Love-GPT: How “single ladies” looking for your data upped their game with ChatGPT
2024-3-5 07:17:34 Author: decoded.avast.io

Have you ever wondered, looking at a profile of a potential dream match on a dating platform, who is actually sitting on the opposite side of the screen? Will they look the same when you meet? Did they change something in their bio to make them sound more impressive? Do they like the things they say they do? Or… do they even exist? 

Well, sometimes the answer is: No.  

We have discovered a tool (which is still being developed and improved) that provides vast functionality over several different dating platforms, providing the capability to create fake accounts, interact with victims, bypass CAPTCHA, anonymize the access using proxies and browser anonymization tools, and more. The author is also experimenting with ChatGPT, the now-famous text-based generative AI, to provide them with more streamlined and believable texts. Because of that, we decided to name the tool Love-GPT.

Overview

According to our data, the history of the tool goes back at least a decade. Its functionality was iteratively improved over time, adding newer dating platforms as they became more popular, as well as anonymization techniques and interaction methods. The program contains several Vietnam-related strings, functions, and other references, and we believe the author to be Vietnamese. 

In this blogpost, we will describe a version from 2023-06-06 (compilation date) with the main module version 347. Note that the tool contains different modules: for example, this main version contains version 544 of the Account Control Center module. 

ChatGPT functionality was likely added to Love-GPT around March 2023 (likely 2023-03-30, main module version 326). 

All versions we’ve seen are programmed explicitly in VB6, provided as a form application. Historically, these variants of module names existed at least at some point in time: 

  • account_control_center_alive_monitor_START_HERE.exe 
  • pof_reload_monitor.exe 
  • ringtones_runas_launch.exe 
  • ringtones_runas_login.exe 
  • scan_phone.exe 
  • virtualbox_pof_reg_CONTROLER_MONITOR.exe 

The tool further requires several additional apps for the whole toolset to function properly. As we will demonstrate, all of these are used to support anonymization of the access to the dating platforms, using proxies, creating a large number of fake accounts, getting and writing emails, and interacting with users. 

We can peek into the main module of Love-GPT below. The module contains several functionalities for interacting with users, including reading inboxes (getting answers and emails), browsing information about matches (the platforms’ way of indicating interest in the other user), sending likes, storing active cookies in a database, changing used proxy, and much more. There are also three different ChatGPT buttons providing a ChatGPT text generation functionality to the interactions.

The main module of Love-GPT

In total, the tool contains 58 different application forms, and it is out of the scope of this blogpost to list and describe all of them. However, we would like to show an additional one below, since it is essential for the whole toolset: the Account Control Center module. 

This module serves as a main hub for creation of fake accounts for all the supported dating platforms. It also supports scraping photos from the platforms, downloading HTML content about any visited page, using PowerTCP to extract cookies, using Multilogin, ProxyRental, Luminati, MountProxy tools for anonymization, and more. The tool also has a (weak) random generator for the new fake accounts’ passwords, and a random selector from a list of 1000 common US names. The built-in browser allows the operator to visually check the tool’s behavior, as well as manually interact on the visited page, when necessary, in case the automation is not enough.

Account Control Center with a built-in browser

Note that the tool we are describing here is huge and we might have missed some important aspects in its functionality or omitted them since they are out of scope for a single blogpost. We are still investigating parts of the program and they might be the subject of a follow-up blogpost(s) in the future.

Fake profiles and data harvesting

Database

As we already mentioned, the main goal of the tool is to create fake profiles on several dating platforms and to store/scrape data from the interactions with the platforms’ users, including their profile pictures, profile body texts, dates of communication, etc. 

In order to be successful in this goal, the tool uses three large databases, called CL Harvest (CL_db_harvest_db), pof_db (as of Plenty of Fish database), and gmail_db, to store a huge variety of information. Since all the databases are intertwined, likely because of historical reasons, we will from now on refer to them as a single database to simplify the analysis. 

The tool uses a Microsoft SQL Server as a database, orchestrating the communication using SQL Server Native Client (provider SQLNCLI10) from inside the program.

Login screen to access the local database with author’s default credentials

Stored information

Currently, the database structure contains approximately 180 different database tables in total (note that the number differs depending on the versions of the tool). We would like to mention at least a few of them, providing interesting insights into what data is being collected or created. We believe none of them need further description.

| Table name | Note |
|---|---|
| a_02_Okcupid_photo_db_scanned_from_okcupid | |
| a_02_Okcupid_photo_db_scanned_from_okcupid_age_group_1 | Age groups are described later |
| a_02_okcupid_about_text_db_age_group_3 | Profile “about” description texts |
| a_03_zoosk_replied_users | |
| a_07_ashley_accounts | |
| duyenso_create_fake_profile_current_setting | DuyenSo is a Vietnamese dating platform |
| email_addresses | |
| openai_chat_log | |
| openai_prompt_1st_contact_msg | |
| openai_prompt_ask_for_number | |
| openai_prompt_ask_for_number_for_OKCUPID | |
| openai_prompt_ask_for_number_INDIRECT_WAY | |
| openai_prompt_chat_template | |
| openai_prompt_profile_body_text | |
| pof_accounts_for_scan_new_users | |
| twilio_for_PVA_direct | PVA stands for “phone verified account” |
| twilio_phone_for_dating_2018 | |
| twilio_uk_mobile_number_database | |
| US_female_firstname_len_5 | “len” stands for “length” |
| US_male_firstname_len_5 | “len” stands for “length” |

Table listing just a few table names from the database

Furthermore, the tool saves images from the dating platforms into several directories: 

  • C:\fb_dating_all_avartar_temp\ (mind the typo) 
  • C:\fb_photo_set_temp\ 
  • C:\PIC for POF\BIG STORE\
  • C:\twoo_scanned_photo\ 
  • E:\FB dating girls photo by city\ 
  • F:\5K Female photos by hair color\ 
  • E:\temp_okcupid_downloaded_photo\ 
  • G:\duyenso_pics_from_pof
  • G:\duyenso_pics_from_pof_girls\ 
  • G:\duyen so acc photo - ready to up - girls\ 
  • G:\duyen so acc photo - ready to up - man\

Age groups

The tool categorizes the users into four different age groups: 

| Age group | Age range |
|---|---|
| | 30-37 years |
| | 37-49 years |
| | 49-60 years |
| No group | None of the above |

This serves as a filtering option, and it also shows what ages are interesting for the author/operator. We suppose this is due to the fact that the author is most likely using the stolen information to create further fake accounts. The age group might be an important aspect for setting up the fake age properly, especially with photos. 

Targeted dating platforms

We have identified 13 different dating and social discovery platforms that the tool interacts with, as of the 2023-06-06 analyzed version. The list of the dating platforms can be found below:

| Dating platform | Note |
|---|---|
| Ashley Madison | |
| Badoo | |
| Bumble | |
| Craigslist | Interested in “Personal” / “cas” section – “casual encounters” |
| DuyenSo | Vietnamese dating app |
| Facebook Dating | |
| likeyou.vn | Vietnamese social network and dating platform |
| MeetMe | |
| OkCupid | |
| Plenty of Fish | |
| Tagged | |
| Tinder | |
| Zoosk | |

The tool has several steps it takes in order to create the fake accounts, following the process of registering on the platforms. This often involves getting through CAPTCHA, verifying phone numbers (PVA), and creation of fake email addresses, usernames, and passwords. All these steps are performed by the tool, seeking the most automatic process possible. If any of the automations fail, the tool also contains a built-in browser that allows the operator to perform the steps manually. 

Note that Craigslist discontinued the “Personal” section during the FOSTA-SESTA acts in 2018 and we consider this functionality obsolete and not used in the program anymore. 

Historically, Love-GPT was interested in other dating sites/social platforms, too. For example, we could find traces of Twoo, Oodle, and Fetlife. These platforms, however, don’t have proper functionality incorporated in the tool anymore.

Using ChatGPT

During 2023, the author started to use ChatGPT to generate new profile descriptions as well as other prompts to interact with the dating platforms’ users. The author uses a ChatGPT API token which is hardcoded in the binary. 

We estimate that the ChatGPT functionality first appeared around March 2023 (likely 2023-03-30, main module version 326) and it is still under development. Some parts of the functionality still seem like a proof of concept, and we suppose they are not fully functional yet, while others already prove more potent. 

The functionality provides an interesting insight into the upcoming trend of using highly believable texts leveraging generative AI and large language models (LLMs). We can already see that tools misusing the generative AI platforms are emerging and this is likely one of the first in-the-wild examples of how it can be misused by bad actors. 

Overall, the tool contains these functionalities leveraging ChatGPT (both finished and under development): 

  • Create a fake profile description to be used on the dating platforms
  • Read the inbox on the dating platform and reply to messages 
  • Ask for a phone number 
  • Write a first contact message 
  • Chat from a template

In the current implementation, the tool uses these two ChatGPT models: 

  • text-davinci-003 
  • gpt-3.5-turbo

Request parameters

The tool uses different sets of parameters for the performed tasks, influencing ChatGPT via its API to perform as needed. For example, parameters for creating a profile body, ensuring diverse and short texts, are as follows: 

  • "temperature": "1"
  • "max_tokens": "60"
  • "top_p": "1"
  • "frequency_penalty": "0.5"
  • "presence_penalty": "0"

Note that for other prompts, temperature = 0.5 is usually used as well, scaling down the randomness. 

The tool uses “prompt” values in the API requests’ body to generate the output. In some of the cases, the whole context is provided to guide ChatGPT for the more precise results:

Just for the sake of demonstration, this is what ChatGPT usually returns for similar prompts:

The detailed description of the parameters available in the ChatGPT API can be found in the official documentation.

They tool to win

Love-GPT uses a large set of additional tools and components to stay hidden/anonymize its interaction with the dating sites and their users. It also contains additional components for it to operate, using communication tools and protocols, Android emulator, and OCR for CAPTCHA bypass.

Staying anonymous

The tool needs to use real-looking, fake request fingerprints to reliably access the dating platforms. Otherwise, the platforms could detect such activity and suspend/ban the accounts or bombard the access with CAPTCHAs and other anti-crawler safeguards. 

Below, you can find a list of the anonymization tools being used, with a short description. 

| Tool | Short description |
|---|---|
| AdsPower | Anti-fingerprinting tool using virtual browser profiles |
| FraudFox | Virtual machine and a tool for user-agent and device spoofing |
| Identory | Anti-fingerprinting browser platform, creating unique identities for any site |
| Kameleo | Anti-fingerprinting browser platform using virtual browser profiles |
| Luminati | Proxy network, allowing anonymity for data collection and web scraping |
| MountProxy | Residential proxy provider |
| Multilogin | Anti-fingerprinting tool using virtual browser profiles |
| ProxyRental | Residential proxy and dynamic IP provider |

To summarize, with this artillery, Love-GPT stays under the radar because no one can effectively distinguish connections coming from this specific tool and other regular users accessing the platforms. 

Communication components

Love-GPT can communicate with the users directly on the dating platforms. Because the platforms usually need to verify their users using unique email addresses or even require PVA accounts (phone verified accounts), the tool has complete email and phone number management. To achieve this goal, it uses these services and tools: 

  • Email services – Gmail, Yahoo 
  • PowerTCP
  • Pinger 
  • SMSpva (smspva.com)
  • TextFree 
  • TextNow 
  • Tropo
  • Twilio

SMSpva is a service for obtaining temporary phone numbers. Along with TextFree, TextNow, Twilio, and others, the toolset provides a convenient way to receive the SMS verification codes for PVA registration. 

The tool is also able to analyze and send emails from the created Gmail or Yahoo accounts’ inboxes, as well as forward emails to different addresses. 

Finally, Love-GPT also uses PowerTCP, or more specifically DartWeb.dll, to support network and communication-related traffic with the web.

Buying new domains

Love-GPT also has a system for buying new domains and making renewals of the already registered domains, including performing payments for the domains. Historically, this was being performed using Entropay. However, since Entropay’s consumer product was discontinued in 2019, we suppose the Love-GPT’s operator switched to some other similar consumer-based service, but that is not reflected in the code – virtual credit card information is stored on the author’s local database, not in the binary. 

The main purpose for this functionality is to set a domain forwarding through the registered domains. To achieve this, the tool uses an API to check the required domains availability, checking the auto-renewal options, as well as setting up the forwarding: 
https://api.name.com/v4/domains/ 

Android emulation

Since some of the platforms are mobile based, for example DuyenSo or the Facebook dating app, the tool uses LDPlayer to emulate a proper behavior on the supported dating platforms. 

The tool also uses a shared folder for exchanging files between the emulator and the local filesystem, mostly for transferring photos: 

  • E:\LDplayer_shared_folder_for_fbdating\

OCR and CAPTCHA

Quite an effort was made in Love-GPT to bypass CAPTCHAs. It uses two different Optical Character Recognition (OCR) tools for capturing texts: 

  • OmniPage 
  • DeCaptcher 

Love-GPT has a dedicated panel, a control center, to orchestrate the CAPTCHA bypassing functionality. 

CAPTCHA Control Center

Future work

During our research, we have discovered multiple additional tools with similar purposes, some of them even likely from the same author who is behind Love-GPT. These vary from more broad scrapers to highly specialized, for example just focusing on Tinder. This clearly shows the trend of automation in this field and ChatGPT can be useful in streamlining the interactions to harvest further data from the victims than they would share otherwise. 

Hashes

Hash Compilation date 
8071dc3dc1e7814f644f2745bbebab8c159763a3605b3615847772851b3960ce 2023-06-06 
cf809afcad7a2054a8c39a84443579d0c9d81ddf0233164bf2a4214a39b6206c 2023-03-30 
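
The indicators published in this post (the two SHA-256 hashes, the historical module names, and the working folders) can be turned into a small triage check for process and file events. The following is an added example, not code from the original article or from Avast; the event field names (image, sha256, target) and the sample events are constructed assumptions, and the severity rule (a name or folder hit alone is weak) is this example's own choice.

```python
import ntpath  # Windows path rules, so this also runs on a Linux log host

# Indicators copied from this article (hashes, module names, photo folders).
SHA256 = {
    "8071dc3dc1e7814f644f2745bbebab8c159763a3605b3615847772851b3960ce",
    "cf809afcad7a2054a8c39a84443579d0c9d81ddf0233164bf2a4214a39b6206c",
}
MODULE_NAMES = {
    "account_control_center_alive_monitor_start_here.exe",
    "pof_reload_monitor.exe", "ringtones_runas_launch.exe",
    "ringtones_runas_login.exe", "scan_phone.exe",
    "virtualbox_pof_reg_controler_monitor.exe",
}
DIRS = [d.lower() for d in (  # subset of the folders listed in the article
    r"C:\fb_dating_all_avartar_temp", r"C:\fb_photo_set_temp",
    r"C:\PIC for POF\BIG STORE", r"C:\twoo_scanned_photo",
    r"E:\temp_okcupid_downloaded_photo", r"G:\duyenso_pics_from_pof",
    r"E:\LDplayer_shared_folder_for_fbdating",
)]

def _under(path, directory):
    # Match the folder itself or anything below it, not look-alike siblings.
    path = path.lower().rstrip("\\")
    return path == directory or path.startswith(directory + "\\")

def triage(event):
    """Return (severity, reasons) for one constructed-schema event dict."""
    reasons = []
    hash_hit = event.get("sha256", "").lower() in SHA256
    if hash_hit:
        reasons.append("sha256 matches a published sample")
    if ntpath.basename(event.get("image", "")).lower() in MODULE_NAMES:
        reasons.append("image name matches a known module name")
    if any(_under(event.get("target", ""), d) for d in DIRS):
        reasons.append("file path is under a known working folder")
    if not reasons:
        return "none", reasons
    # Names and folders are easy to collide with or rename: one alone is weak.
    return ("high" if hash_hit or len(reasons) > 1 else "low"), reasons

# Constructed sample events; field names are assumptions, not a real log schema.
EVENTS = [
    {"image": r"C:\Users\op\Desktop\POF_RELOAD_MONITOR.EXE", "sha256": "0" * 64},
    {"image": r"C:\tools\main.exe", "sha256": sorted(SHA256)[0].upper()},
    {"image": r"C:\Windows\explorer.exe", "target": r"C:\fb_photo_set_temp_old\a.jpg"},
    {"image": r"D:\x\scan_phone.exe", "target": r"C:\PIC for POF\BIG STORE\1.jpg"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(triage(e), e["image"])
```
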

Article source: https://decoded.avast.io/threatintel/lovegpt-how-single-ladies-looking-for-your-data-upped-their-game-with-chatgpt/