Users of dating apps – like Tinder, Match and Bumble – should be on the lookout for investment-fraud scammers.
Cybercriminals are taking advantage of a surge in dating app users with a sophisticated fraud scheme, which convinces victims to join in on an investment opportunity – and ultimately drains their wallets.
The social isolation of the COVID-19 pandemic is driving many to online interactions – notably to online dating apps such as Tinder, Bumble, Match and more. This is providing scammers with a ripe target for a recent investment scam, warned the International Criminal Police Organization (Interpol) in an advisory released Tuesday.
“Interpol’s Financial Crimes unit has received reports from around the world of this scam and is encouraging dating app users to be vigilant, be skeptical and be safe when entering into online relationships,” according to Interpol, in a “Purple Notice” advisory sent to 194 countries. A Purple Notice is issued by Interpol to provide information on modus operandi, objects, devices and concealment methods used by criminals.
In the first stages of the scam, the scammers establish a relationship with the victims via a dating app (Interpol did not specify which dating app platforms are leveraged by attackers).
“Once communication becomes regular and a certain level of trust is established, criminals share investment tips with their victims and encourage them to join a scheme,” according to Interpol.
They then convince the victims to download an app, purporting to be a trading app, and open an account. From there, victims are convinced by the scammers to purchase various “financial products” and work their way up a so-called investment chain. They are made to believe they can reach “gold” or “VIP” status, said Interpol.
Interpol did not provide further information about the malicious application, other than to say that attackers took care to disguise the app as legitimate: “As is often the case with such fraud schemes, everything is made to look legitimate,” said Interpol. “Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.”
However, after scamming victims out of a certain amount of cash, one day all contact stops and victims are locked out of their accounts.
Hank Schless, senior manager of security solutions at Lookout, told Threatpost that malicious attacks launched through dating app platforms – like scams or phishing – highlight how mobile apps with a messaging function can be leveraged by malicious actors.
“Since there’s already a picture, profile and name associated with the person in a dating app, establishing trust is a much smaller barrier for the attacker,” Schless told Threatpost. “Beyond dating apps, an attacker could bring this campaign to gaming, shopping, workout or travel apps that have a social component to them. If someone is particularly keen on finding a connection on one of these apps, they will likely be more willing to do whatever the malicious actor tells them to do.”
However, scams that target the emotions of victims looking for love are another category of security challenges that dating apps need to deal with – especially during the isolating times of a pandemic. These types of romance scams have previously proved to be effective – in 2019, for instance, a fraudster managed to bilk a vulnerable Jason Statham fan out of a “significant amount” of money, after approaching her while she was perusing a fan page for the actor on Facebook. Romance scams have also been utilized for other malicious activities, including spreading malware like the Necurs botnet.
“Preying on people’s desires and fears is a tactic that fraudsters continue to use,” Setu Kulkarni, vice president of strategy at WhiteHat Security, told Threatpost. “When fraudsters prey on an individual’s desires and fears, human logic goes out of the window. Think first, click later is quickly replaced by click first, think later.”
Interpol, for its part, warned dating app users to always remain vigilant when they are approached by someone they don’t know, especially if it leads to a request for money; to think twice before transferring any money; and to do their research on suspicious apps by checking app reviews, the domain name and the affiliated email address.
Threatpost has reached out to Interpol for further information about the scam, including the victimology and how much money has been successfully stolen.