In July, cybersecurity firm Symantec issued a critical report on the flood of Tinder spam bots, who use fake profiles to flirt with users and direct them to adult webcam sites.
In response, Tinder released a technical update meant to cut down the number of spam profiles. However, recent research at Pindrop Security shows that the update only addresses one vector of the attack, and has not actually slowed the higher-level spam campaign.
As part of our Phone Reputation Service (PRS), Pindrop monitors online phone spam complaints, aggregating data on the phone numbers associated with spam. Researchers use topic modeling algorithms to analyze complaint comments and identify new and popular phone scams.
In early August, Pindrop’s PRS Topic Modeler picked up signs of a new scam involving Tinder. The data clearly shows that Tinder related phone spam complaints began to appear immediately following Tinder’s technical update.
The graph above shows the percentage of total phone scam complaints related to Tinder. Pindrop’s Topic Modeler did not find any Tinder related complaints prior to August 2014. By September, Tinder scams made up .31% of total phone scams being tracked, making it the 14th most popular phone scam of the month.
The implication is that Tinder’s technical update did not eliminate the spam bot profiles, but rather only prevented them from sending the spam links through the app. Instead of shutting down the bots, the spammers simply changed their script, asking for the victim’s phone numbers and then sending the spam links via text message.
This is a very common phenomenon observed by Pindrop. When the security of the online channel is improved, fraudsters switch to the phone channel, which has historically been under-protected. This lack of security innovation on the phone channel makes the phone a preferred vector for financial attacks.
The Tinder phone spam complaints are yet another example of the connection between cybercrime and phone fraud. Fraudsters today adapt quickly to changing technology and security measures and are very capable of launching a multi-pronged spam attack – much like their cybercriminal counterparts.
-Raj Bandyopadhyay and Valerie Bradford