Free Gift Fallacy: How Attackers Harvest Credit Cards via Fake Surveys

KnowBe4 Threat Lab | May 27, 2026

KnowBe4 Threat Labs. Lead Analysts: Jeewan Singh Jalal, Dilsha Dines, Karthikeyan Dharmaraj

The classic 'survey reward' scam is back and hitting harder than ever. KnowBe4 Threat Labs is tracking a massive, high-volume campaign that is not only impersonating a wide array of trusted global brands across retail, logistics, and healthcare, but is using hundreds of newly registered domains (NRDs) and sophisticated psychological priming to fly past traditional security defenses. The result: attackers are harvesting high-value Personally Identifiable Information (PII) and financial data from unsuspecting users on an unprecedented scale.

Campaign Summary

  • Vector and type: Email Phishing
  • Techniques: Brand Impersonation, Social Engineering, Credit Card Harvesting
  • Bypassed SEG detection: Yes (via rapid domain rotation)
  • Targets: Organizations and consumers globally

Multi-Sector Brand Impersonation

The campaign utilizes a "spray and pray" approach, rotating through pixel-perfect templates of various household names. This diversification ensures that regardless of a victim’s shopping habits or service providers, they are likely to see a brand they trust.

Top Impersonated Brands Observed:

  • Retail: Costco, Kroger, Harbor Freight, Tractor Supply Co., Sam’s Club, Dick’s Sporting Goods
  • Travel/Auto: Marriott, AAA (American Automobile Association)
  • Logistics: FedEx
  • Financial & Health: EquityFirst Financial, BlueCross BlueShield

Phishing lure: Sample email templates demonstrating the campaign's use of multi-sector brand impersonation to gain user trust.

The initial attack vector is an email or SMS lure promising a high-value incentive, such as premium electronics (e.g., iPhone, Apple Watch, AirPods, and Beats by Dre headphones), contingent upon the victim completing a short customer satisfaction survey. The lure applies psychological priming and scarcity, often through live countdown timers or claims of limited stock, to push the victim into acting immediately.

The Attack Flow: Psychological Funnel

This campaign represents a sophisticated evolution beyond simple credential harvesting. Rather than immediately demanding a password, attackers use a multi-stage funnel designed to incrementally build trust through micro-commitments, exploiting the victim's sense of justification and reward.

Examples of landing pages created to trap users with free-gift scams.

The attack initiates with The Survey (Pretexting). The victim is presented with 10–15 brief, legitimate-looking questions regarding their experience with the targeted brand. This step is a form of labor that creates a psychological investment, convincing the victim that they have earned the high-value prize through their effort.

The funnel reinforces this belief with Social Proof. The reward landing page features simulated social media comment sections, displaying purported winners who claim to have already received their prizes. This manufactured credibility leverages human bias to overcome lingering suspicion.

The final stage is The Final Payment Lure. The victim is requested to pay a small delivery fee, typically $5.00–$10.00. This seemingly negligible cost legitimizes the high-value item, coercing the user into willingly entering their credit card and Personally Identifiable Information (PII) on the payment page.

The moment the user submits their payment details, the data is instantly exfiltrated to the attacker's command and control (C2) infrastructure.

Example of the data exfiltration process, highlighting the immediate transfer of captured credit card details and PII to the attacker's C2 infrastructure.

Technical Artifacts and Infrastructure

The campaign's success relies on a "churn and burn" domain strategy. Our analysis shows that attackers are registering hundreds of new domains daily to stay ahead of blocklists.

| Technical Indicator | Observed Behavior | Confidence |
|---|---|---|
| Rapid Domain Churn | Use of hundreds of NRDs (Newly Registered Domains) with a lifespan of <48 hours | HIGH |
| TLD Concentration | High usage of low-cost TLDs | HIGH |
| High-Fidelity CSS | Use of "pixel-perfect" clones of official brand landing pages to evade visual scrutiny | HIGH |
| Social Engineering | Use of scarcity (countdown timers) and social proof (fake comments) | HIGH |

MITRE ATT&CK Mapping

  • T1583.001 (Acquire Infrastructure: Domains): Automated registration of infrastructure to host harvesting kits.
  • T1566.002 (Phishing: Spearphishing Link): High-volume email distribution using trusted brand lures.
  • T1598 (Phishing for Information): Multi-stage surveys used to collect PII and financial credentials.

How to Stay Safe

This campaign highlights the evolving nature of social engineering, where attackers move beyond simple link-clicking to complex, multi-stage interactions. Securing the digital workforce requires moving from a reactive, 'training-first' approach to a Risk-First strategy. To defend against these threats, KnowBe4 recommends:

  • Perimeter Defense: Implement advanced security controls to address infrastructure-level threats like newly registered domain (NRD) churn and high-fidelity brand impersonation.
  • DNS Filtering: Implement policies that automatically flag or block Newly Registered Domains (NRDs) that are less than 30 days old.
  • Critical Thinking: Remind users that legitimate corporations will never ask for credit card information via a third-party survey link to pay for a free reward.
  • Risk-First Security Awareness: Leverage AI-driven, individualized training that prepares users for the complete spectrum of social engineering: phishing, vishing, and deepfakes. By using a dynamic Risk Score to deliver just-in-time coaching, organizations can ensure employees recognize the hallmarks of high-pressure social engineering tactics before they engage with the lure.
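The two infrastructure indicators in the table above (domain lifespans under 48 hours, concentration in a few TLDs) and the DNS-filtering recommendation (block NRDs under 30 days old) can be turned into a small triage script. The following is an added example, not KnowBe4's code or any product's logic; it runs over a constructed feed of domain records (domain, registration date, first seen, last seen) and applies the page's two thresholds. The domain names, dates and the feed format are all assumptions made for the example; a real deployment would populate the records from WHOIS/RDAP and passive-DNS data.

```python
"""Added example (not from the original post): flag newly registered domains,
spot short-lived "churn and burn" domains, and measure TLD concentration."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

# Constructed sample records, not real IOCs from the campaign.
# Each record: (domain, registration_date, first_seen, last_seen), ISO-8601 UTC.
SAMPLE_FEED = [
    ("survey-reward-example.xyz", "2026-05-25T02:10:00Z", "2026-05-25T06:00:00Z", "2026-05-26T09:30:00Z"),
    ("brand-prize-example.top",   "2026-05-26T11:00:00Z", "2026-05-26T12:15:00Z", "2026-05-27T01:00:00Z"),
    ("example-retailer.com",      "2015-03-01T00:00:00Z", "2026-05-01T00:00:00Z", "2026-05-27T00:00:00Z"),
    ("loyalty-gift-example.xyz",  "2026-05-20T08:00:00Z", "2026-05-21T09:00:00Z", "2026-05-21T20:00:00Z"),
    ("partner-news-example.org",  "2026-04-10T00:00:00Z", "2026-05-24T00:00:00Z", "2026-05-27T00:00:00Z"),
]

NRD_MAX_AGE = timedelta(days=30)      # DNS policy from the post: block NRDs younger than 30 days
CHURN_LIFESPAN = timedelta(hours=48)  # observed lifespan threshold from the indicator table


def parse_ts(s):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def tld_of(domain):
    """Return the last label of the domain, lower-cased (assumed single-label TLDs)."""
    return domain.rsplit(".", 1)[-1].lower()


def is_nrd(registered, now, max_age=NRD_MAX_AGE):
    """True if the domain was registered less than max_age before `now`."""
    return now - registered < max_age


def nrd_block_decisions(feed, now):
    """Map each domain to True if the NRD policy would block it, else False."""
    return {d: is_nrd(parse_ts(reg), now) for d, reg, _, _ in feed}


def short_lived_domains(feed, max_life=CHURN_LIFESPAN):
    """Domains whose observed activity window is shorter than max_life (churn indicator)."""
    return sorted(d for d, _, first, last in feed
                  if parse_ts(last) - parse_ts(first) < max_life)


def tld_concentration(feed):
    """Share of each TLD among observed domains, e.g. {'xyz': 0.4, ...}."""
    counts = Counter(tld_of(d) for d, *_ in feed)
    total = sum(counts.values())
    return {tld: n / total for tld, n in counts.items()}


def churn_report(feed, now):
    """Combine the three checks into one report dict for a SOC dashboard or ticket."""
    return {
        "block": sorted(d for d, blocked in nrd_block_decisions(feed, now).items() if blocked),
        "short_lived": short_lived_domains(feed),
        "tld_share": tld_concentration(feed),
    }


if __name__ == "__main__":
    # Constructed "current time" so the sample output is stable.
    now = parse_ts("2026-05-27T12:00:00Z")
    print(json.dumps(churn_report(SAMPLE_FEED, now), indent=2))
```

On the sample feed, the three domains registered within the last 30 days are blocked by the NRD rule, the same three show activity windows under 48 hours, and the .xyz TLD accounts for 40% of the observed domains. The two thresholds are kept as module constants so a team can tune them (for example, a shorter NRD window for a less disruptive policy) without touching the logic.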

Indicators of Compromise (IOCs)

The threat landscape evolves rapidly. For the most current list of domains, hashes, and behavioral signatures related to this campaign, please refer to the latest intelligence update from KnowBe4 Threat Labs.

View the full IOC list on X: https://x.com/Kb4Threatlabs

For real-time updates and ongoing threat intelligence, follow the KnowBe4 Threat Lab analysts on X: @Kb4Threatlabs
