The Geography of Online Dating Fraud
Total Page:16
File Type:pdf, Size:1020Kb
1 The Geography of Online Dating Fraud Matthew Edwards∗, Guillermo Suarez-Tangily, Claudia Peersman∗ Gianluca Stringhiniy, Awais Rashid∗, Monica Whittyz ∗Cyber Security Group, Department of Computer Science, University of Bristol, UK yInformation Security Group, Department of Computer Science, University College London, UK zCyber Security Centre, WMG, University of Warwick, UK Abstract—This paper presents an analysis of online dating their site via known web proxies and similarly allocated IP fraud’s geography. Working with real romance scammer dating blocks. There are however limitations to the effectiveness of profiles collected from both proxied and direct connections, these countermeasures, with privately hosted or intentionally we analyse geographic patterns in the targeting and distinct characteristics of dating fraud from different countries, revealing disguised proxies escaping the checks of proxy listing services. several strong markers indicative of particular national origins The real location, even at a national level, of the creators of having distinctive approaches to romance scamming. We augment the scam profiles is of interest both to law enforcement and IP geolocation information with other evidence about the dating for other preventative efforts – not only for the purpose of profiles. By analysing the resource overlap between scam profiles, identifying that a given profile is a scam, but for following up we discover that up to 11% of profiles created from proxied connections could be assigned a different national origin on with appropriate countermeasures once a significant origin of the basis of text or images shared with profiles from direct scams has been identified (e.g., contacting local law enforce- connections. Our methods allow for improved understanding ment, funding targeted preventative campaigns). This paper is of the origins of dating fraud, beyond only direct geolocation the first study we know of to address this topic. of IP addresses, with patterns and resource sharing revealing In this paper, we use a dataset of real online dating scam approximate location information which could be used to target prevention campaigns. profiles which includes profiles created via both proxied and direct connections. We set out to answer the following research questions: I. INTRODUCTION • Where does dating fraud come from? What does IP The online romance scam is one the most prevalent forms of geolocation evidence tell us about the origins of profiles mass-marketing fraud in many Western countries. False dating created via direct connections, and how does this connect profiles are created by scammers as a prelude to a sustained to the locations given in the profiles? false romance, during which the target is repeatedly defrauded • Do profile elements get reused internationally? Does of large sums of money. The impact on victims in terms of reuse suggest different origins for dating profiles? Can both monetary loss and emotional harm can be substantial. we complement IP geolocation by examining profile However, technical analysis of the methods used by these elements being reused between unproxied and proxied scammers remains sparse, with few quantitative analyses of connections? attacks and attackers. • Does dating fraud from different regions present Previous work has explored victim understanding of the different characteristics? Do countries tend towards scam process in interview settings [1], text reuse in romance certain forms of romance scam in a distinctive manner? scammer approaches via Craigslist [2] and strategies deployed In Section II below, we describe the available data, and note in an anonymous Chinese dating site [3]. A major unaddressed its limitations. In Section III below, we outline the significant hurdle for combatting this fraud is understanding its true origin countries within the SOURCE dataset, and the national global origins, as misrepresentation of location is common. locations those profiles present. In Section IV we look at Uncertainty about location and international legal obstacles text and images being shared between romance scam profiles, can hinder investigation and prosecution. and what these patterns suggest about the PROXY dataset. The locations scammers give in their profile are typically In Section V, we examine the major scam origin nations regarded as being as false as the profile picture, calculated to to identify patterns in other elements of the profiles, before attract the interest of their targets [1]. Dating sites record the concluding in Section VI with a discussion of the policy IP addresses used by scammers in creating and accessing their implications of this analysis. profiles, and may compare those addresses to blacklists or use the IP geolocation (especially when compared to the profile’s II. DATA SOURCE declared location) to inform a judgement about the likelihood The data used in this paper comes from a public online that a profile is genuine. In response, most scam