Make a Date With Fraud

Rambo Tribble (1273454) writes "Netcraft is reporting that criminals are mounting massive phishing attacks through online dating sites. The scams are numerous and target multiple sites. Actual methods range from blackmail to 419-style scams. Characteristically, fraudsters hijack an existing account on one of the services, then use that as a portal to deliver a PHP script to compromise the site. 'The latest attacks make use of a phishing kit which contains hundreds of PHP scripts, configured to send stolen credentials to more than 300 distinct email addresses.' The BBC offers additional insights ."

Online dating losing market share

[xenoc_1]

Netcraft confirms it.

Re:

[Anonymous Coward]

You can catch a virus from on-line dating.

That explains it

[Nidi62]

I wondered why my date had me show up with a $50,000 money order......

Re:

[TapeCutter]

The money didn't upset me, it was the fraudulent photos they use as bait.

Re:

[Anonymous Coward]

Sure, please show us where to go to start finding dates. You go to a bar, you get barflies (pick your STD.)

Re:

[nukenerd]

Dating sites, where you go when you want to be judged by your selfies. Looking to meet someone with similar interests? Look elsewhere, loser.

Here we go : cue posts saying "My mother told me never to trust anyone I meet on a dating website".

Here's some more helpful advice :-

Never trust anyone you meet in a bar
Never trust anyone you meet in a theatre
Never trust anyone you meet at a party
Never trust anyone you meet in the street
Never trust anyone you meet on holiday
Never trust anyone you meet if arraged by a friend
Never trust anyone unless you already knew them before you were born

Perhaps you would like to advise us wh

Re:

[Average]

"Never trust" is an exaggeration. It's not a binary.

"Never trust anyone you meet at a party" is a very weak, nearly joking, version of 'never trust' Date them, but don't immediately trust them.

"Never trust some klatch of Ghanaian scammers who you've never actually met in person so much that you send them your entire life's savings and in fact go wildly into debt sending them more money" (as is the advice my uncle got repeatedly and ignored repeatedly) is a much stronger version of 'never trust'.

- can't fi

Re: selfies or it didn't happen

[Optali]

Another useful tip: Never get high on your own supply

In other words: Date-site security sucks...

[gweihir]

Nothing surprising here, the date sites are just attacked because the operators are to dumb do make their site secure and there are a lot of people there. Any other type of site with the same characteristics is equally a target, the connection to "dating" is pure coincidence.

Re:

[Anonymous Coward]

This comes as no surprise as most 'legitimate' dating sites are scams anyway.

Re:

[Anonymous Coward]

Operators are not dumb, management is cheap and they want everything done 5 hours ago. I know.

Re:

[gweihir]

From my experience, it is a combination of dumb operators and dumb management in most places. Finding either competent operators or competent management but not the other is exceedingly rare.

Re:

[rHBa]

If you read the Netcraft article you'll see that the summary is wrong. All it is is a phishing kit that's hosted on some other compromised server.

It's nothing to do with the dating site's security, more to do with the tech savy of their users.

Re:

[ortiooo]

These sites get attacked partly because users of dating sites usually have dumb passwords... And I always say to this: passwords should make way for 2FA! It seems difficult for a common user, but in fact 2FA world’s most convenient authentication method

Target audience.

[xxxJonBoyxxx]

Hmmm...posted to SlashDot...on a Friday night.

Re:

[TapeCutter]

Hmmm....it was posted Saturday morning in Oz.

Re:

[The New Guy 2.0]

Right night to post a dating alert... if you don't have a steady girlfriend, how are you going to meet her? The best way is to find the people you deal with too much... you know, like somebody who helps you too much at your favorite store or restaurant.

Parasite Entry?

[LifesABeach]

Looking at the code provided by NetCraft, and RTFA, it looks like a bogus php $_post transaction is sent to a php web service? So if the web service doesn't verify the inputs, then that would be an entry point where a script vectors in? I guess the real question is, "How to prevent a PHP script being executed when it is being read in as an $_post element? Another question is, "What command sequence causes this?"

Re:

[rHBa]

How to prevent a PHP script being executed when it is being read in as an $_post element?

Simple, don't:

<?php
eval($_POST['unvalidated_user_data']);
?>

(in fact don't eval at all, if you need eval you're usually doing something wrong)

Having RTFA, I interpreted it slightly differently. I think the supplied PHP code is uploaded to another, previously compromised server and it is used to send out phishing emails.

