Social Engineering Scams Lurking in Public Places

Noah was excited to hear from a seemingly compatible potential date he met using the Tinder application. They both swiped right on each other’s notification, indicating initial interest in each other. She was naturally pretty, Noah thought. Noah’s additional messaging revealed they were located near each other. She was just the next city over, less than 25 miles away. Then things began to get suspicious.

Noah is used to being suspicious on Tinder. He says that on an average day he has to fend off at least five fake profiles or bots waiting to scam him in some way: pushing him toward a pay site of some sort and, for some victims, installing malware or asking for money. Bots are automated scripts created by their purveyors to trick people into visiting fake sites or running malware by responding in chats the way a real person might.

Noah says that usually the bot scripts are pretty easy to spot. Almost always, they reach out to the guys first. (He said that in legitimate dating situations, most of the time the guy is the one reaching out to the girl first.) He said bot profiles are usually very skimpy, containing only one picture (versus the multiple pictures he sees on a real account). Fake profiles usually contain a link to a paid site or Snapchat. He said the bots are very quick to try to move potential victims off Tinder and into revealing their real cell phone number, where the potential victims can be more directly targeted and the bots’ malicious actions are not blocked by Tinder’s built-in user protections. That’s a good lesson: Always be aware of anyone who attempts to move you off the current platform quickly to something less secure. Scammers have a million reasons why they just need to move you to another communications platform very quickly.

But Noah said this bot’s script was more intelligent than most. The profile was better. It included a pretty, but not overly attractive photo that most likely points to a photo stolen from a model’s profile. The bot’s early conversations and reactions to his questions were above average. They seemed human.

But then when he asked a very simple question, “What city are you from?”, she refused to name a city. She even said that she wanted to keep the city private, but that she was “25 minutes away”. This made Noah suspicious; suspicious enough that he began asking questions that would be harder and harder for an automated bot to answer.

And like Noah expected, the “female” connection began ignoring all his specific questions, not giving coherent answers, and simply asking generalized questions that could apply to anyone. Within a few minutes, his potential “date” disappeared. And like clockwork, as he expected, his connection came back the next night, exactly 24 hours later, and started asking the same inconsequential, bogus questions, ignoring the ones Noah had asked from the night before like they never happened. Noah had to respect that the Tinder bots are getting better and they get farther along in their conversations before he can determine if an interest is from a real person or not.

(10/29/20 Update: Noah corrected me on one thing and added a few more facts. He said, "The Tinder bot profiles don’t have the external links in their bios. That’s only texted to you after they get your number. The Snapchat usernames are what they put in the bios, usually formatted with weird fonts/emojis. I assume to evade Tinder’s bot detection. Also, I forgot one more thing of note: As soon as the bot got my number, the matched Tinder profile was nowhere to be found within the app.")

Boy, dating is a lot harder today.

Noah got away lucky.

Another person contacted me regarding a Tinder scam that didn’t get so lucky. The scam started out in what seemed like a normal bot scam, but then he said it seemed clear, upon later reflection, that the attacker switched over to a human persona, and this victim then pushed away his initial skepticism. He thought at the time that he was being too paranoid.

In this instance, his Tinder “date” responded correctly to his specific questions, but while later reviewing the messages, he realized that the connection really hadn’t revealed anything besides relatively generic responses. The “date” pushed him to get off Tinder and into using another chat app, where they said they could send him more pictures without worrying about what data Tinder captured. This person had similar personal privacy concerns and agreed.

Over the next few hours, he felt he established a real connection. Eventually, his “date” suggested that they meet in person, and he agreed. But, suspiciously, this date sent him an encrypted document that supposedly contained a link to the eventual destination. He thought this was weird, but she said it contained driving instructions, which she claimed were easier to share in a Microsoft Word document than as just a GPS driving address. She told him that he would probably get a warning message when opening the document, but to just click on OK or else the full instructions wouldn’t display.

He was suspicious, but ignoring his instincts, he opened the document and read the instructions. The directions were not to anywhere near him or near where the connection said they would be. He questioned if she had sent the right directions, but she said she had to get off her phone suddenly, but that she would be back in contact. But she never did. She ghosted him.

A few days later my friend’s bank account was wiped clean. His cell phone had been invaded by a bank-account-stealing trojan. He immediately realized how the banking trojan probably got on his phone. He was able to get his stolen money back after a few days, but he still questions why he ignored his best instincts and let an unknown stranger run an executable document on his phone.

It used to be that Facebook and dating sites were the most likely places you could be scammed, but these days, any social media site or app is fair game for social engineering scammers.

