Tinder spam campaign hides "handwritten" links in profile images

A new trend has emerged on dating apps like Tinder with spammers sneaking in links within profile images.

Multiple such Tinder spam profiles reviewed by BleepingComputer shared some common characteristics.

For example, nearly every profile had an image of an attractive person followed by another one showing an NSFW domain handwritten on a placard.

Spammers abuse profile images to promote spam domains

In a recent trend observed by BleepingComputer, a noticeable number of fake dating profiles have flooded Tinder.

These serve no purpose other than luring users in to visit spam links—leading to third-party dating or NSFW websites.

However, unlike with other dating apps, where spammers send unsolicited links to users via direct text messages, this slightly more clever technique abuses profile pictures to sneak in images of handwritten domains within them.

These fake Tinder profiles, seen by BleepingComputer, comprised mainly two profile pictures.

The primary profile picture is often that of an attractive person, followed by a second image with the spam domain inscribed on a placard or piece of paper, as shown below:

Moreover, a provocative bio text is yet another hook to lure the user into visiting the NSFW links.

What makes this trend going is that such custom-made images containing handwritten versions of links would be much harder to automatically detect or remove en masse.

Searching profiles for text strings representing malicious domains (e.g. in user's bio) automatically is a far easier job for any AI.

Dating apps continue to battle growing spam

Although Tinder might be a victim of this new trend, popular dating apps continue to battle the problem of growing spam and fake profiles.

For example, in the past few weeks, Grindr users have been receiving unsolicited links via direct messages from "blank" profiles that typically have no bio or a profile picture:

Other than being an obvious nuisance, such practices by malicious actors, and the very presence of fake profiles on online dating apps, pose serious risks to the safety and privacy of legitimate users.

In Grindr's case, however, because spam messages are often strings, it would likely be much easier for the company to sweep for and remove such text messages automatically.

In March this year, the company had said:

"Grindr is fighting and banning spam non-stop, 24/7, 365 days a year. Spam is our most reported and banned category."

"The fight against spammers, particularly on an instantaneous chat service where users seek significant privacy, is a big challenge," said Alice Hunsberger, Grindr's Senior Director of Customer Experience.

Using automation, Grinder states that it strives to detect and remove spam proactively, eliminating the need for the user to manually report it—although spammers have often remained a step ahead.

"We use a number of systems in the fight, including a new AI-powered service that helps us detect 'non-human' usage of Grindr."

"Though we are constantly surprised how often we find users with the amazing ability to behave like a machine," further explained Hunsberger.

Users on dating apps should refrain from visiting dubious links and ideally report spam profiles to keep online dating communities safe for everyone.

BleepingComputer reached out to Tinder and Grindr for comment well before publishing this article but we have not heard back.