Phishing

Love bait: How AI-driven phishing scams are hijacking Valentine's Day

by James Dyer
Published on 12th Feb 2024

With Valentine’s Day just around the corner, it comes as no surprise that Egress’ Threat Intelligence team is seeing an uptick in romance-based phishing attacks. In particular, they noted a 43% increase in attacks impersonating well-established dating apps, including Tinder and Hinge, between January 1 and February 5, 2024, compared with 2023. This is likely to increase further as the day draws closer. 

Tinder is the most impersonated dating app, with just over half (53%) of attacks pretending to be sent by the brand.  

Quick attack summary 

  • Vector and type: Email phishing 
  • Techniques: Impersonation and sextortion 
  • Payload: Malicious URL and social engineering tactics 
  • Targets: Organizations in North America and the UK 
  • Platform: Microsoft 365 
  • Bypassed secure email gateway and native security: Yes 

Leveraging artificial intelligence and open-source intelligence (OSINT) to personalize their emails, attackers are sending increasingly targeted impersonations of well-trusted brands, followed by sextortion emails that attempt to extort money from the victim. 

When analyzing the initial impersonation attacks, the Egress Threat Intelligence team found that the top dating apps being impersonated included:  

  1. Tinder (53.25%) 
  2. Bumble (22.88%) 
  3. Hinge (14.46%) 
  4. thursday.com (5%) 
  5. match.com (3.57%) 
  6. Other dating apps (0.84%) 

Using the gender field set in recipients’ Microsoft 365 accounts, the Egress team also noted that 85% of attacks had been sent to males, 10% to females, and 5% to other.  

What the attack looks like

Step 1) The initial impersonation attack 

In the attack analyzed below, the cybercriminal has sent a phishing email impersonating Tinder, using a highly stylized template that copies Tinder’s visual branding and tone of voice, which is intended to lower the recipient’s suspicion. The attacker has even included an email footer that is near-identical to Tinder’s legitimate footer, containing the correct address, privacy policy, and social banners to make the attack more convincing. The subject line reads ‘Someone from London matched with you on Tinder!’, which personalizes the attack to the individual and is in keeping with Tinder’s location-based matchmaking; the recipient’s location was most likely obtained through AI-assisted OSINT, as discussed in the analysis below.  

To increase deliverability, the attacker has also used polymorphic subdomains, subtly altering the domain part of the sending address on each phishing email. This makes it nearly impossible for security teams to block the campaign on the full sender address, because even if one address is blocked, the next email arrives from a slightly different one. The emails therefore get through technology that relies heavily on signature-based detection, as the newly generated sender addresses will not be on any known block list. Blocking at the level of the parent (registrable) domain, or requiring the sender domain to align with the impersonated brand’s authenticated domain, is far harder for the attacker to evade than blocking individual addresses.  

Additionally, polymorphic attacks typically take longer and are harder to remediate from within recipients’ mailboxes using traditional measures: where a PowerShell remediation script is keyed on a specific sender address, a new script is needed for each variant (unless the search is keyed on a broader attribute such as the parent domain or the subject template). This increases the length of time a target is exposed to the attack.  

Consequently, these combined impersonation techniques have made the attack deliverable, convincing, and ultimately incredibly difficult for the recipient to identify as suspicious.  

Once the email is in a target’s inbox, the cybercriminal’s intention is that the recipient will click the malicious URL, which asks them to enter their email address. This confirms to the attacker which recipient has interacted with the phishing email and leads to the second stage of this multi-step attack.   

Screenshot of phishing attack impersonating the dating app Tinder with subject line: ‘Someone from London matched with you on Tinder!’ 

Step 2) Gathering further information and sextortion attacks

If the attacker is successful in obtaining the victim's email address, a follow-up attack is launched with the intention of gaining more information about the victim that can be used at a later stage.  

It is likely the attacker will pretend to be another user of the dating app used in the initial impersonation attack and chat to the victim. The attacker may then be able to obtain personal information from the victim or push them to reveal compromising details.  

Using the information gathered, the cybercriminal will then launch a sextortion attack, like the one that can be seen in the image below.  

Screenshot of sextortion attack that uses social engineering tactics to extort money from victims, with anti-phishing banners added by Egress Defend.  

The email uses emotive and threatening language, such as ‘RESPOND! It’s better for you’ and ‘I doubt you’d want your family, friends and co-workers to know about it’, to pressure the recipient into paying into a bitcoin wallet, implying that the information the attacker supposedly holds would ruin the victim’s life if revealed.  

Like similar sextortion attacks the Egress Threat Intelligence team has identified in the past, the attack follows the format of stating the problem, the threat, the ‘solution’, the deadline to comply, and why reporting it would be futile.  

Step 3) Extortion and follow-up attacks

Looking up the bitcoin wallet referenced in the attack on a public blockchain explorer shows that funds are being transferred to it, i.e. some recipients are paying. However, even if recipients do not comply with the attacker’s demands, this is not the end of the story. The cybercriminal goes on to spam non-compliant recipients with ‘not-safe-for-work’ emails, which continue to claim that they hold crude information or photos of the recipient.  

In the example below, the attacker has included JPEG attachments which claim to be indecent images of the recipient.  

Screenshot of follow-up ‘not-safe-for-work' phishing email containing JPEG attachments, with anti-phishing banners added by Egress Defend. 

Egress Analysis

Using artificial intelligence to make attacks more convincing

The most common subject lines the Egress Threat Intelligence team identified when analyzing the attacks included:  

  • Someone matched with you on Tinder!  
  • Want to spend valentines with me? Message me back!  
  • Feeling lonely this valentines? Download Bumble today 😉 
  • Someone from <<INSERT LOCATION>> sent you a message on Tinder. 

Using an informal and conversational tone, these subject lines are very similar to legitimate emails from popular dating apps.  

However, the last subject line, which references a location, is the most interesting (and worrying). It is likely that cybercriminals have used artificial intelligence (AI) tools to perform an open-source intelligence (OSINT) search, identifying the recipient’s location from publicly available sources and data breaches to make the attack more personalized and, consequently, more convincing. 

At the beginning of 2024, the Egress team predicted the increased use of AI in attacks. Additionally, Egress’ latest Email Security Risk Report revealed that the use of AI within phishing attacks is keeping cybersecurity leaders up at night, with 61% losing sleep over AI chatbots being used to create phishing campaigns. 

Social engineering techniques designed to lower recipients’ suspicions 

It is not a coincidence that we observed a surge in dating-app impersonation attacks around Valentine's Day. By exploiting a seasonal topic, attackers employ social engineering tactics to reduce recipients' suspicions regarding the authenticity of the initial impersonation email. Individuals may frequently receive Valentine-themed emails in January and February from legitimate organizations, meaning they are more receptive to such messages and attackers are able to blend in with the email traffic.  

It is also interesting that Egress data identifies males as the main recipients of this attack, with 85% of emails sent to men compared with 10% sent to women. This suggests that cybercriminals believe men are more likely to fall victim to romance-based impersonation attacks, and that they tailor their messaging to a male audience.  

Identifying advanced phishing threats 

In this attack, the use of polymorphic subdomains makes it extremely difficult for technologies such as secure email gateways (SEGs) to detect individual emails within the campaign, because they rely heavily on block lists of known senders. Additionally, polymorphic attacks are difficult to remediate from within inboxes using traditional measures such as PowerShell scripts, as a new script is usually required for every sender variant. With significant time required for recipients to report the emails and for administrators to write and deploy the scripts, attackers are hoping their emails will sit for long enough (or even indefinitely) in the inbox, maximizing the opportunity for targets to interact with them.    
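The polymorphic-subdomain problem described in Step 1 and summarised above comes down to what the defender keys on: an exact sender address changes with every message, while the registrable (parent) domain and the subject template do not. The following is an added example written for this article, not Egress code or any Egress Defend logic. It groups a constructed batch of From headers and subjects by registrable domain, strips the per-recipient location token from the subject, flags messages whose display name claims a brand that does not own the sending domain, and compares how many messages an exact-address block list catches against a parent-domain rule. The sender addresses, subjects, and the brands’ legitimate domains (the `.example` names) are all constructed for the example, and the registrable-domain extraction uses a tiny stand-in suffix list rather than the full Public Suffix List.

```python
"""Campaign clustering that survives polymorphic sender subdomains.

Added example for this article (not Egress code). All sample data is
constructed; LEGIT_BRAND_DOMAINS is an assumption standing in for the
domains a brand publishes in its SPF/DMARC records.
"""
import re
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample headers: (From header, Subject). Messages 1-4 are the
# phishing campaign, each from a freshly generated subdomain; message 5 is a
# constructed legitimate notification from the brand's own domain.
SAMPLE_HEADERS = [
    ('"Tinder" <noreply@a1x9.mail-tinder-match.example>',
     "Someone from London matched with you on Tinder!"),
    ('"Tinder" <noreply@b7q2.mail-tinder-match.example>',
     "Someone from Manchester matched with you on Tinder!"),
    ('"Tinder" <noreply@c3k8.mail-tinder-match.example>',
     "Someone from New York sent you a message on Tinder."),
    ('"Bumble" <hello@zz41.bumble-alerts.example>',
     "Feeling lonely this valentines? Download Bumble today \U0001F609"),
    ('"Tinder" <noreply@notify.tinder.example>',
     "Someone from London matched with you on Tinder!"),
]

# Assumption: the domains each brand legitimately sends from.
LEGIT_BRAND_DOMAINS = {"tinder": {"tinder.example"}, "bumble": {"bumble.example"}}

# Stand-in for the Public Suffix List (use the real PSL in production).
_SIMPLE_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def registrable_domain(host):
    """Return the parent domain that an attacker actually has to register,
    e.g. 'a1x9.mail-tinder-match.example' -> 'mail-tinder-match.example'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in _SIMPLE_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def subject_template(subject):
    """Collapse the per-recipient location token so subject variants match."""
    return re.sub(r"\bfrom .+? (?=(?:matched|sent)\b)", "from <LOCATION> ", subject)


def claimed_brand(text):
    """Brand name mentioned in a display name or subject, if any."""
    lowered = text.lower()
    return next((b for b in LEGIT_BRAND_DOMAINS if b in lowered), None)


def cluster_campaigns(headers):
    """Group messages by registrable sender domain; flag brand impersonation."""
    clusters = defaultdict(lambda: {"messages": 0, "senders": set(),
                                    "templates": set(), "impersonation": False})
    for from_header, subject in headers:
        display, addr = parseaddr(from_header)
        domain = registrable_domain(addr.rpartition("@")[2])
        c = clusters[domain]
        c["messages"] += 1
        c["senders"].add(addr.lower())
        c["templates"].add(subject_template(subject))
        brand = claimed_brand(display) or claimed_brand(subject)
        # Display name says "Tinder" but the sending domain is not Tinder's:
        # that mismatch holds for every polymorphic variant.
        if brand and domain not in LEGIT_BRAND_DOMAINS[brand]:
            c["impersonation"] = True
    return dict(clusters)


def blocked(addr, exact_blocklist, domain_blocklist):
    """True if an exact-address rule or a registrable-domain rule matches."""
    addr = addr.lower()
    if addr in exact_blocklist:
        return True
    return registrable_domain(addr.rpartition("@")[2]) in domain_blocklist


def count_blocked(headers, exact_blocklist=frozenset(), domain_blocklist=frozenset()):
    """How many messages a given block list would have stopped."""
    return sum(blocked(parseaddr(f)[1], exact_blocklist, domain_blocklist)
               for f, _ in headers)


if __name__ == "__main__":
    for domain, c in cluster_campaigns(SAMPLE_HEADERS).items():
        print(f"{domain}: {c['messages']} msgs, {len(c['senders'])} sender(s), "
              f"impersonation={c['impersonation']}, templates={sorted(c['templates'])}")
    # Blocking the one reported address stops one message; blocking the
    # parent domains stops the whole campaign without touching message 5.
    print("exact-address block:", count_blocked(
        SAMPLE_HEADERS, exact_blocklist={"noreply@a1x9.mail-tinder-match.example"}))
    print("parent-domain block:", count_blocked(
        SAMPLE_HEADERS, domain_blocklist={"mail-tinder-match.example", "bumble-alerts.example"}))
```

The same grouping is what a remediation search should key on: one content search on the parent domain or the normalised subject template covers every polymorphic variant, rather than one script per reported address.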

Finally, the combination of high-level impersonation and social engineering tactics, including AI tools, means that individuals may find it very hard to identify the initial attack as a phishing email. As we can see from this campaign, the evolution of AI in phishing is only just beginning and organizations must adapt to protect their employees.  

Ultimately, identification and prevention of this type of advanced threat requires anti-phishing technology that does not rely on any single detection mechanism. Egress Defend takes a holistic approach to detection, combining AI models, a zero-trust approach, and linguistic, contextual and behavioral analysis to detect and neutralize emerging threats such as impersonation and zero-day attacks.