Published by Leonard Sims. Modified over 6 years ago.
1
OkStupid & Plenty of Phish Dating Bots for Social Engineering Attacks
2
About Me… Justin Hutchens
Aliases - Hutch, Pan0pt1c0n, Gordo
Education – Masters in Information Systems
Certifications – OSCP, GPEN, GWAPT
Profession – Development, Information Security, Penetration Testing
Wrote “Kali Linux – Network Scanning Cookbook”
Languages – Python, Shell (PoSH or Bash), Mobile (Swift / Java)
3
How this all started? First, the security community invented “super passwords”. Unfortunately, it's really hard to remember that your password is =.voS`ShVf9(ge5{thd]{j2[N), so this dramatically increased the need for password recovery.
4
How this all started? Help desks do not want to take on the additional load of the increasing password resets, which is fine, because companies didn't want to pay for more help desk staff anyway. The result is a dramatic increase in demand for self-service recovery solutions.
5
How this all started? The solution becomes “security” questions
But the security industry warns this is a bad idea
6
A “secure” compromise?
7
So I had an idea…
8
What is a bot? An automated computer program that performs pre-defined actions on the Internet, in this case while masquerading as a human.
9
An Age Old Story… Guy meets girl Girl Seduces Guy
Girl steals compromising secrets that jeopardize national security and sells them to Russia
10
And today? Still true, only now the bar has been lowered SIGNIFICANTLY,
because now anybody can be the attractive seductress. You only think you are talking to her…
11
But actually talking to this guy…
12
Python libraries used?
Cmd
Mechanize
Beautiful Soup
13
…so started scraping profiles
14
Apparently scraping profiles did more than just gather data
Logging back in to the bot account after scraping profiles revealed:
353 New Visitors
265 Profile Likes
181 New Messages
15
Gender Trials? Went about like you would expect: the ratio of messages and responses received by female versus male bot profiles was approximately 100 to 1.
16
Building a Better Robot
During early testing, learned:
It is likely possible to minimize suspicion by enticing the victim to initiate the conversation
Far more effective when targeting men with female bots (roughly 100 to 1 in the gender trial)
What else can be done to “build a better robot”?
17
Fortunately, there were plenty of strategy guides
18
How to Date a Human if you are a Robot and don’t want the humans to know
Don’t use poor grammar and spelling
Use more than one photo
Don’t request to move to a different site
Don’t return immediate replies
Don’t be too good to be true
Don’t return absurd or nonsensical answers
19
So where to get our robot from?
Options Considered:
Clever-bot API
Custom Build (fuzzy string matching, machine learning)
Personality Forge (an entire sub-culture of chat bot enthusiasts)
20
Introducing Amanda20
21
Bot Controller Interface
22
How it works? The Bot Controller replaces placeholder fields in the bot's canned replies with the persona's Name, Age, School and State, and works the three target values into the conversation:
Recovery Question 1
Recovery Question 2
Recovery Question 3
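The substitution-plus-probe loop the slide sketches, as an added example in Python (the language of the libraries the deck lists). This is not the author's Amanda20 code: the persona, the canned lines, the three probe questions and the fuzzy-matching threshold are all constructed for illustration, and a `difflib` similarity ratio stands in for whatever matcher the real controller used.

```python
"""
A minimal bot controller of the kind the slides describe: persona fields
(name, age, school, state) are substituted into canned replies, the closest
canned pattern is picked by fuzzy string matching, and the three recovery
questions are worked into the chat as small talk. Added example, not the
author's Amanda20 code; the persona, canned lines and probes are constructed.
"""
import difflib
import re

# Constructed persona; every outgoing line is run through format_map with it.
PERSONA = {"name": "Amanda", "age": "20", "school": "State University", "state": "Texas"}

# (canned inbound pattern, reply template). Constructed for illustration.
CANNED = [
    ("hi", "Hey! I'm {name}, {age}, at {school} in {state}. How's your day going?"),
    ("how are you", "Pretty good, just got out of class at {school}. You?"),
    ("where are you from", "Born and raised in {state}. What about you?"),
    ("what do you do", "Student at {school} for now, I pick up shifts on the side. What do you do?"),
    ("want to meet", "Maybe once we know each other a bit better :)"),
]
FALLBACK = "Haha, tell me more about that."

# Recovery-question probes disguised as small talk, keyed by the question they answer.
PROBES = [
    ("first_pet", "Random question, my roommate just got a puppy. What was the name of your first pet?"),
    ("mother_maiden", "My mom is weirdly proud of her family name, lol. What's your mom's maiden name?"),
    ("birth_city", "Everyone says {state} is boring. What city were you born in?"),
]


def normalize(text):
    return " ".join(text.lower().split())


def best_canned(message, threshold=0.5):
    """Pick the canned reply whose pattern best matches the inbound message.

    A whole-word hit wins outright; otherwise difflib's similarity ratio is
    used, and anything below the threshold gets the generic fallback so the
    bot never returns an absurd answer to a question it has no line for.
    """
    msg = normalize(message)
    best, score = FALLBACK, 0.0
    for pattern, template in CANNED:
        if re.search(r"\b" + re.escape(pattern) + r"\b", msg):
            return template
        ratio = difflib.SequenceMatcher(None, msg, pattern).ratio()
        if ratio > score:
            best, score = template, ratio
    return best if score >= threshold else FALLBACK


class BotController:
    """Drives one conversation: substitutes the persona, records the answer to
    a pending probe, and asks the next probe every `probe_every` turns."""

    def __init__(self, persona=PERSONA, probe_every=2):
        self.persona = persona
        self.probe_every = probe_every
        self.turn = 0
        self.pending = None      # key of the probe awaiting an answer
        self.next_probe = 0
        self.answers = {}        # probe key -> raw answer text for operator review

    def reply(self, message):
        self.turn += 1
        if self.pending is not None:
            # Whatever came back after a probe is the candidate answer; the
            # operator still vets it through the controller interface.
            self.answers[self.pending] = message.strip().rstrip(".!?")
            self.pending = None
        text = best_canned(message).format_map(self.persona)
        if self.next_probe < len(PROBES) and self.turn % self.probe_every == 0:
            key, probe = PROBES[self.next_probe]
            self.next_probe += 1
            self.pending = key
            text += " " + probe.format_map(self.persona)
        return text


def reply_delay(text, chars_per_sec=4.0, think_s=2.0):
    """Seconds to wait before sending: a typing-speed delay so the bot does not
    return the immediate replies that give automation away."""
    return think_s + len(text) / chars_per_sec


if __name__ == "__main__":
    bot = BotController()
    for inbound in ["hi there", "how are you?", "Rex", "where are you from", "Smith"]:
        out = bot.reply(inbound)
        print(f"> {inbound}\n< (after {reply_delay(out):.0f}s) {out}")
    print("collected:", bot.answers)
```

The probe cadence and the delay function are the two "strategy guide" rules from the earlier slide made concrete: spacing probes out keeps the persona from reading like a questionnaire, and `reply_delay` is what a caller would `sleep` on before sending, since instant replies were one of the tells listed.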
23
And the results???
24
Some caught on…
25
Some became amusingly hostile…
26
Some were bots themselves…
…though far less sophisticated
27
But mostly…it just worked
28
Target Identification
…so who are we talking to?
29
Two Different Perspectives
Indiscriminate miscreant
Objective: Identify any user who provides the needed information
Approach: Begin with any victim and work backwards to identify them
Technique: Username reuse or image reuse
Advanced Persistent Threat
Objective: Identify targets associated with a specific company or organization
Approach: Identify the target first, then attack
Technique: Google dorking
30
Google Dorking
31
If all else fails…just ask
Hi, my name’s Alyssa. You seem interesting and I’d like to get to know you. But I’ve been in so many relationships with men who are lazy and can’t hold down a job. Hopefully that’s not you. Who do you work for, and are you on LinkedIn?
32
If you ask them…they will answer
33
How to Fix???
Dating services (or any social communication platform): implement bot detection/prevention capabilities (CAPTCHAs, rate monitoring)
Companies: DON’T use self-service reset portals on the Internet
People: don’t be STOOPID
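The rate monitoring this slide asks dating services for, as an added example that is not part of the original deck. It parses constructed message logs (the log format, account names and all values are made up here) and flags an account on three signals: raw messages per hour, the same text fanned out to many recipients, and replies returned too fast to have been typed, the last two being defender-side readings of the tells the "How to Date a Human" slide listed.

```python
"""
Rate monitoring over constructed message logs, the control the slides
recommend for dating services. Besides raw message rate it checks two more
signals the talk itself hands a defender: identical text fanned out to many
recipients, and replies that come back too fast to have been typed. Added
example, not part of the original deck; the log format and all values are
constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE = re.compile(
    r"^(?P<ts>\S+) from=(?P<frm>\S+) to=(?P<to>\S+) reply_ms=(?P<ms>\d+) text=(?P<text>.*)$"
)


def constructed_log():
    """Constructed sample (not real data): one bot account answering thirty
    different users with the same opener 800 ms after each inbound message,
    and one human-looking account replying at human speed."""
    t0 = datetime(2016, 3, 1, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (t0 + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} from=amanda20 to=user{i:03d} reply_ms=800 "
                     "text=Hey! I'm Amanda, 20, at State University. How's your day going?")
    human = [(300, 95000, "lol hi, good thanks"),
             (900, 143000, "what are you studying?"),
             (1800, 61000, "cool, want to grab coffee sometime?")]
    for secs, ms, text in human:
        ts = (t0 + timedelta(seconds=secs)).strftime(TS_FMT)
        lines.append(f"{ts} from=dave_h to=amanda20 reply_ms={ms} text={text}")
    return "\n".join(lines)


def parse(log):
    """Parse log lines into events; reply_ms is the delay after the peer's last message."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], TS_FMT), "from": m["frm"],
                       "to": m["to"], "ms": int(m["ms"]), "text": m["text"]})
    return events


def flag_accounts(events, max_per_hour=20, min_fanout=10, fast_ms=2000, fast_fraction=0.8):
    """Return {account: [reasons]} for accounts tripping any of three signals.
    Thresholds are illustrative and would be tuned per platform."""
    per_hour = Counter()
    fanout = defaultdict(lambda: defaultdict(set))   # account -> text -> recipients
    latencies = defaultdict(list)
    for e in events:
        per_hour[(e["from"], e["ts"].replace(minute=0, second=0))] += 1
        fanout[e["from"]][" ".join(e["text"].lower().split())].add(e["to"])
        latencies[e["from"]].append(e["ms"])

    findings = defaultdict(list)
    for (acct, hour), n in per_hour.items():
        if n > max_per_hour:
            findings[acct].append(f"rate: {n} messages in the hour from {hour:%H:%M}")
    for acct, texts in fanout.items():
        for recipients in texts.values():
            if len(recipients) >= min_fanout:
                findings[acct].append(f"fanout: identical text sent to {len(recipients)} recipients")
    for acct, ms in latencies.items():
        fast = sum(1 for x in ms if x < fast_ms) / len(ms)
        if fast >= fast_fraction:
            findings[acct].append(f"instant replies: {fast:.0%} sent under {fast_ms} ms")
    return dict(findings)


if __name__ == "__main__":
    for acct, reasons in flag_accounts(parse(constructed_log())).items():
        print(acct)
        for r in reasons:
            print("  -", r)
```

A CAPTCHA at signup stops only the cheapest bots; the per-account signals above catch a bot that already has an account, and a bot that slows itself down with a typing delay (as the deck advises) still trips the fan-out check, because its canned opener goes to many recipients verbatim.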
34
Github Repo? Find the code at:
35
Questions???