Dozens of companies impersonated in evolving 'Three Questions Quiz' scam

News by Bradley Barth

There's no question about it: the "Three Questions Quiz" is a scam, regardless of which legitimate brand it's attempting to imitate.

A new blog post from Akamai Technologies identifies 78 unique brands impersonated over the past year by a well-established online phishing scheme. Victims are tricked into handing personal information to the operator of a malicious website after supposedly winning a prize for answering three questions.

"The ability to abuse 78 different brands shows the scale and level of sophistication that these campaigns have," wrote report author Or Katz, principal lead security researcher at Akamai. "The wide usage of the same toolkit, abusing 78 different brands by the same threat actors in many cases, implies coordination at scale, which isn't something you see in a one-off campaign. Those responsible for these attacks are trying to impact as many victims as possible with minimal effort."

Akamai studied the evolution of this scam by observing 689 "Three Questions" phishing campaigns targeting four industries: airline travel (32.34 percent of malicious domains, targeting 23 companies), retail (32.69 percent of domains, targeting 21 companies), food (27.94 percent of domains, targeting 21 companies) and entertainment (7.03 percent of domains, targeting 13 companies). Examples included Kroger, Dunkin’ Donuts, United Airlines, JetBlue, Target, Outback Steakhouse and Disneyland.

Although the fake quizzes are customised according to brand, they all have certain commonalities, starting with the use of free questions pertaining to the brand itself. They also tend to use language that incites the user to act quickly – for instance, suggesting that the offer will expire soon. And they employ phony social media profiles that appear to lend credence to the scam.

"These fake users appear on the phishing website as an integrated plugin for social networks, but what the user is actually seeing is embedded JavaScript code on the phishing site," wrote Katz. "These fake users are presented as a reference and supporting evidence of ‘others’ who have also won prizes after taking the quiz."

After completing the quiz, victims are told they have won a prize associated with the brand in question (for example, airline tickets), provided that they supply some information about themselves. Victims are also required to share a link to the scammer's domain on various social networking platforms, which helps the scam spread across the internet.

"The social aspect to the quiz-phishing is a clever trick by the scammers, as such functions can be used to avoid some security controls, and it limits mitigation capabilities, since social network applications are mostly used on mobile devices."
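The traits described above (a short brand-themed quiz, urgency wording, "social proof" drawn by the page's own JavaScript rather than by a real social network widget, and a share step gating the prize) can be turned into a simple page-triage heuristic. The following is an added example, not code from the article or from Akamai's analysis of the toolkit: the two HTML samples are constructed for the demo, the "Acme Airlines" brand is fictitious, and the wording patterns and the use of `<fieldset>` to count questions are assumptions about how such pages are built, not signatures taken from the real campaigns.

```javascript
// Added example, not from the article or from Akamai. Heuristic scorer for
// the traits the article attributes to "Three Questions Quiz" pages.
// All regexes and the constructed HTML samples below are assumptions.

const INDICATORS = {
  // "Offer expires in 10 minutes", "limited time", "only 5 prizes left"
  urgency: /\b(expires? (soon|today|in \d+ (minutes?|hours?))|hurry|limited time|only \d+ (prizes?|left))\b/i,
  // Prize announcement shown after the last question
  prize: /\b(congratulations|you (have )?won|claim your (prize|reward|tickets?|gift card))\b/i,
  // Share step required before the prize is "released"
  shareGate: /\bshare (this|it|the link)\b|\bsend (this|it) to \d+ (friends|groups|contacts)\b/i,
  // Fake testimonials: an inline <script> carrying an array literal of
  // "comments"/"winners" that the page renders itself (tempered so the
  // scan stays inside one <script> element)
  inlineFakeComments: /<script\b[^>]*>(?:(?!<\/script>)[\s\S])*?\b(comments|winners|testimonials)\s*[:=]\s*\[/i,
};

// A genuine social widget is an iframe served from the network's own origin.
const REAL_SOCIAL_WIDGET = /<iframe\b[^>]+src=["']https:\/\/(www\.facebook\.com\/plugins\/|platform\.twitter\.com\/)/i;

// Assumption for the constructed samples: each quiz question is a <fieldset>.
function countQuestions(html) {
  return (html.match(/<fieldset\b/gi) || []).length;
}

// Returns the indicator names that fired plus a coarse verdict.
function scoreQuizPage(html) {
  const hits = [];
  for (const [name, re] of Object.entries(INDICATORS)) {
    if (re.test(html)) hits.push(name);
  }
  // Self-rendered "comments" with no real widget anywhere is the strongest tell.
  if (hits.includes('inlineFakeComments') && !REAL_SOCIAL_WIDGET.test(html)) {
    hits.push('noRealSocialWidget');
  }
  const q = countQuestions(html);
  if (q >= 2 && q <= 4) hits.push('shortQuiz');
  return { hits, score: hits.length, suspicious: hits.length >= 4 };
}

// Constructed sample mimicking the scam flow (fictitious brand, fake data).
const PHISH_SAMPLE = `
<h1>Acme Airlines 50th Anniversary Survey</h1>
<p>Answer 3 questions to win 2 free tickets! Offer expires in 10 minutes.</p>
<form>
<fieldset><legend>1. Have you flown with Acme Airlines before?</legend></fieldset>
<fieldset><legend>2. How often do you fly?</legend></fieldset>
<fieldset><legend>3. Do you like Acme Airlines?</legend></fieldset>
</form>
<p>Congratulations! You have won 2 tickets. Share this link with 20 friends on WhatsApp to claim your prize.</p>
<div id="fb-comments"></div>
<script>
var comments = [
  {name: "Maria L.", text: "I got my tickets!!"},
  {name: "John K.", text: "Worked for me, thanks Acme!"}
];
document.getElementById("fb-comments").innerHTML =
  comments.map(function (c) { return "<b>" + c.name + "</b> " + c.text; }).join("<br>");
</script>`;

// Constructed benign survey: same quiz shape, real widget, no urgency or share gate.
const BENIGN_SAMPLE = `
<h1>Acme Airlines customer satisfaction survey</h1>
<form>
<fieldset><legend>How was your flight?</legend></fieldset>
<fieldset><legend>Would you recommend us?</legend></fieldset>
<fieldset><legend>Any comments?</legend></fieldset>
</form>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.com"></iframe>
<script>
  window.dataLayer = window.dataLayer || [];
</script>`;

console.log(scoreQuizPage(PHISH_SAMPLE));   // suspicious: true, 6 indicators
console.log(scoreQuizPage(BENIGN_SAMPLE));  // suspicious: false, only 'shortQuiz'
```

The point of the `inlineFakeComments` plus `noRealSocialWidget` pairing is exactly what the report describes: the "plugin" is not a third-party embed at all but an array of fabricated names rendered by the page's own script, so no request to a social network origin ever occurs. A short quiz on its own is not suspicious, which is why the benign survey scores only one indicator.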

Akamai researchers also noted that the quiz has evolved over time to include automatic translation capabilities and new profiles for the fake social network system.

"We predict there will be more phishing campaigns using the same infrastructure and toolkits to deliver a highly scaled, customized set of campaigns using commercialized techniques to increase their impact," Katz wrote. "Similar to the advertising industry, where ad campaigns are targeting a specific audience, phishing scams will try to target segments of the population with the most relevant scam distributed over social networks."

This article was originally published on SC Media US.
