Hi, thanks for coming. My name is Zimbar. Last week was my last week at PerimeterX, so I'm giving this with permission. But as you can see, it says former principal researcher. This is with permission. And I'm going to be telling you a long story that starts roughly almost two years ago, maybe a year and a half ago. And it actually includes new stuff as well. I'm going to be going through it really fast, because this can be told over a whole hour, and we only have half an hour. So if you have any questions, then just come and ask me later. There are some photos here that are taken from Tinder, some of them from other websites, so they include a little bit of nudity. It's all censored. It's still R-rated, but it's censored. If you're offended by that, then avert your eyes when it comes up.

The first thing about Tinder, an application that's being used by almost 50 million people according to recent estimates, is building your profile. And there's a lot of material on the internet on how to build a good profile that will guarantee you a better match. Is anyone here not familiar with Tinder at all? Never used it? OK, so basically, you see photos of women. Guys, someone had to say it for the benefit of those who are ashamed. So you basically see photos of the sex that you're interested in, male or female. And if you like, you swipe right. And if you don't like, you swipe left. That's it. So it's all about first impression. So there are a lot of articles that tell you how to build a perfect profile. And you can even read stuff by the Tinder CEO that tells you what the best way is.

So here's me building the perfect profile. You need to have a professional profile photo. I have this one, and this was taken when I was working at PerimeterX. Perfect match. Good. You need a photo with an animal to show that you're compassionate. There you go. Anybody know what this is? This is a slow loris. Yes, it is. This was taken in Myanmar, Burma. Check.
You need something with sports or a hobby to show you have a life, right? There you go. And this one actually has an animal as well. So I've got them covered, right? Good. You need something official or at work, right? This is me giving a different talk at Kaspersky SAS last year. And last but not least, you need something that is silly or creative that shows you're a fun person to be with. And this, I don't know if Robert was there, this is last year's Kaspersky party. I don't remember this photo, but I have it, so. There you go. All right, so I got this covered.

The story starts in Copenhagen. I was there for a conference, CISO Europe. It was May last year, right? I'm using Tinder, and I see a lot of beautiful women. You can see all these. And yes, that's my thoughts exactly, right? Now don't mind the ages, because as a researcher, I like to expose myself to a lot of data. And then I start getting matches, right? It's cool. And not just one. Like a bunch of them, all at one time. So the first match is Adrienne. She's 21, an interior designer. And she sends me a message in Danish. Now I had a Danish girlfriend, so I know a little bit of Danish. But I'm also a security researcher, and there's a link here. So that's a no way. It's not happening. Let me show you. Anybody speak Danish here, or any other of the Scandinavian languages? You see, I knew that, so I translated this for you. "I just got out of a bad breakup with my boyfriend, and I want to forget it. I'm totally a sex addict, blah, blah, blah. Click the link." Not going to happen, all right? It turns out that I'm very popular, right? So I thought maybe because this is Europe, and I'm Middle Eastern, all the sexy stranger stuff, I'm getting many, many, many matches, right? And as you can see, they're all sending me the same message. And this is where I got suspicious. So the Israelis know this. This is a, all right? But for other people, here's the coincidence.
I don't think so, all right? Turns out that I matched with 57 different profiles, right? At this time, my researcher instincts kicked in. I recognized the patterns, and I started, you know, taking screenshots. It's pretty easy. On your iPhone, you just take a screenshot, and then you can do the research later. I matched 57 bots. They had 29 places of education, 26 places of work. Okay, fair enough. That's almost a one-to-two ratio, but only 11 professions. 57 different people, allegedly, and they share 11 different professions. That is statistically improbable. These are the professions, right? PR and communications, flight attendants. That actually makes sense. You think to yourself, okay, she's traveling a lot. Maybe she doesn't have a boyfriend. She likes to fool around, a boyfriend at every port, as they say.

But, you know, I started mapping them. These are the places of education. Let's look at the map. If you look at places of education, with one exception that was in France, they are all actually in Denmark, right? So this kind of matches the cover story. However, if you look at the place of work, with the exception of one that is in the US, they're actually all in Britain. And with the exception of one, they're all in London. So that doesn't make sense. Like, this whole group of 57 people, women, they all got certified in England. What happens there, right? So obviously these are stolen identities, and you start noticing that very quickly.

Let's look at those, right? Since at least one of you is seeing Tinder for the first time: this is a photo. This is her name. Basically, logging on to Tinder is done with your Facebook profile, right? It's a Facebook log-on. So you have a name, an age that comes from your Facebook profile, profession and education, if you choose to share it; you don't have to. And then free text, okay? Everything below the line is free text. Now, mind you, as you can see the distance here, this one was 349 kilometers away.
When you pay for the service (otherwise it's free), Tinder lets you check into a location before you get there, which is kind of good, because if I go to Copenhagen and I'm only there for three days, I want to get a match and set a date before I get there, right? So basically I'm getting paid to use Tinder. That's kind of nice.

But all of a sudden you start seeing that while the profiles bear a name and an age, it does not match the free text, right? She calls herself Ariel, but this is actually Cecil. She says she's Lily, but here it says Camilla, 24, right? This one is called Delfina, but the Instagram is Emily, right? It doesn't match. This is stolen information. So let's track a couple of those. Kylie, no, Helethingod, okay? This is the free text that is being copied from a different profile, right? So if you look at the Instagram profile, you will see it's not the same woman, right? Also on Facebook: same woman here, not the same one here. Another example, Latrice. I'm not an expert on names, but I think, isn't Latrice commonly African American? Something like that? I'm not an expert, but in any case, neither one of them looks like a Latrice, and the Instagram says Olivia Meyer. So if you go on Instagram and on Facebook, there isn't an Olivia Meyer. It's just neither one of these two, right? So we now know that they take photos, they match them up with fake identification, and they use real text written by real women, because apparently they figured out it was harder to fake that. Better take something a real person wrote, because it's more compelling, right?

So, next conference. This is all me traveling to security conferences, just like this one. So I went to Denver; there was another conference in Denver, Virus Bulletin, if anyone knows it, probably Robert does. I get to Denver, and this is already the next evolution.
This was a few months later, and now they don't just match you and send you a link, they actually try to get you to do stuff. So she sends me a message right away, and it's very blunt, right? "You wanna, nah, let's make plans, bit.ly..." Once again, I'm a security researcher, I don't click links, certainly not bit.ly ones. Although bit.ly is kind of cool, because you can figure out where it goes to. This is a redirection service, and you end up going to dailysex.com, and this is not a dating site, just in case anyone had a doubt, right? And warning, you will see nude photos. Please be discreet.

And then I get to chatty bots. They actually run a scripted chat, right? You say something, they answer back, but if you're careful enough, you will notice that it doesn't match. "Hey baby, quite the nocturnal type, are you?" And I was sure she didn't know what nocturnal was, right? Because I had that feeling; she was 21 or something. And she says, "I wanna go get beers tomorrow." This is a Sunday. And I said, "How about Tuesday?" And she said, "Do you wanna go out with me?" Now notice how pretty much whatever I say makes her next line plausible, okay? That's how it's scripted. And I said, "So what if I do?" And she says, "Request me on Skype, let's make plans, my name there is..." And there's a Skype ID. Now I already figured that I was gonna get spammed there, so I didn't go there. But remember this; this is gonna come back later.

Then there's another one, Katie. And she's more sophisticated. Katie is allegedly 23. "Hi, Inberg just found your match from Tinder, somewhat bored at home. Where part of town yeah at?" So I don't know, if you guys are old enough, there really used to be a, maybe there still is, I'm not American, jive. That sounds a little bit like jive, right? So by this time, I'm pretty certain I'm speaking to a bot. Nonetheless, I say I'm in the CBD, Central Business District. "Nice." Of course she's there, right?
Doesn't matter what you say, excuse me, she's gonna be there. "What's your favorite color?" "The color of a boarding pass." You would expect her to say, "Huh? What?" No, she says, "Mine, red suits me. Right, wanna make plans?" And this goes on, and then there's a big explanation on how, "I don't care where we meet, but I met some of the weirdest people and then they started stalking me. So please go to tinderageverify.com just so I know that you're a real person." And of course if you go there, which I did in a VM, you are asked to put in your credit card information for verification, and of course, you know the rest, right?

Hamburg, CCC, the Chaos Communication Congress. Once again I was traveling for work, and at this time they were starting to get cocky, no pun intended. They don't even bother matching you. Sorry, there's already a link in the description, hoping that people who are, let's say, appealed enough, go there, right? This goes to YeahRealSex.com. Where does that lead you? It's better than Tinder, okay? And why am I saying that they're getting cocky? They take themselves so seriously that they offer you to unsubscribe, and there is a captcha to make sure that you don't unsubscribe on somebody else's behalf, right?

Austin, yet another conference, and it's getting interesting. Shane: "Oh my God, I'm so bored." I already know I'm speaking to a bot here. "Me too. Do you want a Skype?" "And why is that? Do you think..." This is, by the way, a quote from The Princess Bride. I like The Princess Bride, so I just put in a quote, and she says, "You should message me there. I can send better pictures." And then I'm like, "ABCDEFGH," whatever. And of course, the script ignores that, and that's the Skype ID. Now does that look familiar? Yes, because remember the one from before? Same thing, go to Skype. My ID there is "live:" and then a name with the last letter three times and three digits.
So this time I created a fake Skype profile and I engaged in the chat, because by then it was obvious that I could put this in my presentation, right? So, yeah, I'm a researcher, come on. I live for this. "Hi, cutie, happy you Skyped me," blah, blah, blah. Doesn't matter what I say. "And my boyfriend and I broke up recently," blah, blah. "I like spanking and choking. Are you into that?" "Not particularly." And then I say, "I'm taking screenshots of this conversation. It's going to look great at the Kaspersky SAS event," because I was just going there, and it was clear. And then I could not direct this conversation better. As I'm saying to her, or to it, this is going to look good at the Kaspersky SAS event, it says, "Hmm, I'm getting wet." Great success.

Okay, Vegas. So I got accepted. Thank you guys for accepting me to speak here. I got accepted to Vegas. So obviously I checked in here a couple of weeks ago, started looking for stuff. And boy, the Tinder scene here, fascinating. So many fake profiles, you wouldn't believe it. So the most obvious ones are the service announcements, all the profiles that actually ask you to go to lookholes.com. They all have it in the description. By the way, if you're seeing these three buttons, it means we haven't matched. In Copenhagen, the photos didn't have those, because those were all matches. And here, look at the text. It's identical. These two, they both say, "Hey, babe, hope you're catching you." Yeah, the same text here and here. "Thanks for viewing my profile." So this is obviously a fake profile. They're using the same text. And their intention, as you probably understood from the other examples, is to get the traffic flowing into their website. We have some more, all those. We're already counting eight. Once again, they all send you to lookholes. And here, it's a little bit more interesting. These two are the same. "Do you like chat with me?" So these guys, they don't speak English as their first language.
This one says, "Are you bored?" And it spells bored like a surfing board. And that's one thing: "Do you want to sex with me?" OK, let me consider that. But this one is more interesting. She says, "I am boring." And I wasn't sure whether she meant that she was bored or that she's working for Elon Musk in the Boring Company. That's also a possibility. So yes. And then we have the usual inconsistencies. These guys or girls, you can see that the names don't match. She says, "Hi, I'm Renita." Sarah. "Hi, I'm Kate." Esther. "Becca, 20, New Jersey." Zoe, 28. So that's very easy to see. And then we have those that actually have handles to other services. That makes it easier to check. So this girl gives us her Twitter account, emmyyy. But if you go there, that's a different woman. Emily McDonald, and this is Jesse, not the same person. This is even funnier. This is Evelyn, 27. Her Instagram is chrissa-something, whatever. But when you go there, it says, "No, I am not Julie from Tinder." And just so you know, she says she's not Julie. This is not Julie. This is Evelyn. So these guys are using the same stolen text over multiple fake profiles. This is getting cool.

So, tracking the infrastructure. Up until now, this was just information gathering, a lot of screenshots. But let's see who's behind this. This is the original message from Copenhagen. And we have this little link here. Very simple research tools. Most of the AV guys know those. You go to VirusTotal. Let's see what other domains are on this IP address, or where it belongs. Who it belongs to, where it is hosted. And it turns out that many different domains are hosted on the same IP as that MeetDutch. And they're all registered to the same person. MeetDutch is somewhere in here. Altogether, there were about 60-something. Now MeetDutch is protected with WhoisGuard. We don't know who it belongs to. But seven out of 61 domains that were registered to the same IP were not being protected by WhoisGuard.
Probably because they were registered in certain countries that didn't offer that option, or certain registration services. I don't know for sure. Let's look at those. The first one is behind a WhoisGuard, but a different one, so no help here. This one in Sweden doesn't give enough information. And then, danishgirl.dk, all of a sudden we have a name and address and a phone number. Now a quick look will show you that these are fake as well. The number: two, three, four, five, seven, eight. Marseille, actually: the zip code of Marseille starts with one, three. So this is not Marseille; it's a fake address as well. But the next one actually has an email. And that is something that we can work with. Once again, Edward Serkov, Greg752, a Gmail, a bunch of those, they're all registered under the same email.

Now how do we connect the dots? Because I've shown you examples from a number of cities, right? If you look at ScamAdviser and you look at meetgirls.at and MeetDutch, you see these two are from the first bunch, right? From Copenhagen. But they are both redirecting to dailysex, which came later, I think it was Austin, right? They both redirected to the same place. So you know they're connected. Now what was dailysex? This guy, right? So they're connected. So we know they're all connected. All the sites from Copenhagen are connected to the site that I met later in a different city across the Atlantic, right? And of course it's also protected, so we don't know who controls it. And I was trying to track this guy, but he did his best not to be detected. There's another website owned by the same email, but this time the name is different, right? It's still fake information, same phone number there, but different address, still fake. So I don't really know who this guy is. If you know how to do it, if you can help me track him down, that would be nice. Feel free to contact me after the talk.

So I figured, if this happens on Tinder, that also happens on other platforms.
So I registered to a bunch of platforms, not to say that I was already registered to some of them before, but all in the name of research. And then I got this message on OkCupid. It's an unsolicited message from a profile that I did not look at, didn't have any match with, 0% match ratio. And it just says, "Hi, I found a free dating site, way better than OkCupid, with more members, and I just wanted to share it with you." Wow, I feel so lucky, thank you. So that's the profile. Within a couple of hours, it's gone, right? But I have a lead there. It's called whereifindloveluv.com, okay? Let's go there, and it really looks bad. It's so unprofessional. The name in the description and the name on the website, they're not identical. One says love, L-U-V, one says love, L-O-V-E. And the English is really bad. You can't see it here because of the projection, but this is bad English. So either way, this is not a real website.

And once again, I start tracking that. If you look at this domain, it leads to this IP address. And if you do a reverse lookup on the IP address, there are a bunch more domain names that all pretty much sound the same, like some lame-ass dating site. So I picked one of those, passionfoundhere.com, right? They're more or less all registered within about eight weeks of each other. So they're all connected. So let's go to passionfoundhere.com. Passionfoundhere.com is registered to this guy, Montrell Neubull from Silver Spring, Maryland. Okay, this is nice. And once again, we have an email address, computertechniclesetyao.com. Now that sounds like something you would actually use. So we were starting to shift over into the bad OPSEC world. Let's look up this email address on Facebook. Guess what? There's a profile registered by that email address. Devon Green. Okay, so now we have a problem, because here it says Montrell Neubull and this says Devon Green. How do we match them? How do you know it's the same person?
Well, thank the American judicial system: free public court records. It's the same guy, Montrell Devon Neubull, same person, right? From Silver Spring, Maryland. How nice. Now, what do you never, ever do on Facebook when you're a criminal? Take a photo with a lot of money. You never do that. All the people that do that end up getting caught.

Now the question is, how hard is it to operate such a scam? Well, it's not. At PerimeterX, we were talking about four generations of bots, right? A bot is anything that is not human, anything that is automatic. Generation one is just a script, right? Or a command-line tool. You can run curl or wget. There's a simple interaction, HTTP GET, you get whatever you want, that's it. Generation two can store a cookie, right? So you can maintain a session. Maybe you logged on, or maybe you need some authentication, but that's it; there's no JavaScript. Generation three already adds JavaScript, and you can do engine automation like Selenium. You can run that, or PhantomJS. And generation four, these are actually malware running on top of real browsers. So some of the time it'll be the original user creating traffic, but some of the time it'll be, we were mostly seeing malicious extensions doing that. You know what it takes to do this? Gen two. All you need is the ability to authenticate against the Tinder UI, or API, sorry, and that's it. So this can all be done in a Python script, for all you care.

Now, what is the result of this being so easy? Not just the scams that we're seeing, but you also have dating site automation. But it can be good and it can be bad. You can find the good side: a guy writing an article about how he created a bot to find love. And I have a friend who did the same. He wrote a bot that created many fake profiles and then measured the matches that he got from women and then figured out what he needed to become in order to, you see where I'm going?
But at the same time, there is a service that you can use that does that for you, right? Like dating as a service, or matchmaking as a service. And of course, that is against the interest of the dating site services.

So why do we care? Because theoretically you can say, okay, big deal. So you got conned on Tinder. Well, first of all, it hurts people's reputation. The website's reputation. Now you know, when you go on Tinder, if you go on Tinder, you're gonna be a lot more suspicious. You're gonna know that there's a good chance that what you're seeing is not real. Some of the services, they attract traffic out of the other ones, right? And actually the worst thing is that people actually click the links. So at PerimeterX, we did a simple test. We created a fake profile on one of the dating sites and added just two photos of a gorgeous woman, and then we waited, right? We didn't even message anyone. We waited for people to message us. Those who messaged us got back a message containing nothing but a link. Who would like to guess the click rate, the conversion rate on the link we sent? 70% of the people that sent us a message got the link. Now I will concede to the option that some of them are other security researchers. That is a possibility, I don't know. But this is the best conversion rate I have ever heard of, right? Ad agencies, well, would pay good money to get this conversion rate no one else has.

But that's only part of the problem. This is a security breach. If you'll notice, most of the discussion, let's put hardware aside, most of the discussion in the security community revolves around the breach. What happens when you get breached? How you got breached? What happens when you are breached? Lateral movement, data exfiltration, the whole shebang, forensics and everything. But there is so much that can be done by malicious web activity that doesn't even involve a breach and doesn't even involve exploiting vulnerabilities.
Just web automation can cause so much damage. This entire Tinder operation is caused, or is operated, by web automation. Someone is using a script, or maybe a script over a mobile phone emulator, probably an Android, to do all this: to create fake profiles, to feed them with information. This is all done automatically, and the damage can be extensive. So it's not all about the breach, and we need to remember that. And what we're trying to do, or what I was trying to do at PerimeterX, is to shift the discussion a little bit back to: okay, breach is nice, but there's also a lot of damage that can happen that does not involve a breach. And with this, I finish. If you have any questions, we have three minutes, go ahead.

How much automation? None, I enjoy it, I do it myself. Yeah, I can show you the screenshots on my laptop. Getting a match on Tinder, it's like winning the lottery. And you know it's fake, right? I'm looking for the fake, you're like, ding, yeah, I got it. So yeah, I do it myself.

Yes, it's not a lot. Let's say Copenhagen: I found 57 fake profiles out of, I don't know, let's say there are a few thousand profiles there. So by numbers, it's not a lot, but look at the worst-case scenario. You get sent a link, and that link doesn't lead you to a competing website, it leads you to a malicious website running an exploit kit. If I can later prove that I was infected by a link sent over the Tinder profile, that could put Tinder in a liability spot they don't wanna be in. So even if the numbers are small, and the more I travel and I see more, the numbers are not so small, especially not in Vegas, by the way, the percentage here is amazing, this could have ramifications for all parties involved. Yeah, one more, yes.

Did you catch that guy, or did that guy get caught? Not yet, not Greg752. So if any one of you can help me figure out who that guy is, I would be thankful, and put your name and credit on the next time that I run this presentation. Our time is up.
If you have any other questions, feel free to catch me outside. Thank you so much.
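The checks the speaker ran by hand on his screenshots (a link planted in the free text, a name in the free text that contradicts the profile name, the same text reused word for word across profiles, and a batch of supposedly different people sharing very few professions) are the kind of thing a platform can run automatically over newly created profiles. The Python below is an added example written for this page; it is not code from the talk, from PerimeterX or from Tinder. The profile records are constructed, the domains use the reserved `.example` suffix, and the 0.3 cut-off for distinct professions per profile is an assumed threshold (the Copenhagen batch from the talk, 11 professions over 57 profiles, would score 0.19).

```python
"""Screen dating-profile records for the bot patterns described in the talk.

Added example, not the talk's or PerimeterX's code. All profile records
below are constructed; domains use the reserved .example suffix.
"""
import re
from collections import Counter, defaultdict

# Constructed sample batch: a handful of profiles as a platform might see
# them (display name and age from the login provider, free-text bio).
PROFILES = [
    {"id": 1, "name": "Ariel", "age": 24, "profession": "Flight attendant",
     "bio": "Cecil, 24. Just got out of a bad breakup. Click meetdutch.example/abc"},
    {"id": 2, "name": "Lily", "age": 22, "profession": "PR and communications",
     "bio": "Camilla 24, Copenhagen girl looking for fun"},
    {"id": 3, "name": "Renita", "age": 26, "profession": "Flight attendant",
     "bio": "Hey babe, hope you're having a great day. Thanks for viewing my profile! lookholes.example"},
    {"id": 4, "name": "Kate", "age": 23, "profession": "PR and communications",
     "bio": "Hey babe, hope you're having a great day. Thanks for viewing my profile! lookholes.example"},
    {"id": 5, "name": "Maja", "age": 29, "profession": "Nurse",
     "bio": "Copenhagen native, coffee addict, terrible at karaoke."},
]

# A full URL, or a bare domain with a common TLD (the bios in the talk used both).
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|dk|at|example)\b", re.I)

# Ways a copied bio typically names its real author: "I'm Sarah", or a
# leading "Camilla 24" style header.
NAME_PATTERNS = [
    re.compile(r"\bI'?m ([A-Z][a-z]+)"),
    re.compile(r"^([A-Z][a-z]+),? \d{2}\b"),
]


def normalize(text):
    """Collapse whitespace and case so trivially re-spaced copies still match."""
    return re.sub(r"\s+", " ", text.strip()).lower()


def name_in_bio(bio):
    """Return the first name the bio claims for its author, or None."""
    for pattern in NAME_PATTERNS:
        match = pattern.search(bio)
        if match:
            return match.group(1)
    return None


def screen_profiles(profiles, max_profession_ratio=0.3):
    """Return (per-profile flags, batch summary).

    Per-profile flags: link_in_bio, name_mismatch:<claimed>, duplicate_bio.
    Batch summary: profession diversity; a batch whose distinct professions
    per profile fall below max_profession_ratio (assumed cut-off) is marked
    suspicious, as 11 professions across 57 profiles would be.
    """
    flags = defaultdict(list)
    by_bio = defaultdict(list)

    for p in profiles:
        if URL_RE.search(p["bio"]):
            flags[p["id"]].append("link_in_bio")
        claimed = name_in_bio(p["bio"])
        if claimed and claimed.lower() != p["name"].lower():
            flags[p["id"]].append(f"name_mismatch:{claimed}")
        by_bio[normalize(p["bio"])].append(p["id"])

    # Identical free text on several profiles is the strongest single signal.
    for ids in by_bio.values():
        if len(ids) > 1:
            for pid in ids:
                flags[pid].append("duplicate_bio")

    professions = Counter(p["profession"] for p in profiles)
    ratio = len(professions) / len(profiles) if profiles else 1.0
    summary = {
        "profiles": len(profiles),
        "professions": len(professions),
        "profession_ratio": round(ratio, 2),
        "suspicious_batch": ratio < max_profession_ratio,
    }
    return dict(flags), summary


if __name__ == "__main__":
    per_profile, batch = screen_profiles(PROFILES)
    for p in PROFILES:
        print(p["id"], p["name"], per_profile.get(p["id"], []))
    print(batch)
```

Run as-is it prints the flags for the sample batch. The duplicate-text and profession-concentration signals only mean something over a group, so a platform would feed the screen the profiles created from one network range or within one time window rather than a single profile at a time.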