More bad men than Mad Men

Cybercriminals are using new targeted tools and techniques to revive an online scam that had, until recently, fallen out of fashion.

The wide-ranging campaign, targeting users in 90 countries around the world, uses fake surveys and giveaways purporting to be from popular brands to steal users’ personal and payment data.

These so-called survey scams go back years, but the latest run of fraudulent messages use targeted links featuring content tailored to each potential victim – a trick that makes investigating the fraud more difficult than normal.


YOU MAY LIKE US identity thieves jailed over $130,000 scam that targeted the elderly


In addition, the sheer scope of the scam is causing headaches for investigators according to threat intel firm Group-IB.

There has been a sharp increase in the number of brands impersonated and domains involved since we started to observe the scams involving the use of the targeted links technology.

Whereas in the past [when] the scam actors used dozens of well-known brands in their schemes, there are now more than 120 brands impersonated by scammers operating targeted links and at least 60 different domain networks as part of the ongoing scam campaign observed by the Group-IB DRP (Digital Risk Protection) unit.

Millions of people have been targeted with fake survey invitations that lure victims through a labyrinth solely designed to trick them into handing over sensitive personal information such as bank card details, according to Group-IB.

“The potential victim pool of 60 domain name networks detected by the Group-IB DRP is estimated at 27.7 million people,” a Group-IB spokesperson told The Daily Swig.

Tailor made

The type of scam is not new but whilst in the past fraudsters indiscriminately targeted users, the latest version of the scheme uses techniques stolen from legitimate advertising campaigns to deliver tailored content.

Firstly, fraudsters attempt to ensnare their victims by distributing invitations to partake in surveys to win a non-existent prize.

Each such offer contains a link leading to the survey website. For this, the threat actors use all possible legitimate digital marketing means: contextual advertising, advertising on legal and completely rogue sites, SMS, mailouts, and pop-up notifications.

To attract users into visiting the fraudulent websites, cybercriminals register look-alike domain names to the official ones.

Scammers also use information on potential marks including country, time zone, language, IP address etc, in order to tailor the links.


Read more of the latest news about computer enabled fraud


Group-IB told The Daily Swig: “The final scam link is customized to a specific user and can be opened only once. This complicates the detection of such links, which inevitably leads to the scam’s longer life cycle, and hampers the takedown and investigations.”

The data requested from unwitting marks usually includes the full name, email, postal address, phone number, bank card data, including expiration date and CVV. Users are sometimes also asked to pay a tax or a test payment to receive the prize.

Fraudsters use the compromised payments card data to buy goods online, register fake user accounts, or simply sell the personal information on the dark web.

The fraud has been spotted in 91 countries, with cybercriminals exploiting at least 121 brands as bait, many of them either telecom service providers or retailers.


RECOMMENDED How expired web domains help criminal hackers unlock enterprise defenses