
Dozens of companies impersonated in evolving ‘Three Questions Quiz’ scam

There's no question about it: the "Three Questions Quiz" is a scam, regardless of which legitimate brand it's attempting to imitate.

Indeed, a new blog post from Akamai Technologies identifies 78 unique brands impersonated over the past year by this well-established online phishing scheme, in which victims are tricked into handing personal information to the operator of a malicious website after supposedly winning a prize for answering three questions.

"The ability to abuse 78 different brands shows the scale and level of sophistication that these campaigns have," wrote report author Or Katz, principal lead security researcher at Akamai. "The wide usage of the same toolkit, abusing 78 different brands by the same threat actors in many cases, implies coordination at scale, which isn't something you see on a one-off campaign. Those responsible for these attacks are trying to impact as many victims as possible with minimal effort."

Akamai studied the evolution of this scam by observing 689 "Three Questions" phishing campaigns targeting four industries: airline travel (32.34 percent of malicious domains, targeting 23 companies), retail (32.69 percent of domains, targeting 21 companies), food (27.94 percent of domains, targeting 21 companies) and entertainment (7.03 percent of domains, targeting 13 companies). Examples included Kroger, Dunkin' Donuts, United Airlines, JetBlue, Target, Outback Steakhouse and Disneyland.

Although the fake quizzes are customized according to brand, they all share certain commonalities, starting with three questions pertaining to the brand itself. They also tend to use language that pressures the user to act quickly, for instance by suggesting that the offer will expire soon. And they employ phony social media profiles that appear to lend credence to the scam. "These fake users appear on the phishing website as an integrated plugin for social networks, but what the user is actually seeing is embedded JavaScript code on the phishing site," wrote Katz. "These fake users are presented as a reference and supporting evidence of 'others' who have also won prizes after taking the quiz."

After completing the quiz, victims are told they have won a prize associated with the brand in question (e.g. airline tickets), provided that they supply some information about themselves. Victims are also required to share a link to the scammer's domain on various social networking platforms, which helps the scam spread across the internet.

"The social aspect to the quiz-phishing is a clever trick by the scammers, as such functions can be used to avoid some security controls, and it limits mitigation capabilities, since social network applications are mostly used on mobile devices."
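The commonalities described above (three brand-themed questions, urgency wording, a share-the-link condition on the prize, and "other winners" rendered from page-local JavaScript rather than a real social-network plugin) lend themselves to a simple page-scoring heuristic. The Python below is an added example written for this article, not Akamai's or SC Media's tooling; the host list, the phrase lists and the two sample pages are constructed for illustration and should be tuned against your own telemetry.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins a genuine embedded social plugin loads from (assumed list; extend it).
GENUINE_SOCIAL_HOSTS = {"facebook.com", "www.facebook.com", "platform.twitter.com"}
# Wording that pushes the visitor to act quickly (assumed list).
URGENCY_PHRASES = ("expires", "hurry", "limited time", "only today", "left to claim")
# "share ... to claim/win your prize": sharing the link as a condition of the reward.
SHARE_GATE = re.compile(r"\bshare\b.{0,80}\b(?:claim|prize|win|unlock)", re.I | re.S)
# Object keys a fixture of fake "winners" typically carries in page-local JS.
PROFILE_KEY = re.compile(r"\b(?:name|avatar)\s*:")


class QuizPageParser(HTMLParser):
    """One pass over the markup, collecting only what the heuristics need."""

    def __init__(self):
        super().__init__()
        self.radio_groups = set()       # one radio-button group per quiz question
        self.iframe_hosts = []          # where embedded widgets are really loaded from
        self.inline_comment_blocks = 0  # "comments" that are ordinary page markup
        self.inline_script = []         # JavaScript shipped inside the page itself
        self.visible_text = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "radio":
            self.radio_groups.add(a.get("name", ""))
        elif tag == "iframe":
            self.iframe_hosts.append((urlparse(a.get("src", "")).hostname or "").lower())
        elif tag == "script":
            self._in_inline_script = not a.get("src")  # external scripts are not captured
        cls = a.get("class", "").lower()
        if tag != "iframe" and ("comment" in cls or "testimonial" in cls):
            self.inline_comment_blocks += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        (self.inline_script if self._in_inline_script else self.visible_text).append(data)


def analyze(html):
    """Return the four indicators, a 0-4 score and a verdict (score >= 3)."""
    p = QuizPageParser()
    p.feed(html)
    p.close()
    text = " ".join(p.visible_text).lower()
    script = "\n".join(p.inline_script)
    genuine_widget = any(h in GENUINE_SOCIAL_HOSTS for h in p.iframe_hosts)
    indicators = {
        "three_question_quiz": len(p.radio_groups) == 3,
        "urgency_language": any(phrase in text for phrase in URGENCY_PHRASES),
        "share_to_claim": bool(SHARE_GATE.search(text)),
        # "other winners" drawn from page-local markup or JS, with no real
        # social-network plugin (an iframe from that network) anywhere on the page
        "fake_social_proof": not genuine_widget
        and (p.inline_comment_blocks > 0 or len(PROFILE_KEY.findall(script)) >= 2),
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score, "verdict": score >= 3}


# Constructed sample: a quiz-scam page imitating a fictional airline.
SCAM_HTML = """<html><body><h1>You have been selected for the Example Air survey</h1>
<p>Answer 3 questions and win two free tickets. Hurry, this offer expires in 9 minutes!</p>
<form><p>1. How often do you fly with Example Air?</p>
<input type="radio" name="q1" value="a">Monthly <input type="radio" name="q1" value="b">Yearly
<p>2. Which class do you prefer?</p>
<input type="radio" name="q2" value="a">Economy <input type="radio" name="q2" value="b">Business
<p>3. Would you recommend us?</p>
<input type="radio" name="q3" value="a">Yes <input type="radio" name="q3" value="b">No</form>
<p>Share with 5 friends on WhatsApp to claim your prize.</p>
<div class="fb-comments"></div>
<script>var winners = [{name: "Dana P.", avatar: "img/1.png", text: "I got my tickets!"},
{name: "Luis M.", avatar: "img/2.png", text: "Real! Just won."}];</script></body></html>"""

# Constructed sample: a legitimate three-question feedback form with a real plugin.
BENIGN_HTML = """<html><body><h1>Example Air customer feedback</h1>
<form><p>How was your check-in experience?</p>
<input type="radio" name="checkin" value="good">Good <input type="radio" name="checkin" value="poor">Poor
<p>Was the cabin clean?</p>
<input type="radio" name="cabin" value="yes">Yes <input type="radio" name="cabin" value="no">No
<p>Would you fly with us again?</p>
<input type="radio" name="again" value="yes">Yes <input type="radio" name="again" value="no">No</form>
<p>Thank you. Feel free to share your thoughts with our team.</p>
<iframe src="https://www.facebook.com/plugins/comments.php?href=https%3A%2F%2Fexample-air.test%2Ffeedback"></iframe>
<script src="https://static.example-air.test/survey.js"></script></body></html>"""

if __name__ == "__main__":
    for label, page in (("scam", SCAM_HTML), ("benign", BENIGN_HTML)):
        print(label, analyze(page))
```

The decisive signal is the last one: a real social plugin is an iframe served from the social network's own origin, whereas the scam's "winners" are plain markup or a JavaScript fixture in the phishing page itself. A three-question survey, urgency copy or a share button on its own is common on legitimate brand sites, which is why the verdict needs three of the four indicators.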

Akamai researchers also noted that the quiz has evolved over time to include automatic translation capabilities and new profiles for the fake social network system.

"We predict there will be more phishing campaigns using the same infrastructure and toolkits to deliver a highly scaled, customized set of campaigns using commercialized techniques to increase their impact," Katz wrote. "Similar to the advertising industry, where ad campaigns target a specific audience, phishing scams will try to target segments of the population with the most relevant scam distributed over social networks."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