profile dating scamlist maintained at scamdigger.com, which offers authors make use of web proxies to disguise their IP address up romance scammer profile data for public awareness. An connection information, and so they appear to be using a exhaustive collection of the 5,402 scam profile instances, as connection from the location given in their profile information. collected during March 2017, was examined with respect to Dating sites are predictably countering by banning access to two sources of geographic information: 2 1) The location given in the scammer dating profile infor- these types of fraud. The next largest origins, Malaysia and mation. South Africa, are also well-known for producing other forms 2) The IP address used to create the profile, as reported by of internet fraud. All of the listed nations score below 50 the dating site. on the 2016 Corruption Perception Index [6], except for the Other profile elements of note include the age, gender, United States and the United Kingdom, suggesting these may occupation, marital status and self-description, which are be unusual cases. analysed in detail in related work. Of the two sources of geographic information, the former was recorded as a string, Nation Count Proportion often specifying location to a city level. This was geocoded 1 Nigeria 488 0.302 2 Ghana 216 0.134 to lat/lon coordinates and a standard format through queries 3 Malaysia 178 0.110 to the Open Street Map’s Nominatim service1. For the sake 4 South Africa 140 0.087 of brevity, the locations given in profiles are referred to as the 5 United Kingdom 86 0.053 6 United States 57 0.035 presented locations. 7 Turkey 50 0.031 The IP address information was mapped to a location 8 India 47 0.029 through the use of a geolocation service 2, providing both coor- 9 Togo 41 0.025 10 Senegal 40 0.025 dinates and structured address information. Some 368 records 11 Philippines 29 0.018 contained no IP address information and were excluded, 12 Ukraine 28 0.017 leaving 5,194 profile instances. Of the IP addresses used, 13 Russia 24 0.015 14 Ivory Coast 23 0.014 many (67.9%) have been identified as known web proxies or 15 Kenya 22 0.014 VPN end-points by the dating site, raising doubts about the reliability of the inferred geographic location. For this purpose, TABLE I: The SOURCE countries for > 20 scam profiles we separate the data into the SOURCE (i.e., un-proxied users) and PROXY (i.e., proxied users) subsets, of 1,666 and 3,528 Figure 1 plots the major scam origins against their profile’s profiles respectively. It is possible that IP addresses from presented location, as directional arrows weighted by volume the SOURCE dataset are in fact unknown proxies, perhaps of scams. The United States is the location most commonly shared secretly amongst criminals, and similarly, it is possible presented in dating profiles, at 63% of the SOURCE dataset, that PROXY users are only masking their specific connection followed by the UK (11%), Germany (3%) and Canada (2%). information rather than their national origins. We address these As presented locations are usually indicative of the victims’ possibilities below as they touch upon our results. nationality, we can understand the data as reporting that Some important limitations of the data source must residents of the US are the major target of romance scams, be acknowledged as context for our analysis. Firstly, the followed by those of other western nations. scamdigger.com site is primarily a scam-list for profiles sub- Africa: Most African sources focus their attention on the mitted to a particular dating site, datingnmore.com, which major western targets reported above. A notable exception reviews submitted profiles with particular focus on online is a cluster of profiles from Ghana which appear to report dating fraud, and lists those identified as scammers either at their location accurately. This may be a simple reaction to a registration or after interaction with members. The profiles scam-detection methodology which uses mismatches between presented are thus those of scammers that attempt to target presented and IP-geolocated locations3; or could represent a this particular dating site, which may be a source of unknown more ‘honest’ scam format aimed at extracting funds through bias. As with almost all criminal data analysis, these are also straight seduction. A similar but smaller group appears in those dating fraud profiles from scammers who have been South Africa. Other exceptions include a small cluster of pro- identified or caught, and it is possible that they are not rep- files from South Africa and Ghana which present their location resentative of a more skillful subpopulation, which could also as Iraq and Afghanistan. These are classic “military scam” be geographically biased. The former issue could be explored profiles, purporting to be members of the US military stationed further through comparison with statistics from other dating overseas. A small number of Nigerian profiles present their sites, where they can be persuaded to release this information.