The Love Of OSINT Via Dating Sites

This article is more than 5 years old.

With Valentine's Day around the corner, love in the air and OSINT in the ether all the time, we have a volatile mix of combustible materials. These materials could enable high-powered OSINT collection and use for nefarious purposes. Unlike Facebook, LinkedIn, Twitter, Pinterest or realty sites, content on dating sites is not intended for consumption by the general public. It is intended for a small group of similarly minded people.

For the purpose of this article, I am lumping dating, hook-up and fetish sites together as "dating sites." While I recognize that all platforms have different models, intended audiences, and intended outcomes, I am consolidating them for the purpose of this article. I mean no insult or harm in this generalization; I am illustrating the potential of open source intelligence collection, not the merits or demerits of using dating sites.

Many people use dating sites to find love or to find lust. As Kevin Murnane illustrated in 2016, more people continue to use dating sites like eHarmony, OkCupid, Tinder, Grindr, Plenty of Fish, Farmers Only, Ashley Madison and OurTime. With websites like this, a person can pay a fee and cut to the chase. What are the intentions of the person signing up? Casual dating, hooking up or a serious relationship/marriage?

Dating sites lend themselves to OSINT collection. Users are not verified to be using valid pictures or data. While there are undoubtedly fake accounts, as we learned with the Ashley Madison data breach, users of these sites would probably rather give the benefit of the doubt. The other side of the same coin is that many users pour their hearts out and share many intimate details that could be used against them. Starting with the obvious, users typically put their zip code or other references to their physical location in their profile.

This is not the fault of the sites, for the most part. The sites may ask questions that are too invasive or that enable that level of oversharing. Beyond that, the users may use a username on that platform that they also use on a different website, whether it be a different dating site or a regular social media website. This is a potential vector for a stalker or an aggressor to move from the internet to real life. Even if the user uses a fake first name or does not reveal their last name, reusing the username negates whatever protection the account's anonymity offered if their real name is used on an account with the same username. The profiler module of Recon-ng, or Micah Hoffman's What's My Name (the source of the Recon-ng plugin), can take a username and enumerate where else that username is used.

Now to the more sinister applications of OSINT for targeting people on dating sites. As I am not on any dating sites, I polled acquaintances and friends who do use them for specific data points. I asked them about the information required to create the account, whether the email was accessible to other users, the types of information that were requested of them by other users and the types of information that they asked other users for. I also asked whether those using dating sites used the same username or profile picture elsewhere.

As a result of this informal qualitative study, I was able to find a few vectors that could lead to a stalker or other malicious actor using OSINT to perpetrate unethical or illegal behavior. In this instance, an actor (ex-lover, attacker targeting the victim's employer, extortionist) could create an account on the desired platform. It could vary in accuracy from completely false to completely true (less their intentions). They could read their target's profile and adjust their own profile to be appealing to the target. Once connected, they could utilize social engineering techniques to build rapport and carry out the objective.

Going to a more extreme option, a user that has been rejected may have problems taking no for an answer. The person rejecting them uses their username on other social media platforms like Facebook, Instagram, and Twitter. The rejected party notes the person's username and downloads or takes screenshots of their pictures. From this point, the rejected party searches for other uses of the username and finds the victim's Facebook account and their real name. They also see where they are located and pictures of the outside of their house. To confirm their location, they correlate the images with reverse image searches and compare to previous real estate listings.

Based on the information uncovered, the rejected party can stalk and harass the victim or worse. Since this is outside of the terms of service of the dating site, the site is not legally responsible for the aggressor doing the correlation or for anything they do to the victim or their loved ones digitally or in real life. The only thing short of censorship the site could have done is require users to use anonymous usernames.

Also, through conversations, would-be attackers can make small talk with victims or, in some cases, just read the captions or text. They could frame password reset questions in clever ways to get things like the elementary school name, pet's name, street that the victim grew up on or the victim's mother's maiden name. This could spell disaster for the victim on many online platforms. Imagine if the endgame were for the attacker to target the victim's employer or to destroy the victim professionally. The scenarios above could certainly accomplish various types of reputational, emotional and physical harm.

How can one maintain a level of safety and security on these sites and still use them? Use a dedicated username on each dating site. Do not reuse it on any social media platform or email account associated with anything beyond the dating site. Be cognizant of lines of questioning that could lead to an adversary learning or initiating a reset of your password. Be cautious about what other information you provide and about meeting people in person. Practice caution when posting pictures. The background of the image could be used in reverse image searching and give away your location. Unless required to provide an ID, consider using a fake or partially fake name. Finally, exercise caution when tying your social media accounts to dating sites.
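The username-reuse pivot described earlier and the "dedicated username" advice above can be checked on your own accounts before anyone else does. The following self-audit script is an added example, not code from the article or from Recon-ng or What's My Name: it takes a constructed inventory of one person's accounts and flags any dating-site handle that matches a handle used elsewhere, either exactly or after stripping separators and trailing digits. The inventory, site names and the MIN_STEM threshold are assumptions.

```python
import re
from itertools import combinations

# Constructed sample inventory of one person's own accounts (not from the article).
ACCOUNTS = [
    {"site": "dating-site-a", "category": "dating", "username": "SkyWalker_84"},
    {"site": "facebook", "category": "social", "username": "skywalker84"},
    {"site": "gmail", "category": "email", "username": "alex.j.morgan"},
    {"site": "dating-site-b", "category": "dating", "username": "quietharbor"},
    {"site": "twitter", "category": "social", "username": "QuietHarbor2019"},
    {"site": "instagram", "category": "social", "username": "alexjmorgan"},
]

MIN_STEM = 4  # assumed threshold: ignore stems too short to be a meaningful match


def normalize(username):
    """Lower-case and drop separators so cosmetic variants compare equal."""
    return re.sub(r"[^a-z0-9]", "", username.lower())


def stem(username):
    """Strip trailing digits, the usual way people vary a reused handle."""
    return re.sub(r"\d+$", "", normalize(username))


def find_linkable(accounts):
    """Return (site_a, site_b, reason) for every pair that involves a dating
    account and shares a handle exactly or by stem. Pairs where neither side
    is a dating account are skipped; they are outside this audit's question."""
    findings = []
    for a, b in combinations(accounts, 2):
        if "dating" not in (a["category"], b["category"]):
            continue
        na, nb = normalize(a["username"]), normalize(b["username"])
        if na == nb:
            findings.append((a["site"], b["site"], "exact"))
            continue
        sa, sb = stem(a["username"]), stem(b["username"])
        if len(sa) >= MIN_STEM and sa == sb:
            findings.append((a["site"], b["site"], "stem"))
    return findings


if __name__ == "__main__":
    for site_a, site_b, reason in find_linkable(ACCOUNTS):
        print(f"{site_a} <-> {site_b}: handle linkable ({reason} match)")
```

Any line it prints is a handle that lets a reader of the dating profile walk to the other account, so it is the one to change.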

In conclusion, dating sites are not bad. They are a means for people to connect, meet and find love. In using them, it is vital to incorporate them into your threat model and adjust your behaviors accordingly. Also, consider the issues that various sites have had with data breaches including Adult Friend Finder, Ashley Madison, OkCupid and Zoosk to name a few. This should also be factored into your threat model.