Is it a Quiz Scam? Is it Bad? Is it Back With a Vengeance?

The answer to all three questions would seem to be, "yes." Quiz scams have become widespread over the past year, but they’ve gone largely unremarked, researchers at Akamai have found. These involve scam sites that impersonate legitimate brands and offer users a fake prize in exchange for answering several questions and handing over some personal information. The scammers are abusing search engine optimization (SEO) to push their phishing sites to the top of search results.

“Akamai tracked 1,161 question quiz scam websites, which lured in more than 5 million victims across the globe,” the researchers write. “However, we had limited geographic data, which leads us to believe the numbers may be much higher, making this a potentially massive campaign in terms of scale and scope.”

Akamai found that more than 80% of these websites weren’t detected as malicious by public threat intelligence sources. The researchers believe this is because in most cases the scams are after more general personal and contact information, such as email addresses, names, and home addresses, rather than directly trying to steal victims’ credentials or deliver malware.

“The primary explanation that comes to mind as to why the detection rates are so low is that in many cases the scam is focused on information that isn't clearly valuable, or in some cases not viewed with a high degree of importance,” Akamai says. “As such, the problems are not mitigated. Enterprises are occupied by an onslaught of malware campaigns, data breaches, and web application attacks - constant high-priority fires that need to be put out - so it is easy to understand why scams that are focused on mostly non-sensitive information are forgotten about.”

The researchers stress that while this information seems harmless, it can be sold for use in more targeted social engineering attacks.

“Phishing has evolved from being focused solely on credential abuse and drive-by downloads to a more lucrative kind of attack where the stolen good can be personal information that's used in analytic and data markets or repurposed to more targeted malicious activities,” the researchers say. “Moreover, the internet also offers the ability to generate revenue via advertisements and the associated traffic to the scam websites. Once the threat actor's malicious activity becomes widely distributed, they're rewarded indirectly by the forces that drive the internet itself.”

Besides, whose business is it anyway to know all those things? And would it really be worth the toaster oven or the set of steak knives to answer those questions in the first place?

New-school security awareness training can give your employees a healthy sense of skepticism to help them avoid falling for these scams. Akamai has the story.