Over the past year, Akamai Enterprise Threat Research team monitored the usage of one particular phishing toolkit in the wild. We previously wrote about this phishing toolkit as "Three Questions Quiz". The "Quiz" toolkit is not new to the threat landscape, as its been used in many phishing campaigns in recent years.
Our goal here is to present new insights on the evolution and scale of usage of the toolkit in the wild. The most surprising insight was the variety of commercial brands being abused as part of these phishing scams that were all using the same toolkit, but wearing a different face.
For our research, we monitored 689 customised phishing campaigns, that abused 78 commercial brands around the globe, including those in the retail, food and beverage, airline, and entertainment sectors. Each phishing campaign starts with a short quiz that asks the user three questions related to the imitated brand. This is why we call the phishing scam the "Three Questions Quiz".
Regardless of the answer selected, the victim always "wins" a prize associated with the abused brand. For example, if the target organization is an airline company, the prize would be a free airline ticket.
The victim, or "winner" is forwarded to a website requesting their private information. The primary goal of these phishing campaigns is to obtain the victim's email addresses, home address, and age. Each phishing campaign can be customized to the criminal's goals.
The toolkit uses a variety of social engineering techniques:
Customized "brand" website: The quiz scams abuse the reputation of targeted brands. Because most brands are trusted, victim's feel comfortable answering basic questions. While there is a commonality between sites,because of the toolkit, each site was customized to contain quiz questions relevant to the targeted brand.
Call to Action: A common way to get victims information during one of these phishing attacks, is to enforce a sense of urgency. The quiz scam websites will include messages like, "We only have 332 tickets remaining, so hurry up." This creates a sense of urgency around claiming the prize, which them to just supply the requested personal details.
"You've Won!": The final nail in the coffin for the victim arrives when they win a prize. At this point, all doubts - if any still existed - dissipate, due to the excitement of winning. Now comes the entire point of the scam -the ask. Victim's are directed to answer a few basic questions (some requiring sensitive information) in order to claim their prize, and most are more than willing to comply.
As a result of using the same toolkit, these quiz-based phishing campaigns share identical functionality and features. According to our analysis, while numerous threat actors launched quiz-based phishing campaigns, many of those websites were activated on a schedule by the same threat actor, indicating threat activity that is both organized and well planned.
Figure 1: 20 different brands, three questions quiz, one toolkit
The campaigns abuse the reputation of a variety of brands. Some are local, and others are international. Although the campaigns looks similar, each was customized and contains different quiz questions in different languages. Many of the abused brands are airlines. However, the scammers are perfectly comfortable targeting brands that exist in the retail, entertainment, and food and beverage sectors too. We've seen campaigns targeting coffee houses, amusement parks, restaurants, clothing retailers, and home decoration retailers.
In the past year, Akamai has collected evidence on 689 domains abusing 78 brands. The ability to abuse 78 different brands shows the scale and level of sophistication that these campaigns have.
When we examined the abused brands by industry, we saw that the majority of phishing domains are targeting airlines, retailers, and food and beverage (Figure 2).
By analyzing the actual domains used in these phishing attacks, we saw that 82% of the attacks include the name of the brand being abused or variation of such, which is a technique called "typosquatting".
Figure 2: Percentage of domains per industry
There were 23 airlines being abused during the quiz-based phishing campaign (figure 3), but the surprising victim across all of the abused brands were amusement parks. Consumers trust amusement parks just as much as other entertainment brand.
Figure 3: Number of brands being abused per industry
Another common feature in all of the quiz-phishing websites includes a step when after "winning" their prize, the victim is required to share a link to the scammer's domain across a number of social networks. The integration of social networks into these phishing scams amplifies the attack, since many of the victims willingly share the quizzes with their friends.
The social aspect to the quiz-phishing is a clever trick by the scammers, as such functions can be used to avoid some security controls, and it limits mitigation capabilities, since social networks applications are mostly used on mobile devices.
Over the year that the "Three Questions Quiz" scams were being monitored, Akamai was able to see new campaigns that included enhancements to the base toolkit, including automatic translation, removing any language barriers that might exist. In addition, the enhancements also included new profiles for the fake social network system, and we attribute this change to the need to make scam more dynamic and relaible.
The overall objective of the campaigns we observed was to harvest email addresses and other personal details. In the majority of cases, this data is destined to be used in subsequent spam campaigns or sold to other malicious actors. In no version of the campaigns do the victims targets actually win a prize or otherwise benefit from these scams.
Phishing campaigns that target non-sensitive personal information tend to pose limited risks to users. But despite the lesser risk, these campaigns should not be overlooked or dismissed. Malicious actors that steal personal information, including email addresses, can use that information to execute email spam campaigns with the intention of infecting users with ransomware or other types of malware.
Our research leads us to believe that this might be at the beginning of new evolution in phishing landscape.
The wide usage of same toolkit, abusing 78 different brands by the same threat actors in many cases, implies coordination at scale, which isn't something you see on a one-off campaign. Those responsible for these attacks are trying to impact as many as victims as possible with minimal effort. The usage of local brands, combined with customized linguistic options also represents step up in the threat actor's game.
Moreover, in phishing campaign analysis we conducted earlier this year, we spotted a phishing campaign targeting victims during the holiday season. This campaign used 30 different domains registered months in advance, that were then later activated on a schedule and distributed via a targeted advertising campaign. This served as additional evidence to the way threat actors are well organized and objective oriented when it comes to getting the most impact for their efforts.
The usage of new distribution channels, such as social networks, is a disturbing trend. Social applications are usually used on mobile devices, which are often the weakest link in an enterprise's security posture. The usage of social networks shows how threat actors are adopting new distribution techniques that are more relevant to modern culture.
We predict there will be more phishing campaigns using the same infrastructure and toolkits to deliver a highly scaled, customized set of campaigns using commercialized techniques to increase their impact. Similar to the advertising industry, where ad campaigns are targeting specific audience, phishing scams will try to target segments of population with the most relevant scam distributed over social networks.
The industry as a whole needs to continue to raise the awareness and build the tools that will enable us to fight back against these lurking threats. We need to ensure our peers, colleagues, friends, and families understand the risks and to avoid sharing their sensitive information. After all, any offer that sounds too good to be true, probably is.