There is very little about phishing messages that is surprising. Often they appeal to the lowest form of intelligence in order to catch their target out, or use social engineering or clever tactics to trick people into handing over their banking details.
A new tactic that emerged this week uses the lure of a $90 credit for a recipient's participation in a survey on McDonald's. The email asks for five minutes to answer questions on the products, assuring users 'that we will not ask you about any personal information'.
So far this is quite a clever scheme, particularly as the website the email links to puts on a good show of quizzing the user about their favourite McDonald's food and drinks. In return for participation the $90 will be credited, meaning that banking details have to be submitted, with the user's driver's licence, credit card and CVV also required.
Chester Wisniewski, senior security advisor at Sophos Canada, who highlighted the threat, said: “I am always surprised that people think they can win $90 in a survey or that they may have won £3 million in a UK lottery they never entered. Doesn't anyone wonder how on earth McDonald's or the UK lottery got their email address in the first place?”
As we have highlighted with the ESPN Soccernet phishing campaign, it is now becoming less of a case of assuming people want to inherit tens of millions of pounds from an African prince or will want to watch a video of a celebrity in a compromising position, and more about a financial or voucher reward for answering a few questions about the Big Mac.
This particular phishing campaign has its flaws, such as the text of the email using Cyrillic as its default character set, but what is concerning is how easy it is to miss, and how many will be fooled by it.