External Threat Management

Dating Scams: Looking for Love in All the Wrong Places

Are you a hopeless romantic looking for love in the information age? Luckily, there are plenty of legitimate apps that can match you up with someone its algorithm deems most likely to give you a lifetime of happiness.

There are also plenty of cyber threat actors pretending to be one of those apps, looking to prey upon your achy breaky heart with fraudulent content meant to convince you to give up your credit card information. With the holidays coming up and people trying to avoid spending them alone, you may see an uptick in dating scams.

Last January, dating app Zoosk expected a 20% jump in users in the first two weeks of the year and eHarmony had a 21% increase in mobile registrations. Grindr usually experiences a 30% to 50% increase in users over the holiday season, and Match.com expected a 60% surge in new members between Christmas Day and Valentine’s Day.

Here's a perfect example of a fraudlent dating page:

A typical dating scam

Secret photos? 69% women? Exclusive? To some—at least enough people for this type of fraud to be extremely lucrative—content like this is too intriguing not to click.

If you do click, you'll be redirected to a page featuring racy (an extreme understatement) pictures, along with blaring promises of easy hook-ups. All you have to do is give them your email and credit card information and start paying monthly fees. Soon, your inbox will be inundated with spam, message after message from "users" apparently so eager to meet, they don't seem to care who they're messaging. Of course, these emails are from fake accounts, as are all the lewd photos.

Cheap and Easy

What makes this dating scam so effective isn't how sophisticated it is—in fact, quite the opposite. According to Dating Busters, a blog that monitors dating scams like this, dating networks such as the company behind sites like the one above can cheaply and quickly deploy countless other dating sites from a simple template. Just like cyber threat actors behind spam gang activity, it's all a numbers game—the more fraudulent infrastructure they can stand up, the more victims they can reach.

To create another dating site, all cyber threat actors need to do is register a new domain name and create a few different graphics, and they're off to the races. That's why Research Ops at RiskIQ recently started performing a daily review of IP addresses we’ve observed hosting fraudulent or otherwise malicious content. Our goal is to increase the frequency with which we add them to the CIDR blacklist if they appear to be dedicated infrastructure.

Fake dating app 2

I found the goldmine above while checking out the IP 8.29.157.12. It’s an index page containing the page shown in Fig-1, along with several other scammy dating pages tailored to different regions, languages, life situations, and sexual orientations.

There’s France:

a typical dating scam

Japan:

A typical dating scam

Brazil:

A typical dating scam

Here's one showcasing a page for people who want to meet a swole, pug-owning soldier:

A typical dating scam

All these pages follow a similar pattern: they ask you a small set of questions before telling you you’re approved and redirecting you to another site. When we check the IP in PassiveTotal, RiskIQ's threat research tool, it shows us several other sites hosting similar fake content promising fake rewards, fake skincare advice, and yes, more fake dating:

Fig-6 A dating scam inside PassiveTotal

For RiskIQ customers, here are a couple of crawls where fraudulent content from pages hosted on 8.29.157.12 was used on other pages that were blacklisted:

https://sf.riskiq.net/crawlview/crawlState/view/9cc4bd8e-c844-49cf-bd05-0d1389fbfd44

https://sf.riskiq.net/crawlview/crawlState/view/daeb9948-2940-4118-94ed-f2f0d46271f0

Stay safe out there

It’s easy to see how groups of cyber threat actors can employ schemes similar to the fake dating ones to abuse brands to fool victims. Without knowledge of their Digital Footprint, organizations can be completely unaware of networks of fraudulent root domains and subdomains using their name and logo to redirect users to phishing pages and other web assets that can infect them with malware.

Contact RiskIQ today to learn more about your Enterprise Digital Footprint and External Threat Management. Now if you’ll excuse me, there are 2,000 lonely singles in my area I need to meet.

Questions? Feedback? Email research-feedback@riskiq.net to contact our research team.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor