Cybercrime Researcher Cautions Dating Sites
Posted: January 15, 2014 at 5:01 am, Last Updated: January 21, 2014 at 7:01 am
By Preston Williams
When George Mason University computer science assistant professor Damon McCoy conducted research on Twitter spam last year, he figured the results would be useful to a number of web-based businesses.
One enterprise that the cybercrime expert did not necessarily have in mind while doing his study was the online dating industry. So McCoy is amused, but pleased, that he has been invited to speak on Jan. 16 at the iDate Internet Dating Super Conference in Las Vegas.
This unlikely engagement has prompted good-natured ribbing from colleagues and friends, who now ask McCoy to send them his picture, just as a potential partner from a dating site might request.
Kidding aside, online dating is serious business, and dating sites are just as vulnerable to spammers as other “walled garden” online services that require membership, such as Twitter and Facebook, McCoy says.
Cybercriminals have found that they achieve a higher click-through rate on such closed-platform sites because users there feel they are in a more familiar and secure place and take more notice of messages on those services.
Spamming via e-mail requires hundreds of thousands of sent messages to achieve one click, says McCoy, who is based out of the Volgenau School of Engineering and who is an investigator with the Center for Evidence-based Security Research. With Twitter, the odds improve to one click in about 1,000 solicitations. Dating sites likely would result in an even higher click-through rate.
“You could see the same kind of problem hitting the dating industry,” says McCoy, who has dabbled on the dating sites himself. “They want to beef up their defenses before they get into the same kinds of problems as these other services.”
McCoy, in collaboration with Twitter and researchers from the University of California-Berkeley and UC-San Diego, bought in bulk 121,027 false Twitter accounts — they are openly advertised online — from 27 sellers during a 10-month period for their study called “Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse.”
Registering millions of fake accounts requires automation, so the researchers were able to detect registration signals and patterns that would indicate false accounts opened en masse. They also determined other ways cybercriminals skirt security methods. Some use software that bypasses “CAPTCHAs,” the scrambled numbers or letters sites use to keep out unscrupulous users. There are even sweatshop workers overseas whose job is to type in CAPTCHAs to assist with opening fraudulent accounts.
With the help of McCoy and the California researchers, Twitter was able to suspend several million bogus accounts. Niche sites such as iDate, though not as widely used as Twitter and Facebook, are equally susceptible to spam attacks and want to be proactive in thwarting them.
And, with Valentine’s Day approaching, dating site users might encounter solicitations from fraudulent visitors with dollar signs instead of hearts in their eyes.
“We’ve not found anyone selling bulk accounts for dating sites,” McCoy says. “But all it takes, as with most industries, is one clever entrepreneur to become successful, and the rest of the cybercriminals will join the bandwagon.”