For the most part, hacks are destructive and loathsome. But there are times when hackers do things that just have to make you smile. Take, for instance, the time they took over the then Russian President Dmitri Medvedev’s Twitter account and tweeted that electricity was going to be banned, or the time hackers switched the Spanish Prime Minister’s picture for one of Mr. Bean.
There are a number of others that more or less qualify as internet pranks rather than true hacks. Of these, none gave me more satisfaction than seeing that watering hole for insecure narcissists, Beautifulpeople.com, shaken to its cosmetic foundations. This occurred when someone introduced malware onto the site that allowed 30,000 of what the company called “less than aesthetically pleasing people” to become members. You see, usually it’s up to those already approved as members to decide whether new aspirants measure up to their high aesthetic standards. If you’re into the superficial, beautifulpeople.com is the site for you.
In any event, the so-called Shrek virus caused considerable distress among the beautiful people. After all, they had a reputation to maintain. They certainly couldn’t allow these second- or third-ranked specimens of humanity to tarnish their glowing facade. Gandhis, Mother Teresas, and nuclear scientists need not apply. This is a site for form over substance, and members wanted to keep it that way. But then the dilemma: what is the politically correct way to tell someone they’re ugly and can’t be on the site? After all, these 30,000 malware-approved people may have already been bragging to their friends about their baptism into the world of vacuous beauty.
In a master stroke of mixed metaphors, beautifulpeople.com managing director Greg Hodge stated that “we cannot just sweep 30,000 ugly people under the carpet.” Yeah, you’d need a pretty large broom and the intelligence to operate one. Hodge claimed they became suspicious when they suddenly received tens of thousands of new members over a six-week period, “many of whom were no oil painting”. We must assume here that Hodge has some familiarity with oil paintings, such as Van Gogh’s self-portrait, implying that Van Gogh could have been a beautifulpeople.com member had he been able to apply.
But back to Hodge’s dilemma. He tried to soften the blow of rejection by saying that he felt “very sorry” for these people “who believed, albeit for a short time, that they were beautiful”. He sent them all a “sensitive” and “carefully worded email” explaining the situation. The virus, Hodge claimed, came from a disgruntled employee whom he accused of “planting the virus like an evil Easter egg”. (I think we are all aware of how evil an Easter egg can be.) He also said that he would set up a helpline with counselors to help those who had been assigned to the ugly bin. Of the 30,000 rejects, only 4,500 were sent the $25-a-month refunds, leading some to think that this all could have been a wacky PR campaign. Not a smart move, if true, since it may lead those insecure beautiful members to wonder whether they were, in fact, beautiful after all. In this realm of uncertainty, they might decide to leave the site to find self-affirmation elsewhere.
This was not the first time this site had waded into the shallow waters of controversy, to use a metaphor. The site angered some by claiming Irish men were the ugliest in the world, with Irish women not far behind. Then there was the time the site tossed out 5,000 people for becoming ugly over the Christmas holidays by gaining too much weight.
Now, the main Shrek hack occurred in 2011. Since that time, critics have complained that the site is a scam: it will let anyone on for a free trial, make them think they’re good looking, and then ask them to pay up. Once hooked, the company hopes the victim will keep paying that $25 a month and hang around to get their dream girl/guy. This may be why recently over 2000 Americans and over 500 Brits were thrown off the site for “letting themselves go”. This, according to the company, refers to weight gain and “graceless aging”. Ejecting the less than attractive tends to quell fears that this site is not as exclusive as it claims. As one member wrote, “If the management failed to maintain the quality of the site by polluting the gene pool, most members would leave. It would make BeautifulPeople just like every other dating site – full of the kind of people you wouldn’t want to share an elevator with, let alone date.” (like those polluters of the gene pool, Gandhi and Einstein).