LinkedIn Example

I’ve got a pretty decent LinkedIn (https://www.dhirubhai.net/in/rogeragrimes/) audience with just under 23,000 connections. Every now and then, I get a connection request from some unbelievably attractive, young woman, usually foreign. Now, I would love to think my charm and handsome good looks are enough to attract strangers, but I’m closer to the Hunchback of Notre Dame than Brad Pitt or George Clooney. Any time an attractive young woman wants to connect with me, I’m suspicious; especially if she doesn’t appear, by her profile, to have any interest in computer security. And when that same person starts asking if I’m lonely, too, well…let’s just say I’m not falling for the romance scam. It happens so much that my wife is convinced that LinkedIn is really just a big dating app disguised as a business connection site. The only difference is that all the “dates” are romance scam trolls. At least with a real dating app you have a chance to meet a real human being.

But occasionally I play along to see what social engineering tricks the scammer deploys to try and undermine a potential victim’s skepticism. Without a doubt, they portray themselves as very lonely people who have gone through a recent break-up of a long-term relationship or had the death of a spouse or boyfriend. It’s all so very sad. When I play along, it isn’t long before they are telling me that I’m the man of their dreams and that they think any woman who gets me is the luckiest person in the world. My wife might disagree and share that I’m not quite the buttercup all the time. I often get talks of marriage proposals within a day.

I’ve noticed that the biggest turning point in the fake conversations is when I say I love them. The scammers are trained to wait until their victim expresses feelings of love. Once the victim does that, it’s time for the money requests to start. Usually, it starts with the scammer claiming they want to visit me but don’t have the money. If you’re unlucky enough to send them money, some interruption in their travel plans always happens on the day of their supposed flight over for the visit. Often the story is that some group is threatening the person and delaying their travel, and the only solution is to send more money, a lot more money.

I would ask who this stuff works on, but I’ve been contacted by hundreds of victims over the last few years who have fallen in love with the scammer and lost a ton of money. “The heart has a mind which the mind knows nothing of.”

Twitter Example

Another notable example came to me from the daughter of a Twitter scam victim. The victim was a military veteran who belonged to a Twitter group made up of his former squadron team members. One of the most popular members reached out to him one day, out of the blue, and asked how the victim was doing. He was surprised, because this person hadn’t seemed to be active on Twitter and never interacted with the others. But now, finally, he was. The victim was delighted. When the victim replied, “I’m doing great. How about you?”, the scammer replied that they were doing fantastic, because they had recently come into a ton of money, which could be claimed by anyone in the squadron, including the victim, supposedly due to some new government program that targeted veterans. All the victim had to do to claim his share was forward his contact information, including a picture of his driver’s license and his bank account information. The victim did.

The victim’s bank actually proactively blocked the resulting wire transfer that was trying to steal the victim’s money. The scammer complained to the victim about the bank blocking the money, and the victim complained to the bank. The bank warned him that his money was likely being stolen by a scammer, but the victim didn’t agree. The money was being taken in “escrow” by his long-time “friend” before a bunch of free money would be transferred back into his account. The bank refused to budge (kudos to the bank…this is not as common as I wish it was).

The victim contacted his daughter so she could call the bank and get his money moved. His daughter quickly got involved and figured out what was going on, but no matter what the daughter told the victim, he refused to budge from the “fact” that he was going to get a bunch of money from his friend if only he could send a much smaller escrow fee. Not until the victim’s daughter got the real phone number to the Twitter friend and confirmed that the friend’s Twitter account had been compromised and that the friend had no idea about the money request, did the victim start to somewhat believe what the bank and daughter were saying. The daughter lamented that she can tell her father still believes there is a chance that the government deal is real. Friendships can create powerful, lasting, emotional bonds, which is exactly why scammers use them to lure victims.

But the overall lesson for everyone is that social engineering scams are coming from everywhere.

Education is the Key

The best solution is education. You can’t help people avoid being scammed if they aren’t aware of the types of potential scams and what to look for. You need to use security awareness training to create a sustained high level and culture of healthy skepticism. You need to be skeptical. Your friends and co-workers need to be skeptical. Your organization needs to be skeptical.

Any time a request comes from any type of online service that could possibly be a scam, the potential victim needs to start with skepticism and look out for additional signs of maliciousness. You can’t even trust (unusual) requests from people you know. Their account might be compromised. People need to hover over URL links before clicking. Never open unexpected documents sent by near strangers, and be very aware of deals and unusual situations that are too good to be true. And when in doubt, people need to chicken out. Opening a single document can result in your bank account being emptied, clicking on a single rogue link can result in your computer being compromised, and responding to a long-time friend’s request for you to send them your banking information to make you rich could lead to catastrophe. And those social media sites that used to be seen as safe, all eventually get taken over by creeps and malware purveyors. Be suspicious of the message or request no matter where it appears.
