A proof-of-concept demonstration of a man-in-the-middle social engineering attack using fake Tinder profiles to intercept and manipulate conversations between strangers.
This article is part of the research and development effort conducted by HERT (Hacker Emergency Response Team). It is not a production tool for either attack or defence within an information warfare setting. Rather, it is a project demonstrating proof of concept.
Using our own Tinder profile, we are going to look for males within 2km. The attack will be too slow if you live in a big town and extend the range.
The initial target has to be a male, the attack is less likely to succeed if we pick a female. Men propose, women dispose…
We swipe left until we find our target. We will call him, Bob.
We have to make sure Bob is attractive or the attack will probably not work. If in doubt we can ask a female friend.
We take a screenshot of Bob’s profile pictures and write down his biography.
Now we’ll create a fake Facebook profile for Bob. We’ll use the same first name and the same age.
Then we register our fake Bob on Tinder.
Let’s swipe right and super like every girl within 2km. In a big town like London, this step can take ages. Luckily, we can use a Chrome Extension called Flamite by @mrP1ng which will auto-like everyone.
Pick an attractive match or a super like response. We’ll call our second target Alice.
We create another fake facebook profile and register her on Tinder.
We’ll limit the search to 2km and swipe right until we find the original Bob.
We super like Bob and wait patiently for a reply.
“[…] conversations initiated by a Super Like last 70% longer.”
Bob “Hello :)”
Success! Our fish has taken the bait.
This is called a man in the middle attack.
“In cryptography and computer security, a man-in-the-middle attack (often abbreviated MitM, MiM attack, MitMA or the same using all capital letters) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.”
Bob “How are you?” => Fake Alice => Fake Bob => Alice
Alice “I’m fine. You?” => Fake Bob => Fake Alice => Bob
Bob “Always good :) Where are you?” => Fake Alice => Fake Bob => Alice
Alice “Shoreditch, you?” => Fake Bob => Fake Alice => Bob
Bob “I live next to Piccadilly Circus Any plans for tonight?” => Fake Alice => Fake Bob => Alice
Not only we can eavesdrop on the conversation of two strangers, we can also change their reality.
Let’s decide where they will meet!
We can add some spice.
At some point people exchange phone numbers and the Tinder convo stops. That’s not a problem..
We’ll need two SIM cards and two extra phones.
Register both phones for Messages, Facetime and Whatsapp… (we must not forget to add a profile picture for Whatsapp.)
When Alice or Bob exchange phone numbers… just substitute the numbers for the phone numbers you control.
That’s it, now we can relay SMS, iMessage, Whatsapp and even voice calls.
Relaying voice conversation is a bit tricky. The easiest solution is to reject the calls and only relay the voice mail messages. We can also answer the call and tell the person “can you just wait two seconds please?” Mute the call, call the other party and conference them with the speaker phones.
The simplest solution is to forward all incoming call but we won’t be able to eavesdrop anymore. If you are a tech, you can use two GSM cards and configure Asterisk, a free and open source communication server, to route and record the calls.
We can imagine all kinds of crazy scenarios… If we know Bob in real life and he’s cheating on his girlfriend, we can send her the logs or invite her to the same date. We could also play jokes to our friends and make them believe they have a really hot date.
Disclaimer: This article is for educational purposes only. This type of attack is illegal in many jurisdictions and violates privacy and identity theft laws. Do not attempt this attack in real life.