To be fair, regular, more conventional dating sites are also haunted by bots that sweep them to separate the pretty wheat from the attractively challenged chaff. You can find these programs/bots everywhere on the internet, and many of them are free. These bots troll the dating waters, selecting potential dates and automatically sending them well-constructed messages asking for a meeting. According to one user, unfortunately, “your inbox will be flooded with messages from girls you have absolutely no interest in”. Match.com is now using facial recognition software to find you the specific kind of beauty you are interested in…but it comes at a price, $5000 to be exact.
Dating site wars are heating up, and many are using less than ethical ways to attract members. The FTC has accused JDI Dating of using fake profiles to lure users into paying to join its sites. The victim would get a message from an attractive person, purportedly nearby, who wanted to talk to them but couldn’t until they joined the site. JDI Dating was charged over $600,000 for this scam. Yet hackers are doing much the same thing using the mobile dating site Tinder as their launch pad. Bots are also targeting dating sites, trying to steer people to sites they don’t really want to visit, often by engaging them in short chatroom conversations. (You can short-circuit bots by asking them to solve a simple math problem; come to think of it, this strategy might also work on beautifulpeople members.)
From a security viewpoint, the Shrek hack on beautifulpeople.com was pretty simple. It must have been a variant on the like-jacking hack that is openly available to purchase on the regular as well as the deep web (see my post on Social Engineering Attacks: Why Some of Your Friends are Non-Human). Despite its simplicity, the attack was surprisingly successful because it took advantage of an isolated gene pool of tech-challenged users. This led me to conclude that beautifulpeople.com is a site just waiting to be victimized. I think it could have been much worse for the beautiful people. They have all the earmarks of individuals who can be easily scammed with fake profiles and good phishing exploits. The site itself must also contain a wealth of personal information that could be used for identity theft or other criminal purposes. In fact, it is somewhat amazing that more of these dating sites aren’t routinely hacked.
Some have been. PlentyOfFish had the data of 30 million users exposed in 2011, and 42 million user records were compromised in a hack on Cupid Media. Russian dating site Topface had to pay a hacker to get its 20 million user email addresses back. They called it a payment to the person for exposing the vulnerability (yeah, sure). Eharmony had 1.5 million of its passwords hacked in 2012.
Security site Netcraft recently reported a sharp rise in scripts targeting dating sites. “The online dating sites targeted by the latest attack include match.com, Christian Mingle, POF (PlentyOfFish), eHarmony, Chemistry.com, SeniorPeopleMeet, Zoosk, Lavalife, amongst others. Only eight of the 862 fraudulent scripts on the server targeted banks.” These scripts are designed to steal usernames and passwords so that the attacker can log in as the actual user, which makes the attackers difficult for the site’s security to distinguish from legitimate members. These fake accounts are run by real people, often members of a crime gang, who attempt to form an actual relationship with the victim and slowly use the trust they build as a platform to con them out of money. Barring that, they may threaten the victim with humiliation by releasing compromising pictures unless they pay a fee. Site members could also become victims of ransomware attacks.
One-dimensional sites like beautifulpeople.com have targets on their backs. They announce their biggest vulnerability in the title of their site and restate it in their philosophic foundations. By using any fake but good-looking profile, a moderately intelligent attacker could maneuver a member into a compromising position that could make them, willingly or not, part with their money. But far worse than the financial losses, the victims may be psychologically devastated to learn that they were scammed by less than aesthetically pleasing people. Hodge should prepare for this by setting up a counseling hotline for those who find out the hard way that they were outwitted by people far less attractive than they are, and, by extension, forced to face the reality that intelligence and not beauty may be the more valuable component of the human gene pool.
Dating Site Scams can Affect Businesses
According to a recent survey, “More and more employees are spending time on dating websites than ever before. 59% of women and 62% of men have admitted to spending time on the likes of Match, Tinder and OKcupid sites.” It is no stretch to think that dating sites could be used to target companies by manipulating employees connected to their networks. Security architecture must take this possibility into account. Employees require the freedom to do what they want online (within company restrictions) without compromising sensitive data. Hardware separation can be the answer to this dilemma. Check out InZero’s Workplay architecture for more details.