Scammer of a Lonely Heart

It’s time for a risqué subject: looking for love on the internet. With myriad services promising chemistry-driven matches, dating game contestants have flocked to web services and apps. Despite this proliferation of new avenues, those in a particular rush to find company (in the form of ‘No Strings Attached’ encounters) have turned to a more familiar and less regulated referral service, Craigslist.

Unfortunately, the probability of communicating with another human being is astronomically low thanks to the high saturation of bots and spamming services. The fake listings are almost exclusively targeted at a male audience interested in immediate availability, and they promise multiple amenities for making fantasies come true. Upon responding to the listing, the user receives several staggered responses from different ‘women’ (including pictures) claiming that they’d like to meet, demanding pictures in return, and stating their less-than-demanding criteria for meeting up in person.

Bots eager to meet!

A cybercriminal’s motivation is almost exclusively monetary, and this is no exception. Tapping into the prudent fear of meeting someone off of the internet for a private interaction, the user is directed to a custom ‘verification site’ where they are given the opportunity to prove their age and good intentions… for a fee.

Preference: Bot4Male, not B4B

As if passing themselves off as eager women weren’t enough, the cybercriminals employ other social engineering tactics like claiming a variety of well-known safety and security certifications as well as mainstream media exposure.

Just because you read it on the internet doesn't make it true

Interestingly, while the spam emails are the same, the domains keep shutting down and being replaced by new ones, each designed with a similar template and registered under a whois privacy guarding service. These templates are being used for websites targeted at both U.S. and U.K. users.

As if paying 99 cents to arrange a non-existent meeting weren’t enough, there are reports that subsequent charges are made for embarrassing subscription services in amounts far surpassing the verification fee.

Knowing that these sorts of social engineering threats are best thwarted by the user’s judgment, Kaspersky Lab is committed to educating users to avoid high-risk situations. There are several red flags one should look out for in this situation:

  • Scams like these skirt the edge of acceptable online interactions by emulating legitimate resources like social networks, displaying fake indicators of trust like secure website logos, or even claiming mainstream acceptance through would-be endorsements from recognizable news channels.
  • Similarly, users should be wary of ‘bot behaviors’, as in the case of email correspondence where replies are not cogent and do not flow naturally.
  • Finally, while the allure of meeting new people for quick encounters may be enough for some to set their better judgment aside, providing credit card information should always be a red flag when dealing with little-known services of questionable intent.

You can follow me on twitter: @juanandres_gs
