Security Response

Tinder Spam: A Year Later, Spammers Still Flirting with Mobile Dating App

Spammers use bots on dating app to convince users to install games and sign up for adult dating and webcam sites.
Created: 15 Jul 2014 16:12:08 GMT • Updated: 04 Aug 2014 21:00:10 GMT
Satnam Narang

One year ago, we warned users about one of the first instances of adult webcam spam on the up-and-coming mobile dating application Tinder. We also warned about an impending flood of spam bots once an Android version was released. Now, a year later, we have observed a number of different spam campaigns using fake profiles to flirt with users of the service.

Adult webcam spam
The first spam campaign we identified ultimately set the tone for future campaigns. These spam bots claimed to offer an adult webcam session and asked users to click on a link to another website. The spammers iterated on their efforts, modifying their scripts, switching short URL services (from goo.gl to bit.ly), and linking to different webcam sites. Eventually, these bots were set up to get users to move the conversation over to Kik messenger to close the deal.

Figure 1. One of the first instances of spam bots on Tinder

While not as prominent as before, spam bots hoping to convince users to visit adult webcam sites still persist on Tinder.

Mobile application/game downloads
Another spam campaign we observed on Tinder involves mobile apps, particularly games. In April 2014, Sarah Perez of TechCrunch wrote about spam bots promoting a game called Castle Clash.

These bots are scripted similarly to previous spam bots. Instead of directing users to adult webcam sites, they ask Tinder users if they have ever played Castle Clash before. Once a user responds, the spam bots include a link to sites like tinderverified.com and tease the user by saying, “Play a bit with me and you may get my phone number. :)”

Figure 2. Recent spam campaign using Castle Clash as a lure

Since the campaign was revealed on TechCrunch, the spam bot script changed, as seen in Figure 2, while the campaign itself has all but disappeared – for now.

Interestingly, one of the more recent adult webcam spam bots repurposed the Castle Clash script. The spam bot used the same username (TravelGram92) but instead linked to an adult webcam site called “Slut Roulette”.

Figure 3. Castle Clash script repurposed and used for adult webcam spam

Fake prostitution profiles
In recent months, the overwhelming majority of spam on Tinder has involved provocative photographs of women with a text overlay that incorporates terms used in online ads for prostitution. The overlay also includes a URL where the user can connect with these supposed prostitutes.

Figure 4. Example of fake prostitute profile on Tinder

Each of these bogus profiles incorporates terms like GFE, which means Girlfriend Experience, along with a price for each service (US$100 per hour). By placing these terms in the photos, the spammers can evade detection by spam filters that search for these phrases within the biography section of Tinder profiles. Historically, these image overlays contained a lot of information. Now, each overlay is shorter and straight to the point.

Figure 5. Historical overview of fake prostitution profiles on Tinder

If a user manually inputs one of the URLs listed on the image overlay into their address bar and visits the site, they will be redirected to an explicit personals website for casual dating and hookups.
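The evasion described above works because the filter only reads the biography. The following is an added example, not code from Symantec or Tinder: it scores a profile on both its biography and the text found in its photos, and shows that a bio-only check misses the same profile. The `overlay_text` field is assumed to come from a separate OCR step; the field names, sample profiles, domain and two-signal threshold are constructed for illustration.

```python
import re

# Signals taken from the overlay contents described in the article.
TERM_RE = re.compile(r"\bGFE\b|\bgirlfriend experience\b", re.I)
PRICE_RE = re.compile(r"(?:US)?\$\s?\d{2,4}\s*(?:per|/|an|a)\s*(?:hour|hr)\b", re.I)
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def normalize(text):
    """Collapse the irregular whitespace that OCR output tends to contain."""
    return re.sub(r"\s+", " ", text or "").strip()


def score_text(text):
    """Return the list of signal names found in one piece of text."""
    text = normalize(text)
    hits = []
    if TERM_RE.search(text):
        hits.append("term")
    if PRICE_RE.search(text):
        hits.append("price")
    if URL_RE.search(text):
        hits.append("url")
    return hits


def classify(profile, use_overlay=True):
    """Flag a profile when two or more distinct signals appear (assumed threshold)."""
    fields = [profile.get("bio", "")]
    if use_overlay:
        fields += profile.get("overlay_text", [])  # assumed OCR output per photo
    hits = set()
    for field in fields:
        hits.update(score_text(field))
    return {"flag": len(hits) >= 2, "signals": sorted(hits)}


# Constructed sample profiles (not real data).
SPAM = {"bio": "New in town :)",
        "overlay_text": ["GFE  $100 per HOUR", "meet-me.example"]}
BENIGN = {"bio": "Love travel, coffee and dogs.", "overlay_text": []}
LINK_ONLY = {"bio": "More photos at photos.example/jane", "overlay_text": []}

if __name__ == "__main__":
    for name, p in [("spam", SPAM), ("benign", BENIGN), ("link_only", LINK_ONLY)]:
        print(name, "bio-only:", classify(p, use_overlay=False),
              "bio+overlay:", classify(p))
```

Requiring two distinct signals keeps a profile that merely links to a photo page from being flagged on the URL alone.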

Tinder spam and affiliate programs
Each campaign shares one important thread – affiliate programs. Whether it is adult webcam spam, mobile app downloads, or casual dating and hookup sites, each of the promoted destinations offers spammers money for converting leads.

Figure 6. The exact same user name and profile image are used by an explicit personals site

Some of the sites pay $6.00 per lead for a successful sign-up and up to $60 if a lead becomes a premium member.

Measuring effectiveness
While we do not have insight into the conversion of leads and premium memberships, we do have some statistics about click rates for some campaigns. For instance, from the end of January 2014 until mid-April 2014, a campaign associated with a site called blamcams resulted in nearly half a million clicks across seven URLs. Depending on the offers given by the affiliate program and the number of successful conversions of leads, this particular spammer likely earned quite a bit of money.

Protip: Don’t get burned
Whenever you encounter a fake profile, you should report it to Tinder. When you click on a profile, there will be three red dots underneath the profile image. By clicking on this icon, you will be presented with an option to report that user. Selecting the report option will lead to a dialog window with three options. From here, select the “Feels like SPAM” option to report the fake profile.

Figure 7. How to report a fake profile on Tinder

Despite the influx of spam bots and fake profiles, Tinder receives over 600 million swipes per day, making it one of the most popular location-based dating applications. We recommend that users continue to keep an eye out for fake profiles and spam bots and report them accordingly.