Is it a Quiz Scam? Is it Bad? Is it Back With a Vengeance?

The answer to all three questions would seem to be, "yes." Quiz scams have become widespread over the past year, but they’ve gone largely unremarked, researchers at Akamai have found. These scams involve sites that impersonate legitimate brands and offer users a fake prize in exchange for answering several questions and handing over some personal information. The scammers are abusing search engine optimization (SEO) to push their phishing sites to the top of search results.

“Akamai tracked 1,161 question quiz scam websites, which lured in more than 5 million victims across the globe,” the researchers write. “However, we had limited geographic data, which leads us to believe the numbers may be much higher, making this a potentially massive campaign in terms of scale and scope.”

Akamai found that more than 80% of these websites weren’t detected as malicious by public threat intelligence sources. The researchers believe this is because in most cases the scams are after more general personal and contact information, such as email addresses, names, and home addresses, rather than directly trying to steal victims’ credentials or deliver malware.

“The primary explanation that comes to mind as to why the detection rates are so low is that in many cases the scam is focused on information that isn't clearly valuable, or in some cases not viewed with a high degree of importance,” Akamai says. “As such, the problems are not mitigated. Enterprises are occupied by an onslaught of malware campaigns, data breaches, and web application attacks - constant high-priority fires that need to be put out - so it is easy to understand why scams that are focused on mostly non-sensitive information are forgotten about.”

The researchers stress that while this information seems harmless, it can be sold for use in more targeted social engineering attacks.

“Phishing has evolved from being focused solely on credential abuse and drive-by downloads to a more lucrative kind of attack where the stolen good can be personal information that's used in analytic and data markets or repurposed to more targeted malicious activities,” the researchers say. “Moreover, the internet also offers the ability to generate revenue via advertisements and the associated traffic to the scam websites. Once the threat actor's malicious activity becomes widely distributed, they're rewarded indirectly by the forces that drive the internet itself.”

Besides, whose business is it anyway to know all those things? And would it really be worth the toaster oven or the set of steak knives to answer those questions in the first place?

New-school security awareness training can give your employees a healthy sense of skepticism to help them avoid falling for these scams. Akamai has the story.
