November 12, 2017

A New Way to Phish: Survey Spam


Beware of Phishing Attacks via Surveys



Scammers Can Use Surveys to Steal Your Personal Information;
That Survey Invitation May be a Phishing Attack in Disguise



The Scammers just keep getting more creative, finding new, seemingly legitimate ways to steal and misuse your personal information.  Survey spam is one of the latest methods Spear Phishers are using to trap their victims.

Spear Phishing refers to a targeted e-mail attack.  Spear phishers send you personalized spam e-mail that usually appears to be from a trusted contact.  That e-mail is intended to trick you into taking an action that will open you to harm. A Spear Phishing attack may try to plant malware, steal your information, and/or trick you into revealing log-ins and passwords.  A Spear Phisher's intentions are never good.

As cyberspace wisens up, the Phishers find new ways to steal your information. One of these ways is through survey spam.

Folks love to participate in surveys.  Often, surveys contain a sweepstakes component to help entice users to take it. "Five survey  participants will be randomly chosen to receive a $50 Amazon Gift Certificate" is a common come-on.  Many companies use legitimate surveys for market research and quality assurances.

SurveyMonkey is one of the largest and oldest survey hosts around.  I can remember being in an Internet Community with the original developer, who is an excellent Netizen.  One of the things he wanted to do when he created SurveyMonkey was to create a resource the whole Internet could use.  Because of that, SurveyMonkey still has a free option.  Anyone can create a SurveyMonkey account. A free user can create a survey for up to 100 respondents.  You may also access "SurveyMonkey's Global Consumer Panel," which means you can target current SurveyMonkey users rather than your own e-mail list.

Most SurveyMonkey surveys are legitimate.  And SurveyMonkey has taken a lot of steps to let customers personalize survey invitations so they can separate the good from the bad.  However, as with any good Internet tool, the Bad Guys have found ways to exploit it.

Take the e-mail in the picture, for example.  This is a legitimate survey invitation from a SurveyMonkey customer.  I can be sure that clicking through the link will take me to a legitimate SurveyMonkey survey, which means I'm safe from malware.  What harm can there be from clicking through and taking the survey?

Remember, Spear Phishers are not always trying to plant malware. Often, they are phishing for personal information. They may be trying to fill in additional details to go with information they have already purchased or stolen. They may already have an old username and password combo, and are phishing for answers to security questions so they can steal your account. They may only have partial personal data, and are trying to get enough of the rest so that they may steal your identity.  That "harmless survey" may be designed to get this information.

Techlaurels shared a post from Laurel's personal timeline  on our Facebook page:



This post was made in response to a friends posting one of those "Let's get to know each other better" types of posts, which involved sharing your grandparents' full names, your parents' full names, and your own "birth name."  Laurel asked her friend to delete the post, pointing out she had just given Phishers the information they needed to social engineer their way into an account.  She then created her own "Get to know each other better" type post to point out how the information could be misused.    Survey Spam often has a similar goal.

Let's examine the SurveyMonkey Survey Invitation pictured at the beginning of the article:



(You may click on the picture to view a larger copy of the e-mail.)

SurveyMonkey invitations come from [username] via SurveyMonkey.com, and from one of several SurveyMonkey registered domains.  Member@surveymonkeyuser.com is one of these domains.  Viewing the e-mail headers verifies this e-mail was generated by the SurveyMonkey system. So it should be safe...right?

Again, I will not get malware if I click through, but that does NOT mean I am safe taking this survey.

Look at the subject line: "We want your opinion - Pay Marketing Research Study New Position" in bold text. Does this look like a legitimate survey request?  No, it looks more like one of those "Make a Mint by Working at Home" type scams.  Next look at the SurveyMonkey user name: richardcoppola9@mail.com.  Mail.com is one of those free e-mail services, one of the many loved by spammers because they do not require verifiable personal information to set up an account.  In addition, I do not know anyone named Richard Coppola, and if this were a survey sponsored by a company for legitimate purposes, you'd most likely see that company's name as the sender.  Instead of a username, I see a spammy-looking e-mail address, another sign that this may not be a survey I want to take.

