entice attackers based on the profile's profession. That meant we also had to like profiles of potentially real people. This led to some interesting scenarios: sitting at home at night with our families while casually liking every single new profile in range (yes, we have very understanding partners).

In almost all of the online dating networks we explored, we found that if we were looking for a target we knew had a profile, it was easy to find them. Profiles with specific job titles naturally attracted more attention. We also had our fair share of cheesy pickup lines and honest, good people connecting with us, but we never received a targeted attack. Perhaps no campaigns were active on the online dating networks and areas we chose during our research.