They used to pretend to be prostitutes. Now, Tinder spam bots pretend to be football fans.
Spammers took to Tinder soon after the matchmaking app went mainstream in 2013, setting up automated accounts to message lonely bachelors with ads for porn and webcam strip shows, according to reports from security firm Symantec.
Initially, their approaches were fairly transparent, using profile photos of scantily clad women and simplistic automated chat bots that immediately mixed dirty talk with links to sleazy subscription sites.
"It's usually, 'Hey, if you want to talk further, go to this link on this website, and you can see all my pictures there,'" Satnam Narang, a senior security response manager at Symantec who's written about the phenomenon, told me.
Some spammers set up accounts for made-up sex workers, posting sultry photos overlaid with explicit price lists, along with fake escort service links actually pointing to porn sites and dubious premium dating services of the "hot girls in your area" variety.
Occasionally, they'd market more family-friendly products as well. A set of Tinder spam bots, masquerading as women to promote the mobile strategy game Castle Clash, drew media attention last spring after spamming users with the unlikely promise to date men who could beat them at the game.
But lately, many Tinder spammers' approaches have grown subtler. They've migrated from lewd photos and explicit language to more plausible, girl-next-door-style pictures. And they've programmed their bots to try to mimic a normal conversation, hoping to trick users into providing their phone numbers before they realize they've been had, security researchers say.
"They're just average pictures of your average girl that you would encounter on Tinder, so it's harder to differentiate, 'Oh yeah, that's clearly a bot.'"
"They're just average pictures of your average girl that you would encounter on Tinder," said Narang, "so it's harder to differentiate, 'Oh yeah, that's clearly a bot,' while you're swiping through."
The newer bots respond more slowly to messages than older automated accounts, which would often contact new matches and conspicuously send flirtatious messages faster than any human could type, Narang explained.
"Clearly these actors are finding new ways to modify their scripts, changing how quickly they respond to messages," he said. "It won't happen for about 50 minutes, 45 minutes, then [you'll] get the message."
And rather than sending explicit messages and advertising links through Tinder itself, the new generation of bots will open with a quick compliment or attempt at flirtatious banter, then send a phone number or Kik username and ask would-be suitors to send them a text, according to Narang.
"If you message them through SMS, that's when they'll actually go through their scripted conversation, talking about how they want to go on an adult webcam site," he said.
Pindrop Security, which monitors online reports of phone fraud, said in an October blog post that it had seen increased numbers of Tinder-related text spam complaints, which it suggested might be the result of better spam detection by Tinder itself. Tinder didn't reply to requests to comment for this article.
Valerie Bradford, a Pindrop product marketing manager who contributed to that blog post, said one trend they do see with heightened online security, but that isn't necessarily exclusive to online dating hubs, is that "a lot of scammers will take the same scams to the phone channel."
While Pindrop's post cites a user report of an obvious bot sending its phone number in the first message, many do take a more measured approach. In one interaction posted to the Tinder subreddit just before the Super Bowl, a bot opened with a seemingly reasonable icebreaker, asking "Patriots or Seahawks?" before trying to move the conversation off the platform.
"I like you," the bot wrote, after complaining about a cheating ex. "Text me?"
Even that approach may seem simplistic, but spammers wouldn't keep targeting Tinder users if they weren't making money, said Narang. They typically include custom referral codes in the links they send and get paid for sending new users to the sites they're promoting, he said.
"If you can convince the person to actually sign up with a credit card for a premium service, that's how you get the big bucks," with some sites offering up to $6 per new registration, he said.
And since the proprietary protocol that connects Tinder's iPhone and Android apps to its servers has been widely documented—tech entrepreneur Yuri de Souza published code last summer that he used to automatically swipe right on all of his potential matches—spammers can build bots from open source code mimicking Tinder's internal interface or buy various commercial bots advertised online.
Take TindBot. Available for $95, "TindBot can be used by individuals wanting to meet more people, nightlife promoters trying to message a bunch of people in an area or businesses who want to communicate with young locals," according to the product's website. TindBot didn't respond to requests for comment.
And on various less-than-savory internet marketing forums, spammers trade tips for steering clear of Tinder's spam detection systems and not raising users' suspicions.
"Dont respond to msgs [sic] all at once or immediately; you will get busted pretty quick," wrote one forum user named cygon, who also advised spammers to flesh out their bots' accounts with photos and written profiles.
"Spend some time to make your bot more personal," cygon wrote. "Your conversions will skyrocket. Once a guy gets feels a little emotionally involved he will go above and beyond to get a date. Remember—most your leads/conversions will be from beta guys who are desperate to get their dicks wet."
This story is part of Motherboard's Sex Ed Week, a series of sex-focused science and technology stories. Check out more stories here.