Ah, online quizzes. Many of us know that they can be somewhat dodgy and nonsensical, really—but that doesn’t stop us from clicking the “Start quiz” button anyway. Besides, you have time to kill, and there are only three questions to answer, right?

The right kind of wrong

Phishing attacks don’t always start in your email inbox anymore. Whether you’re on a desktop, laptop, tablet, or smartphone, there are several other vectors through which users can encounter phishing attempts. And believe me, they don’t come with a flashing neon sign that would easily alert users that they are after your personal information.

Phishers have been one of the most resilient cybercriminals out there to date. And Or Katz, principal lead security researcher for Akamai Technologies, has proven this point once again.

In a recently published white paper entitled “A New Era in Phishing—Games, Social, and Prizes” [PDF], Katz has confirmed what many of us have already long suspected: those short quizzes shared on Facebook, Twitter, and other social media platforms are scams. And behind them are sophisticated and coordinated efforts that were designed for prolonged user exposure to fraud campaigns.

Katz and his team have studied 689 customized phishing campaigns that banked on 78 popular brand names across industries. These brands include United Airlines, Target, Disneyland, and Dunkin’ Donuts. All quiz-based phishing pages follow a templated format: They ask three questions and, once a user answers them—note that the answers don’t have to be correct—they promise quiz takers a prize associated with the brand they’re impersonating. For example, if the quiz is about Disneyland, quiz takers could potentially “win” free passes.

Quiz takers are then directed to a web page that asks for personal information—so they can claim the prize, of course—like their email address, physical address, and age.

The toolkit behind these “positive” phishing campaigns

Phishing kits are a staple in a serious phisher’s fraud arsenal. These nifty and reusable tools are popular in the underground market because they do most of the work with little effort from the scammers. They also make phishing campaign creation a lot faster.

According to the blog post accompanying the Akamai paper, the quiz-driven phish kits they studied use the following social engineering tactics to gain user trust:

  • A customized “brand” website, wherein they display logos and brands of trusted companies they use to lure in targets and get them comfortable to answer the quiz questions.
  • A call to action, wherein they create a sense of urgency, so that the target is likely to complete the quiz or give out information without thinking. One example of this is claiming that the high-value prize can only be won by a limited number of quiz takers, so they need to get a move on.
  • Multiple fake endorsements in social media, wherein fake social network profiles are used to strengthen the legitimacy of the supposed brand’s offer. By showing the target that several people have already won and claimed the prize, the target is made less doubtful. Targets are also required to share the link to the quiz on social media channels—a classic survey scam.

Screen captures of sample sites using the same phish kit for the Three Questions Quiz scam (Courtesy of Akamai Technologies)

Other phishing campaign findings

  • The brands abused by phishers in their campaign are companies that belong to airlines, retail, and food and beverage industries.
  • 82 percent of the actual domains used in these phishing campaigns used typosquatting.
  • Newer versions of the phishing kit include added features, such as automatic translation—which makes the scam accessible to non-English speakers—and new fake social network profiles—which makes the scam more reliable and dynamic.
  • Phishing campaigns that use social networks are more effective compared to traditional phishing.
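As an added example, not part of the Akamai study or of this article, the Python script below shows the kind of check a defender can run over proxy or DNS logs to surface domains that typosquat a brand or embed a brand name alongside bait words such as “quiz” or “prizes”. The brand list uses the brands named above but assumes their canonical domains; the sample hostnames are constructed for illustration and are not from the study.

```python
"""Flag hostnames that typosquat, or embed, a known brand's registrable label.

Added example. BRAND_DOMAINS assumes canonical domains for the brands the
article names; SAMPLE_HOSTNAMES are constructed test inputs, not real IoCs.
"""
from typing import List, Optional, Tuple

# Assumed canonical brand domains (constructed for this example).
BRAND_DOMAINS = ["united.com", "target.com", "disneyland.com", "dunkindonuts.com"]

# Constructed sample hostnames, e.g. pulled from a proxy or DNS log.
SAMPLE_HOSTNAMES = [
    "www.target.com",
    "dunkindonus.com",
    "disneyIand-quiz.com",
    "disneyland-freepasses.com",
    "unitedairlines-prizes.com",
    "example.org",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(hostname: str) -> str:
    """Return the lower-cased second-level label with a leading 'www.' removed.

    Naive on purpose: multi-part public suffixes such as co.uk are not handled.
    """
    parts = hostname.lower().strip(".").split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(hostname: str, brands: List[str] = BRAND_DOMAINS,
             max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Classify a hostname as legitimate, typosquat, brand-embedded or unrelated.

    The label and each hyphen-separated token of it are compared against every
    brand label so that 'disneyiand-quiz' is still caught as a near miss.
    """
    label = brand_label(hostname)
    candidates = [label] + [tok for tok in label.split("-") if tok]
    best: Optional[Tuple[int, str]] = None  # (distance, brand)
    for brand in brands:
        bl = brand_label(brand)
        if label == bl:
            return ("legitimate", brand)
        for cand in candidates:
            d = levenshtein(cand, bl)
            if best is None or d < best[0]:
                best = (d, brand)
    if best is not None:
        if best[0] == 0:  # a token is the brand itself, e.g. disneyland-freepasses
            return ("brand-embedded", best[1])
        if best[0] <= max_distance:  # one or two edits away from the brand
            return ("typosquat", best[1])
    for brand in brands:  # brand name glued to other words without a hyphen
        if brand_label(brand) in label:
            return ("brand-embedded", brand)
    return ("unrelated", None)


def scan(hostnames: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (hostname, verdict, brand) for every hostname that is not legitimate or unrelated."""
    flagged = []
    for host in hostnames:
        verdict, brand = classify(host)
        if verdict in ("typosquat", "brand-embedded"):
            flagged.append((host, verdict, brand))
    return flagged


if __name__ == "__main__":
    for host, verdict, brand in scan(SAMPLE_HOSTNAMES):
        print(f"{host:30} {verdict:15} impersonates {brand}")
```

The edit-distance threshold of 2 is a tuning knob: raise it and short brand labels start colliding with ordinary words, so in practice the check is paired with an allow-list of the brand’s real domains and reviewed by a human before anything is blocked.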

A new phishing campaign to watch out for

Akamai has predicted that phishing campaigns of this nature—those that play on a positive emotion instead of a negative one, as traditional phishing does—will only increase in the future. Instead of using scare tactics, phishers have now learned to exploit game mechanics and further tap into people’s curiosity and desire for freebies. In the process, phishers have made Internet users receptive to them, without users realizing it.

Users are advised to be more vigilant and critical when it comes to offers of freebies online, regardless of the form they are presented in, until they have verified that the offers are legitimate. While it may be fun to waste time on quizzes a contact happens to have shared on Facebook, it would be wise to give them a pass, and perhaps warn the poor fellow via PM that he might have been duped into giving up his personal information to scammers.