Looking at the body of the e-mail itself does not inspire confidence.  Most surveys tell you their purpose. They tell you who is collecting the information and how it will be used.  This e-mail says "We're conducting a survey and your input would be appreciated. Click the button below to start the survey. Thank you for your participation!" That is the default text in the SurveyMonkey invitation template. That tells me this guy was too lazy to even customize his invitation.

I took a few minutes to create my own SurveyMonkey survey. You can take this survey at https://www.surveymonkey.com/r/FV2MQ8T.  (This link will open in a new window.) It is also embedded below. You may safely click through the link, but I do NOT suggest you actually complete the survey.  You will see, it may appear to be harmless. After all, it asks innocent questions, like name, address, and first pet.  It's hosted by a legitimate service who will not misuse the information. What is the risk?


Create your own user feedback survey

Update: See Bottom of this post.


Have I told you HOW I am going to use the information? Why do I NEED to know about your first car or your first pet?  The answer to that is simple: how am I going to answer your security questions without that information?  Notice I do not ask for your e-mail address in the survey. If you received the survey invite by e-mail, it just means I already have that piece. I am just trying to round out the information I have so I can complete my dossier.

I used a Facebook Account to set up my SurveyMonkey account.  We ALL know how difficult it is to set up a fake Facebook account.  Setting up a fake Facebook is probably about as difficult as finding a grain of sand on the beach.  So I can set up a fake (or cloned) Facebook account, use it to register for SurveyMonkey, Spear Phish suckers in groups of 100, and disappear into the Dark Web before anyone has a chance to track me down.

Survey Spam has one intention, and that is to steal your personal information.  Does that mean you need to avoid taking surveys all together? Of course not! But it does mean you need to scrutinize Survey Invitations, as closely as you examine supposed Paypal Alerts and Amazon Order Confirmations for large purchases you haven't made.  Examine who the survey is from, as well as what information it collects and how it says that data will be used.  Do not blindly click through, just because you are enticed with a prize.

And in the interest of full disclosure, Techlaurels will delete ALL information obtained through our SurveyMonkey survey, without examining it.  Our survey was created merely to illustrate a point. If you actually completed all of the information, you need to go back and re-read our previous articles on Phishing, and you probably will want to follow this blog.  If you actually answered the last question, you probably need to avoid Internet Surveys and Quizzes all together.  There is no sweepstakes, and a question like that is obviously designed to steal valuable personal information.  With all of the survey questions filled in, I probably have enough to break into your bank account.

UPDATE: SurveyMonkey has suspended the survey, and good for them.  That means something triggered their examining it. Perhaps it was this blog, but more likely it was because it began collecting data, and their database flagged it as it was recorded. Which would mean someone submitted the survey.  That survey was still up for several hours, and any data it had collected could have been misused.

The survey consisted of 6 questions:


  1. Demographic Info (Name, address, etc.)
  2. Tell us about your first car.
  3. Tell us about your first pet.
  4. What is your favorite color?
  5. Where do you bank?
  6. If you want to participate in the sweepstakes for the $500 prize, we will need your social security number in order to pay you. Enter it in the box below.
(Yes, Number 6 is probably what got the survey suspended. Even with the first 5 answered, I'd probably have enough info to break into your bank account.)


Have you been a victim of Spear Phishing?  Did you actually complete our survey?  Do you have a personal Phishing Tale you'd like to share? Hit us up in the comments section, on Twitter, or on Facebook.  And remember, always protect your personal information; don't be a fool and blindly click through.


2 comments:

  1. Thanks for all this infos. This is very dangerous time on the internet. Personal information is product but - cheap product. In most cases most of internet users simply share infos, without knowing what thay doing.

    ReplyDelete
    Replies
    1. Exactly! And then, when they are compromised, they wonder how it happened. We all need to be more careful.

      Delete

Thank you for contributing to the discussion! Your feedback is valued! (Unless you are a sunglasses or work at home spammer, in which case, your comment will be promptly deleted. :D) The Mods are reviewing it, to keep those types away! ;)