The New Generation of Invisible Bot Attacks. Learn to Detect and Stop Them.
Back to posts

Romance Meets Bad Finance: Don’t Date Bots

July 24, 2017
  • Inbar Raz

Based on our Article in DARKReading

Blog updated on November 13th, 2017

Delusional Dating: The beautiful woman asking a man to click on malware may have neither heart nor soul. Welcome to the ultimate cat-fishing experience.

There’s only one thing wrong with the attractive women – models and designers all - who quickly swarm to fellows venturing onto dating apps – they have an existential problem: they don’t exist. The relationship ends at your credit card or with a malware infection, every time.

So many bots, so little time.

Here’s the online dating experience men might encounter. They fill out a profile, and are quickly matched to several women who look quite interesting, and begin sending him text messages.

Lots of text messages, nearly identical, inviting yet vague.. These bot-ladies may have attended the same college, or work for the same agency in London. It won’t be long before they write something like: “Want to meet? Check this out.”

Hope + Deception = The World’s Highest Conversion Rate

70% of men who unexpectedly receive a link sent by a bot posing as an attractive woman, will click it. That’s what PerimeterX observed when we researched top dating sites. This 70% click-through rate may be the highest conversion rate in the world, and it explains why dating bots pay off for hackers.

Bots and Dating Sites: A Match Made in Hacker Heaven

Between 22% and 35% of relationships now start online, and malicious bots are estimated to make up 29% of traffic on enterprise sites, according to a report quoted in Digital Trends. It appears inevitable that online dating and bots would intersect in a big way – and no doubt cybercriminals are delighted that the target of the scam is operating on emotion and expects to spend money. . Hackers place bots on dating sites to coax personal and financial data from consumers, and sometimes defraud them. Another motive is simply to divert traffic that the dating site has worked hard to attract.

The Dawn of Suspicion

My first clue that dating sites such as Tinder are infested with bots: Many female profiles in specific cities (Copenhagen and Denver, for example) share overlapping attributes – they have the same job or employer, often in a different city or country, or attend just a few of a limited set of colleges. Invariably, their photos portray them as above average in appearance.

Why Bots Want to “Date” You

Dating bots are extroverted , quick to match up with men who have just posted profiles , and seem rather compulsive about inviting men to click on links they send. The links lure men off to porn sites, or URLs where they can be tricked into downloading malware or giving up money or personal data.

We found the same bot “colonies”on other dating sites, so it’s an industry issue rather than specific to one dating company.

Human to Bot: You Used Me!

Relatively primitive bots can make matches with other users of the targeted gender, start a text or email conversation, and ask target victims (men) to click a link that leads to paid content sites (aka porn). Newer, advanced bots can vary their behavior to be more convincing companions.

Men who are misled by these bots may be convinced to enter their credit card data on a site they wouldn’t ordinarily visit, or a phony “profile verification” service, and then be too embarrassed to report that they were tricked into accepting a porn site subscription.

Scammed: Men’s Money, Women’s Faces

We alerted a non-bot woman that her photographs had been used in bot profiles, enabling her to have her images removed from the site. For every bot profile, there’s a face that belongs to a real person who probably is not aware her or his photos are being misused.

This happened to thousands of Tinder users in California whose images were included in a public-domain facial data set without their knowledge. Using automated tools, scam artists copied from Tinder 20,000 profile images of women and 20,000 of men from Tinder.

Most Dating Sites Do Not Like Bots

Bots have a negative impact on dating site traffic, advertising revenue, and subscription fees. A site’s reputation suffers when male customers discover that a large portion of attractive women contacting men on the site are the kind you cannot bring home to meet Mom, because they don’t exist. Dating bots can subvert the customer experience.

In addition, a dating site might be liable if a user could prove that a malware infection or fraud loss resulted from links sent to him via the site.

Human Profile-Checkers Not the Answer

Dating sites have used humans to verify that new profiles are legitimate and meet guidelines. This approach is unreliable and does not scale. People, it turns out, aren’t very effective at catching bot profiles.

Even if it’s challenging, it is up to the dating sites to prevent bots from contacting their customers. Their goal should be to maintain a safe environment for their customers and provide an honest forum for new relationships. That in turn will sustain their traffic and revenue.

How to Detect Bots

If simpler bots are used to chat with human customers, they may be caught with more traditional defenses. Newer, more sophisticated bots are much more elusive and can be directed to vary their behavior, making them difficult or impossible to detect using signature-based security tools.

Of course, dating sites want to let legitimate customers use their sites unimpeded. They specifically want to prevent automated creation of fake accounts and profiles, and also have the ability to intervene the moment a legitimate profile begins to act like a bot – for example, by employing automated methods to communicate with unsuspecting users.

Dating sites can now make use of behavior-based approaches to bot detection. One such method, called web behavior analytics (WBA), learns how human users interact with each website and is then able to pick out even minor deviations from human behavior. Most human users go through predictable amounts of random behavior and act in seconds, whereas bots may select matches with far less hesitation. Of course, cybercriminals have realized that security tools are looking for the consistent timing of bot tools, and have programmed in randomness. WBA can also step up its game, learning how much randomness is human and how much is bot-like.

The best practice is to check the profile of every user and all their interactions with the site, in real time. It may lead to fewer imaginary supermodels chasing after average guys — but will also leave bots out of the dating game and help dating sites protect their reputation and users.

Back to posts comments powered by Disqus