There’s no question about it: the “Three Questions Quiz” is a scam, regardless of which legitimate brand it’s attempting to imitate.
Indeed, a new blog post from Akamai Technologies identifies 78 unique brands impersonated over the past year by this well-established online phishing scheme, in which victims are tricked into giving away personal information to the owner of a malicious website, after supposedly winning a prize for answering three questions.
“The ability to abuse 78 different brands shows the scale and level of sophistication that these campaigns have,” wrote report author Or Katz, principal lead security researcher at Akamai. “The wide usage of the same toolkit, abusing 78 different brands by the same threat actors in many cases, implies coordination at scale, which isn’t something you see in a one-off campaign. Those responsible for these attacks are trying to impact as many victims as possible with minimal effort.”
Akamai studied the evolution of this scam by observing 689 “Three Questions” phishing campaigns targeting four industries: airline travel (32.34 percent of malicious domains, targeting 23 companies), retail (32.69 percent of domains, targeting 21 companies), food (27.94 percent of domains, targeting 21 companies) and entertainment (7.03 percent of domains, targeting 13 companies). Examples included Kroger, Dunkin’ Donuts, United Airlines, JetBlue, Target, Outback Steakhouse and Disneyland.
After participating in the quiz, the victims are told they will win a prize associated with the brand in question (e.g. airline tickets), provided that they supply some information about themselves. Victims are also required to share a link to the scammer’s domain on various social networking platforms, thus helping the scam spread across the internet.
“The social aspect of the quiz-phishing is a clever trick by the scammers, as such functions can be used to avoid some security controls, and it limits mitigation capabilities, since social network applications are mostly used on mobile devices.”
Akamai researchers also noted that the quiz has evolved over time to include automatic translation capabilities and new profiles for the fake social network system.
“We predict there will be more phishing campaigns using the same infrastructure and toolkits to deliver a highly scaled, customized set of campaigns using commercialized techniques to increase their impact,” Katz wrote. “Similar to the advertising industry, where ad campaigns target a specific audience, phishing scams will try to target segments of the population with the most relevant scam distributed over social networks.”