Rampant phishing in online quizzes using new toolkit — study

Warnings about the threat of online quizzes may not have reached as many people as security firms would hope, judging by the number of Facebook users sharing their results on social media.

A paper by content delivery network and cloud service provider Akamai Technologies, titled “A New Era in Phishing—Games, Social, and Prizes,” outlines new customized phishing campaigns that abused 78 commercial brands and lured unsuspecting users into providing information voluntarily.

In a blog post, the company said the Akamai Enterprise Threat Research team monitored a toolkit called “Three Questions Quiz” that has been in use in many phishing campaigns. It is named as such because a short quiz asks a user to answer three brand-related questions before proceeding to solicit personal information so the victims could claim “a prize.”

While it is an open secret in the security industry that online quizzes collect user information, the study chose to highlight what it calls the “most surprising insight”: brands are “being abused as part of these phishing scams.” Airline companies are the brands most often used and exploited in these online quiz phishing campaigns.

Exploiting global brands

The research covered 689 customized phishing campaigns and identified 78 global brands across the airline, entertainment, food, and retail industries that were used to entice victims to participate and win a prize.

After the quiz, the victim is directed to a website, and that is where the phishing commences. To find out whether they won, victims need to provide details such as age, email and home addresses. The research also found that “each phishing campaign can be customized to the criminal’s goals.”

Akamai listed the social engineering elements the toolkit uses in online quizzes, which include a customized “brand” website, a call to action, fake social network endorsements, and claims of winning a prize.

The research also showed that by using the same toolkit, “these quiz-based phishing campaigns share identical functionality and features.” The victims in this scheme are not only the end users but also global brands that are being used to lure victims into the quizzes.

Akamai said that 82 percent of the attacks include the name of the brand being abused or a variation of it, a technique called “typosquatting.”
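A defender-side check for the naming pattern described above, as an added example that is not from Akamai's research: it flags hostnames that embed a protected brand name or a one-edit variation of it. The brand names, domains and one-edit threshold are constructed, and it assumes the brand string appears in the hostname.

```python
import re

# Constructed sample data (assumption): brand keyword -> domains the brand owns.
BRANDS = {
    "skyjetair": {"skyjetair.example"},
    "freshmart": {"freshmart.example"},
}
MAX_DISTANCE = 1  # assumed threshold: one typo away from the brand keyword


def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row of the table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_owned(host, owned):
    """True if host is one of the brand's own domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in owned)


def classify(host):
    """Return (brand, reason) when a hostname imitates a brand, else None."""
    host = host.lower().rstrip(".")
    tokens = [t for t in re.split(r"[.\-_]", host) if t]
    for brand, owned in BRANDS.items():
        if is_owned(host, owned):
            continue  # legitimate for this brand; still check the others
        if any(brand in t for t in tokens):
            return brand, "brand-in-name"
        if any(edit_distance(t, brand) <= MAX_DISTANCE for t in tokens):
            return brand, "variation"
    return None


if __name__ == "__main__":
    # Constructed hostnames, not indicators from the Akamai paper.
    for h in ["www.skyjetair.example", "skyjetair-quiz.prizes.example",
              "skyjetalr-win.example", "news.weather.example"]:
        print(h, "->", classify(h))
```

A check like this can run over newly observed hostnames in proxy or DNS logs, with hits sent for review rather than blocked outright, since short brand keywords produce false positives.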


As seen in most online quizzes, the victims are instructed to “Share” the website so they can either see the results or claim the prize. This strategy, which exploits the human weakness of oversharing, further “amplifies” the attack, according to Akamai’s analysis.

“The social aspect to the quiz-phishing is a clever trick by the scammers, as such functions can be used to avoid some security controls, and it limits mitigation capabilities since social networks applications are mostly used on mobile devices,” the research showed.

Akamai stated what has been obvious, at least to the informed, that these phishing campaigns only want to harvest email addresses and other personal details. “In the majority of cases, this data is destined to be used in subsequent spam campaigns or sold to other malicious actors. In no version of the campaigns do the victims targets actually win a prize or otherwise benefit from these scams.”

The company also warned about quizzes that may pose “less risk,” which means there is still a risk involved that should not be dismissed.

Evolution of phishing

Akamai researchers conclude that “this might be at the beginning of new evolution in phishing landscape… Those responsible for these attacks are trying to impact as many as victims as possible with minimal effort. The usage of local brands, combined with customized linguistic options also represents step up in the threat actor’s game.”

The researchers find it a disturbing trend that criminals are using various distribution channels such as social networks to expand their reach. “Social applications are usually used on mobile devices, which are often the weakest link in an enterprise’s security posture. The usage of social networks shows how threat actors are adopting new distribution techniques that are more relevant to modern culture,” the research said.

In conclusion, Akamai researchers expect more phishing campaigns will use the same infrastructure and toolkits “to deliver a highly scaled, customized set of campaigns using commercialized techniques to increase their impact.”

Image by Jose Cabello/Pixabay