The unwary user then enters their login details on the compromised server (or if they are using an email client that displays HTML forms(!), within the email) the data is then

Re:

[Antique Geekmeister]

And of course, XKCD has an excellent cartoon about just this sort of problem:

              http://xkcd.com/327/ [xkcd.com]

It looks like little Bobby "Tables" has grown up, discovered herself, and changed her name and gender to Roberta "PHP".:

         

So it's....

[Hsien-Ko]

catphishing?

Misleading title

[charlesbakerharris]

At first blush, I figured "Make a Date With Fraud" meant someone had set up an entire dating service designed to introduce people to, well, me. A bit sad to see it wasn't that, honestly.

Re:

[MightyMartian]

That would have been a much better article.

Re:

[charlesbakerharris]

Great comeback, kid. Good try. Good effort.

Is It Just Me?

[Anonymous Coward]

Anyone else misread the headline as "Make a Date With Freud"?
What does this say about the relationship with my mother?

Re:

[rHBa]

Seeing as it's just a phishing kit that runs on any PHP enabled server, no, only Windows users are a prerequisite, not the OS itself. (Also an email client that displays functional HTML forms helps).

Anything good ...

[jklovanc]

Anything good can also be used for bad. If we don't do things because it could end up being use for bad then we don't do anything.

Scammers always looking for a target

[GoodNewsJimDotCom]

Scammers are some of the scum of the Earth because they think it is okay to do evil to their fellow man if it benefits them monetarily.

I used to use dating sites. Laugh it up, you're allowed. I lost a true love to stupidity once. Anyway in the process of using dating sites for 3 years, I would only get about a 1/70 ratio of people I message. One girl came on strong with a pet nam and I was a little worried, but hey I'll talk with whoev until it gets weird. Anyway it culminates with her being stuck in

Re:

[Anonymous Coward]

What if God has someone for you and created online dating sites to hook you up?

Re:

[GoodNewsJimDotCom]

That's a possibility, but I'm just done with them for now at least.

Re:

[Swave An deBwoner]

He is not going to like that.

Re:

[GoodNewsJimDotCom]

Well He's God, He saw it coming. He isn't surprised.

Re:

[Haoie]

1/70? Ouch.

Call it hindsight but maybe you should've been more selective in who to contact. You may have been writing to all the wrong people who have nothing in common with you.

Good luck for the future.

Re:Scammers always looking for a target

[nukenerd]

Anyway in the process of using dating sites for 3 years, I would only get about a 1/70 ratio of people I message.

Is that 1 in 70 reply, 1 in 70 you meet, or 1 in 70 you get to do whatever? I was in a dating club (pre-internet - it was letter based). Got about 25% replies, met about 5%, further dates with about 2%, went steady (as it was called, not the same as a LTR) with 1%, married 0.2%.

Someone said you should have been more selective in who to contact. I started that way, looking for certain personalities, but got very few replies; then I just wrote to all that were in a 5 year age bracket and not taller than me (there were no photos in that club). Suprisingly, I got on very well with girls who were quite opposite to me - dimmer and more outgoing, including an ex- Bunny Girl (not as exciting as you might think). FWIW I was mentally stable, not nerdy, quite well off, and not all that bad looking - which is assumed to be what girls look for, but it cetainly isn't, not these days anyway.

one of the reasons for me stopping to use dating sites is that if God has someone for me, he'll hook me up

I never met any girl outside of dating clubs, and by "met" I mean to have a social conversation > 10 seconds. It remains a mystery to me how people meet each other any other way.

Re:

[nukenerd]

Wow, don't know where to start here - someone who has worked for dating sites too.

> Got about 25% replies

Bullshit.

I believe you are thinking of dating websites. I was clear I was talking about my experience on letter-based dating clubs, FWIW. Maybe some difference there.

You're not going to find 25% of a random sampling of women that are interested in men and go to the trouble to reply... As OkCupid proved only 20% of women find men on onine dating sites attractive. The odds .... are not 125% like you claim. That's impossible.

It was not a random sample of women. They were women who by joining the scheme had expressed a wish to meet a guy, and I mostly wrote to ones sounding suitable in terms of age, attitude, culture etc. I would not have written to one eg who said they only wanted a vegeta

Plan B

[DoofusOfDeath]

If you can't make a date with fraud, you should at least shake hands with danger [rifftrax.com].

(One of the funnier RiffTrax imho. Worth the purchase price.)