Question Quiz - The Forgotten Scam

Akamai

Author: Or Katz, Principal Lead Security Researcher

Last year, Akamai's threat research team published information regarding a widely used phishing toolkit we referred to as the "Three Question Quiz". We have reviewed how the toolkit, the associated campaigns, and the potential damage caused by those campaigns evolved over the past year by tracking 1,161 websites hosting phishing toolkits from July 2019 to May 2020. Those websites targeted 130 brands and had more than 5 million victims.

Scam Evolution: Variants, Mobile, and IDN

We were able to see several variants of the scam during our research. Changes made over the past year include:

  • The design and interface of the kit and the source code were significantly updated, but the functionality of the website wasn't altered,
  • New victim filtering mechanisms, such as campaigns that only target mobile devices,
  • The use of Internationalized Domain Names (IDN) for phishing (i.e., a homograph attack). IDN enables people to use Unicode domain names in local languages and scripts. Victims are deceived when an IDN is displayed as what appears to be a harmless domain name written in ASCII characters.

Figure 1: Question quiz variations

Figure 2: HTML code of mobile devices filtering
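
A defender can screen hostnames for the IDN homograph technique described above. The following Python code is an added example, not code from the Akamai research or from the phishing kit; the small confusables table, the brand watch list, and the sample hostnames are constructed assumptions. It decodes xn-- labels, flags labels that mix scripts, and flags labels that collapse to a watched brand name, which also catches an all-Cyrillic spoof that a mixed-script check alone would miss.

```python
import unicodedata

# Assumption: a tiny hand-picked confusables table (Cyrillic/Greek -> Latin).
# Production checks should use the full Unicode confusables data (UTS #39).
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u03bf",
                            "aeopcxyio")
WATCHED_BRANDS = {"example", "payco"}  # hypothetical brand labels to protect

def to_alabel(label):
    """Encode a Unicode label the way it appears in DNS (xn-- form)."""
    return label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")

def decode_label(raw):
    """Return the Unicode form of one lowercase DNS label, decoding xn-- A-labels."""
    return raw[4:].encode("ascii").decode("punycode") if raw.startswith("xn--") else raw

def scripts(label):
    """Scripts used by the letters, taken from each character's Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Map known lookalike characters to the Latin letter they imitate."""
    return label.translate(CONFUSABLES)

def check_hostname(host):
    """Return sorted (label, reason) findings; empty if nothing looks suspicious."""
    findings = set()
    for raw in host.lower().rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except ValueError:  # UnicodeError is a subclass of ValueError
            findings.add((raw, "invalid-punycode"))
            continue
        if label.isascii():
            continue  # plain ASCII labels cannot be IDN homographs
        if len(scripts(label)) > 1:
            findings.add((label, "mixed-script"))
        if skeleton(label) in WATCHED_BRANDS:
            findings.add((label, "brand-lookalike"))
    return sorted(findings)

# Constructed sample hostnames (not taken from the campaigns described here).
SAMPLES = [to_alabel("ex\u0430mple") + ".com",  # Latin with one Cyrillic letter
           to_alabel("\u0440\u0430\u0443\u0441\u043e") + ".com",  # all Cyrillic, reads "payco"
           to_alabel("m\u00fcnchen") + ".de", "example.com"]  # legitimate IDN, plain ASCII

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, check_hostname(h))
```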

Campaigns in the Wild

Over the last year, Akamai has seen campaigns targeting specific geographic regions and campaigns using language and brands that are specific to the victim's location. Victims are typically targeted when they are vulnerable and/or searching for a particular theme. Examples include:

  • A campaign targeting vacation hotspots just before the summer
  • A strong spike in the days prior to Thanksgiving 2019, when victims were likely looking for attractive deals on goods
  • A mid-March to end of April spike, which we believe to be related to COVID-19, as criminals attempted to abuse the uncertainty and fear surrounding the pandemic. An example is a campaign where nearly 1 million victims in Brazil landed on question quiz websites promoting government payments.

Figure 3: Number of victims per day from sampled data

Byproduct of Phishing Campaigns

Akamai saw that many of the websites participating in the question quiz campaigns were massively distributed and had a high engagement rate. As a result, the websites became popular and highly ranked by web analytics platforms.

We believe that a combination of blackhat SEO techniques, the steady stream of victims sharing links to the scam pages, and the traffic volume led to these domains becoming highly ranked in casual searches.

We also checked classification scores of the websites with public threat intelligence resources. The result was that 80% of the scam websites were not classified as malicious, and have — in a way — been forgotten.

Figure 4: Web analytics of a question quiz domain from SimilarWeb

Summary

Phishing has evolved from being focused solely on credential abuse and drive-by downloads to a more lucrative kind of attack where the stolen good can be personal information. Moreover, the Internet offers the ability to generate revenue via advertisements and the associated traffic to the scam websites. As this research shows, phishing's potential impact also includes damage to the brand being abused, a type of damage that is not always tangible, so it is sometimes overlooked.
