Netcraft has seen a large increase in survey scams that use banks as lures. These are typically run under the guise of a prize offered to mark the bank's anniversary, although in some cases a prize is simply promised for taking part.
These scams first came to Netcraft's attention about 16 months ago, when they targeted businesses that were particularly in demand during lockdown, such as supermarkets, mobile phone networks and shipping companies. The expansion of these attacks to use banks as lures began in October 2021. So far we have seen over 75 different banks used as lures for these survey scams, deployed globally against banks in the US, UK, Asia and the Middle East.
Survey scams mislead victims into believing they are being surveyed by a well-known company or brand and will receive a high-value prize or reward for answering a few simple questions. These sites are usually presented as market research for the company or as a quiz contest, for example "to win, all you have to do is answer these questions".
After answering the questions, the victim is told that they have won and is then directed to another scam, or to a third-party affiliate link, under the guise of claiming the prize. For example, they may be asked to pay a small shipping and handling fee to claim their prize, but instead unknowingly sign up for an unwanted subscription service with recurring payments. Alternatively, the victim may be tricked into providing personal information or installing malware.
Bank-themed survey scams
Each survey scam is themed to resemble a mobile site run by the targeted bank. This is done using the bank's logo, colours and a navigation title similar to the one used by the real bank's mobile site. To add to the perceived legitimacy, each page also includes an image chosen to look related to the bank's anniversary celebrations or cash giveaway; for example, scams targeting the Islamic Bank of Qatar use an image of officials at the opening of a new branch of the bank.
Apart from these bank-specific differences in the design of each page, the template used for these survey scams is otherwise the same. The page informs the victim that, to celebrate the bank's anniversary, they have a chance to win a cash prize simply by answering a questionnaire. The amount of cash varies with the victim's location, for example £1,000 in the UK, €2,000 in the Netherlands or €4,000 in Singapore.
Below the questionnaire, each page displays fake testimonials purportedly from previous winners. The names and text used for these fake testimonials are the same across pages, though the profile pictures may vary.
The questionnaire is a short 4-question survey with basic multiple-choice questions such as "Do you know [name of the bank]?" and "Are you male or female?". Examining the source code shows that the answers to the questions are not recorded anywhere.
After the 4 questions are answered, a short animation plays in which the page claims to verify the victim's answers and check whether prizes are still available. As with the survey questions, no actual check takes place: each line of hard-coded text simply appears after a fixed delay.
After the "verification", the victim is directed to play a fake game to see whether they win the prize. After selecting the "correct" box (which always happens on the second attempt), the victim is told that they have won the cash prize and must perform a number of additional steps to claim it.
First, they must share the page with their friends to continue. Clicking the "Share" button attempts to share the link via Facebook or WhatsApp Messenger, depending on the victim's operating system and browser. Regardless of whether the share succeeded, the blue progress bar fills a little further after each click on the "Share" button.
Once the blue progress bar is full, the victim is told to "register the app below" and leave it open for at least 30 seconds to complete the registration.
The "Complete Registration" button sends the victim through an affiliate link to one of several external pages on other domains, where they are asked to complete a further action such as downloading an app or entering their details. This is how these scams are monetised: the purpose of the scam is to trick the victim into completing the desired action on the external site, presented as the final step required to claim the prize. The scammer running the site is paid for each user who performs that action.
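The page template described above has several fixed, detectable traits: anniversary-themed prize text, a share button pointing at WhatsApp or Facebook, a "leave it open for 30 seconds" instruction, a "Complete Registration" button, scripted "verifying" text driven by timers, and outbound links to affiliate domains. The following Python script is an added example of a simple content-based triage check that looks for those traits in a fetched page; it is not Netcraft's code, the sample HTML is constructed for illustration, and the indicator regexes and the threshold of three matches are assumptions chosen for this example rather than anything stated in the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators drawn from the scam template described in the article.
# Each entry is (name, regex matched against the raw page markup).
INDICATORS = [
    ("anniversary_prize", re.compile(r"anniversary.{0,80}?(prize|win|gift|cash)", re.I | re.S)),
    ("share_to_messenger", re.compile(r"(wa\.me/|api\.whatsapp\.com|whatsapp://|facebook\.com/sharer|fb-messenger://)", re.I)),
    ("complete_registration", re.compile(r"complete\s+registration", re.I)),
    ("keep_open_timer", re.compile(r"at\s+least\s+\d+\s*seconds?", re.I)),
    ("scripted_verification", re.compile(r"setTimeout\s*\(.{0,120}?verif", re.I | re.S)),
    ("winner_testimonials", re.compile(r"\b(won|received)\b.{0,60}?(prize|cash|reward)", re.I | re.S)),
]


class _LinkCollector(HTMLParser):
    """Collects href/action targets so outbound destinations can be inspected."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action") and value:
                self.links.append(value)


def outbound_links(html, page_host):
    """Return absolute links whose host differs from the page's own host."""
    collector = _LinkCollector()
    collector.feed(html)
    page_host = page_host.lower()
    result = []
    for link in collector.links:
        host = urlparse(link).netloc.lower()
        if host and host != page_host:
            result.append(link)
    return result


def score_page(html, page_host, threshold=3):
    """Match each indicator against the markup and return a triage verdict.

    Matching runs over the raw HTML (not just visible text) so that share
    targets in attributes and timer calls in <script> blocks are counted.
    """
    matched = [name for name, rx in INDICATORS if rx.search(html)]
    links = outbound_links(html, page_host)
    verdict = "likely_survey_scam" if len(matched) >= threshold else "inconclusive"
    return {"matched": matched, "score": len(matched),
            "outbound_links": links, "verdict": verdict}


# Constructed sample page mimicking the template; hosts and the affiliate
# parameter value are placeholders, not real campaign infrastructure.
SAMPLE_HTML = """<html><head><title>Example Bank</title></head><body>
<h1>Example Bank 50th Anniversary</h1>
<p>Congratulations! Answer 4 questions for a chance to win a cash prize of 1,000.</p>
<div class="testimonial">Jane D. - I won the prize and received the cash within days!</div>
<a href="https://api.whatsapp.com/send?text=https://examplebank-anniversary.example/">Share</a>
<p>Register the app below and leave it open for at least 30 seconds.</p>
<a href="https://affiliate.example/offer?lkid=CONSTRUCTED">Complete Registration</a>
<script>setTimeout(function(){ show("Verifying your answers..."); }, 1500);</script>
</body></html>"""

if __name__ == "__main__":
    report = score_page(SAMPLE_HTML, "examplebank-anniversary.example")
    print(report["verdict"], report["score"], report["matched"])
    for link in report["outbound_links"]:
        print("outbound:", link)
```

On the constructed sample all six indicators fire and the two outbound links (the WhatsApp share target and the affiliate "Complete Registration" destination) are listed, which is the part an analyst would follow up to identify the monetisation endpoint. A real deployment would run this over fetched pages from a URL feed and treat the score as a triage signal, not a final classification.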
Scam Website Destinations
Despite the initial lure of a cash prize in these bank-themed survey scams, the destination affiliate links are often unrelated to it. They are selected at random, or based on the victim's geographic location and the payout available to the criminal from each destination at the time of the visit. The victim may be sent to any of the following:
- An affiliate link that instructs the user to download an app or install some software. These pages may further mislead the victim by claiming their phone needs updating or has a virus, to increase the chance that the victim goes ahead with the download or install. In some cases, the application the user is directed to download has been flagged by third parties as containing adware, meaning the application injects unwanted ads onto the user's device.
- A legitimate link to an e-commerce site or app store, via an affiliate-tagged URL. For example: hxxps://it.gearbest.com/promotion-bestseller-special-1308.html?lkid=[affiliate code]
- A page that ostensibly offers the user a high-value reward such as a low-priced iPhone. In reality, the victim pays and/or submits their details to enter a monthly competition for the prize. These usually also sign the victim up to an unwanted subscription service with recurring payments, a fact hidden in the small print or on a separate Terms and Conditions page.
- A page asking the victim to enter their phone number to continue. These sign the victim up to unwanted SMS subscription services that charge them every month.
- A page asking the victim for contact details, usually in exchange for a chance to win a prize or voucher. By submitting their details, victims agree that their contact information may be passed on or sold to marketing companies, who can then mail, text and/or call the victim with offers.
- Other scam sites, such as cryptocurrency investment scams, parcel delivery scams, fake order scams or further survey scams. These may ask the victim for credit card details, or refer them to other contact points to continue the scam.
Volume of attacks and mitigation
Netcraft is actively monitoring and researching the scope of this ongoing campaign. During November 2021, Netcraft identified over 1.3 million survey scam URLs across nearly 39,000 separate domains as part of this campaign. More than 200 different organisations were used as lures, most of them banks and retailers.
These scams are hosted on purpose-registered domains under TLDs commonly used for cybercrime, such as .cyou and .cn. Most of these domains are registered using the same small set of email addresses, indicating that only a small number of threat actors are responsible for an attack of this scale.
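The observation that most of the campaign's domains share a small set of registrant email addresses is the kind of pivot a defender uses to group domains into actor clusters and to prioritise takedowns. The Python below is an added example of that grouping over a handful of constructed registration records; it is not Netcraft's tooling, the domains and email addresses are placeholders, and the watch-list of TLDs and the clustering thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of registration records. Domains and registrant
# addresses are placeholders, not real infrastructure from the campaign.
SAMPLE_RECORDS = [
    {"domain": "bank-anniversary-prize.cyou", "registrant_email": "registrant-a@example.invalid"},
    {"domain": "bank50years-gift.cyou", "registrant_email": "Registrant-A@example.invalid"},
    {"domain": "winbankprize.cn", "registrant_email": "registrant-a@example.invalid"},
    {"domain": "survey-reward-bank.cn", "registrant_email": "registrant-b@example.invalid"},
    {"domain": "anniversary-cash.cyou", "registrant_email": "registrant-b@example.invalid"},
    {"domain": "ordinary-shop.com", "registrant_email": "owner@example.invalid"},
]

# TLDs the article names as commonly used for this campaign; treat the
# list as an assumption to be tuned against local telemetry.
WATCH_TLDS = {"cyou", "cn"}


def tld(domain):
    """Return the last label of a domain name, lower-cased."""
    return domain.rsplit(".", 1)[-1].lower()


def cluster_by_registrant(records):
    """Group domains by registrant email (case-insensitive)."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[rec["registrant_email"].lower()].append(rec["domain"].lower())
    return {email: sorted(domains) for email, domains in clusters.items()}


def tld_counts(records):
    """Count how many domains fall under each TLD."""
    return Counter(tld(rec["domain"]) for rec in records)


def concentration(records, top_n=2):
    """Fraction of all domains attributable to the top_n registrant emails.

    A value close to 1.0 with a small top_n is what 'a small number of
    actors behind a large campaign' looks like in registration data.
    """
    sizes = sorted((len(d) for d in cluster_by_registrant(records).values()), reverse=True)
    return sum(sizes[:top_n]) / len(records)


def suspicious_clusters(records, watch_tlds=WATCH_TLDS, min_domains=2):
    """Registrants holding at least min_domains domains, the majority on watch-list TLDs.

    Each returned cluster is a candidate block list and a single takedown
    request to the registrar rather than one request per domain.
    """
    flagged = {}
    for email, domains in cluster_by_registrant(records).items():
        on_watch = [d for d in domains if tld(d) in watch_tlds]
        if len(domains) >= min_domains and 2 * len(on_watch) > len(domains):
            flagged[email] = domains
    return flagged


if __name__ == "__main__":
    print("TLD distribution:", dict(tld_counts(SAMPLE_RECORDS)))
    print("share of domains held by top 2 registrants: %.2f" % concentration(SAMPLE_RECORDS))
    for email, domains in suspicious_clusters(SAMPLE_RECORDS).items():
        print(email, "->", ", ".join(domains))
```

Case-folding the registrant address matters because registrars store it inconsistently; without it the two spellings of the first registrant in the sample would split into separate clusters and the concentration figure would be understated.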
Netcraft's browser extension and Android mobile app protect against these survey scams, as well as against phishing sites, counterfeit stores and other types of cybercrime.
To date, Netcraft has successfully removed more than 130,000 survey scam sites posing as marketing campaigns for our existing customers. Affected organisations are welcome to contact Netcraft to discuss countermeasures against these sites.