January 21, 2020

What do online file sharers want with 70,000 Tinder images?

By Danny Bradbury

A researcher has discovered thousands of Tinder users’ images publicly available for free online.

Aaron DeVera, a cybersecurity researcher who works for security company White Ops and also for the NYC Cyber Sexual Assault Taskforce, uncovered a collection of over 70,000 photographs harvested from the dating app Tinder, on several undisclosed websites. Contrary to some press reports, the images are available for free rather than for sale, DeVera said, adding that they found them via a P2P torrent site.

The number of photos doesn’t necessarily represent the number of people affected, as Tinder users may have more than one picture. The data also contained around 16,000 unique Tinder user IDs.

DeVera also took issue with online reports saying that Tinder was hacked, arguing that the service was probably scraped using an automated script:

In my own testing, I observed that I could retrieve my own profile pictures outside the context of the app. The perpetrator of the dump likely did something similar on a larger, automated scale.

What would someone want with these images? Training facial recognition for some nefarious scheme? Possibly. People have taken faces from the site before to build facial recognition data sets. In 2017, Google subsidiary Kaggle scraped 40,000 images from Tinder using the company’s API. The researcher involved uploaded his script to GitHub, although it was subsequently hit by a DMCA takedown notice. He also released the image set under the most liberal Creative Commons license, releasing it into the public domain.

However, DeVera has other ideas:

This dump is actually very valuable for fraudsters seeking to operate a persona account on any online platform.

Hackers could create fake online accounts using the images and lure unsuspecting victims into scams.

Read more at https://nakedsecurity.sophos.com/2020/01/21/what-do-online-file-sharers-want-with-70000-tinder-images/

FBI seizes credentials-for-sale site WeLeakInfo.com

By Danny Bradbury

The FBI has seized the domain for WeLeakInfo.com, a site that sold breached data records, after a multinational effort by law enforcement.

Authorities have arrested two 22-year-old men alleged to have operated the site. Based in Fintona, Northern Ireland, and Arnhem in the Netherlands, they are believed to have made over £200,000 (about $260,000) between them from the site.

The Internet Archive’s Wayback Machine first shows WeLeakInfo.com surfacing in April 2017, advertising itself as “the Most Extensive Private Database Search Engine”.

The FBI and the District of Columbia explained that the site had harvested over 12 billion records from over 10,000 data breaches, including names, email addresses, usernames, phone numbers, and passwords. The site disclosed records relating to data breaches of sites including Chegg.com, StockX, Dubsmash, and MyFitnessPal.

Customers could subscribe to WeLeakInfo.com for as little as a day, paying a minimum of $2 in return for unlimited access. UK authorities also found links between the site and sales of remote access trojans (RATs) and cryptors (tools that obfuscate malware code to avoid detection). It was available both online and via the dark web service Tor.

Read more at https://nakedsecurity.sophos.com/2020/01/20/fbi-seizes-credentials-for-sale-site-weleakinfo-com/

FBI to inform election officials about hacking attempts

By Danny Bradbury

File this in the “What? They didn’t do this already?” pile: The FBI has announced that it will tell local election officials when hackers try to infiltrate their systems. Now, when state actors rattle the doors on election systems around the country, the people responsible for operating them will get to hear about it.

This year is shaping up to be the most challenging yet when it comes to election security. In 2020, cyberattacks against the US election will be more sophisticated than they were in the run-up to the 2016 vote. So said Shelby Pierson, the election security threats executive for the Office of the Director of National Intelligence, speaking at an Election Assistance Commission event earlier this month.

It’s probably a good idea, then, for the FBI to warn local and state election officials of hacking attempts, and last week, it announced just that.

For those of you wondering why the FBI wasn’t doing this already, the problem thus far has been the fragmented nature of the US election system. Each state has a chief official in charge of elections, but local governments and officials own and operate election systems on the ground.

Read more at https://nakedsecurity.sophos.com/2020/01/20/fbi-to-inform-election-officials-about-hacking-attempts/

Teen entered ‘dark rabbit hole of suicidal content’ online

By Lisa Vaas

You’re fat. You’re worthless. You don’t deserve to be alive.

Those are the kind of comments left on social media posts as innocent as a picture of a flower, as Sarah Lechmere – who has struggled with eating disorders – told the BBC. Social media posts also pointed her to pro-anorexia sites that gave her “tips” on how to self-harm, she said.

This is precisely why UK psychiatrists want to see social media companies forced to hand over their data – and to be taxed into paying – for research into the harms and benefits of social media use. The report, published by the Royal College of Psychiatrists, contains a foreword written by Ian Russell, the father of Molly Russell, a 14-year-old who committed suicide in 2017 after entering what her father called the “dark rabbit hole of suicidal content” online.

Ian Russell describes how social media’s “pushy algorithms” trapped Molly, sequestering her in a community that encourages suffering people not only to self-harm but to also avoid seeking help:

I have no doubt that social media helped kill my daughter. Having viewed some of the posts Molly had seen, it is clear they would have normalized, encouraged and escalated her depression; persuaded Molly not to ask for help and instead keep it all to herself; and convinced her it was irreversible and that she had no hope.

… Online, Molly found a world that grew in importance to her and its escalating dominance isolated her from the real world. The pushy algorithms of social media helped ensure Molly increasingly connected to her digital life while encouraging her to hide her problems from those of us around her, those who could help Molly find the professional care she needed.

Ian Russell backs the report’s findings – particularly its calls for government and social media companies to do more to protect users from harmful content, not only by sharing content but also by funding research with a “turnover tax” that will also provide training for clinicians, teachers and others working with children, to help them identify children struggling with their mental health and to understand how social media might be affecting them.

Read more at https://nakedsecurity.sophos.com/2020/01/20/teen-entered-dark-rabbit-hole-of-suicidal-content-online/

Facebook and Instagram ban alleged ‘brainwashing’ service

By John E Dunn

Updated to include response from Elliot Shefler.

Have you ever tried to persuade a friend or family member to do something they don’t really want to?

Not easy – the person being persuaded knows you’re trying to persuade them, which makes them more likely to question your motives and resist.

Now imagine there was a way to persuade that individual to agree with your wishes by feeding them advertising on your behalf without them being aware that’s happening.

It’s the principle on which a lot of internet advertising is based, which presumably is where the idea for a startup service called the Spinner came from.

Just as conventional advertising tries to target groups of people, so the Spinner personalizes “subconscious influencing” for a specific person and no one else.

Cease and desist

Facebook and Instagram have just banned the service from their platforms.

According to the BBC, Facebook is so hostile to the Spinner that it’s even sent the company a formal cease and desist.

The problem? Facebook’s letter accuses the Spinner of targeting its users via fake accounts and fake pages, activities which violate the company’s ad policies. A Facebook spokesperson told the BBC:

We have no tolerance for bad actors that try to circumvent our policies and create bad experiences for people on Facebook.

Read more at https://nakedsecurity.sophos.com/2020/01/20/facebook-and-instagram-ban-alleged-brainwashing-service/
