‘Three Questions Quiz’ scam leverages 78 unique brands to steal personal data from users

• A total of 689 ‘Three Questions’ phishing campaigns were observed targeting four industries that include airline, retail, food and entertainment.
• The scammers use fake social media profiles as a mean to connect as many users as possible and convince them into revealing their data.

A new phishing scam dubbed ‘Three Questions Quiz’ has been found impersonating 78 different known brands to target the online users. The scam is used to trick users into giving away their personal information by answering three questions related to the brand.

About the scam

A blog post from Akamai Technologies highlights that the quizzes are customized according to the brand, although they all have certain commonalities.

“Each phishing campaign starts with a short quiz that asks the user three questions related to the imitated brand. This is why we call the phishing scam the "Three Questions Quiz",” said Or Kartz, principal lead security researcher at Akamai.

A total of 689 ‘Three Questions’ phishing campaigns were observed targeting four industries that include airline, retail, food and entertainment. Examples of some prominent brands include Kroger, Dunkin’ Donuts, United Airlines, JetBlue, Target, Outback Steakhouse and Disneyland.

“The quiz scams abuse the reputation of targeted brands. Because most brands are trusted, victim's feel comfortable answering basic questions. While there is a commonality between sites, because of the toolkit, each site was customized to contain quiz questions relevant to the targeted brand,” wrote Kartz.

Modus Operandi

The scammers use fake social media profiles as a means to connect with as many users as possible and convince them into handing over their information. The fake profiles are presented as winners who have already won a prize by answering ‘Three Questions Quiz’.

“These fake users appear on the phishing website as an integrated plugin for social networks, but what the user is actually seeing is embedded JavaScript code on the phishing site. These fake users are presented as a reference and supporting evidence of ‘others’ who have also won prizes after taking the quiz.”

Once the user is convinced and participates the quiz, the scammers get hold of his personal data and use it for various other activities. Apart from answering the quiz, the victims are also required to share the link on social networking platforms, thus helping the scam spread across the internet.

Kartz notes that scammers will continue to use such tactics to conduct the scam on a massive scale.

“We predict there will be more phishing campaigns using the same infrastructure and toolkits to deliver a highly scaled, customized set of campaigns using commercialized techniques to increase their impact. Similar to the advertising industry, where ad campaigns are targeting a specific audience, phishing scams will try to target segments of the population with the most relevant scam distributed over social networks,” Kartz wrote.