Netcraft has seen a large increase in survey scams impersonating well-known banks as a lure. These are often run under the guise of a prize in celebration of the bank’s anniversary, though in some cases a reward is promised just for participating.
These scams first came to Netcraft’s attention around 16 months ago, when businesses that were particularly useful during lockdown, such as supermarkets, mobile phone networks, and delivery companies, were targeted. The expansion of these attacks to use banks as a lure started in October 2021. To date we have seen over 75 distinct banks used as lures for these survey scams, with a global spread including banks from the US, the UK, Asia, and the Middle East.
Survey scams mislead victims into thinking they are being marketed to by a well-known company or brand and will receive a high-value reward or prize for answering a few simple questions. These sites usually pose either as market research for the company or as a quiz contest, e.g. “To win, all you need to do is answer these questions”.
After answering these questions, the victim is told they have won, and then redirected to another scam or a third-party affiliate link under the guise of redeeming their prize. For example, they may be asked to pay a small shipping and handling fee in order to claim their prize but are instead unknowingly signed up for an unwanted subscription service with recurring payments. Alternatively, the user may be tricked into giving away personal information or installing malicious software.
Dissecting the Bank-Themed Survey Scams
Each survey scam is themed to resemble a mobile website run by the respective bank. This is done through the use of the bank’s logo, colours, and a navigation header which resembles the one used by the bank’s real mobile site. To add to the perceived legitimacy of these scams, each page also features an image selected to appear related to the bank’s anniversary celebrations or the cash giveaway. For example, the scams targeting Qatar Islamic Bank use an image of officials attending the formal opening of a new branch of the bank.
Apart from these differences used to theme each page to a particular bank, the template used for these survey scams is otherwise identical. The page informs the victim that, to celebrate the bank’s anniversary, they have a chance to win a cash prize simply by answering the questionnaire. The amount of cash varies depending on the victim’s locale: for example £1000 in the UK, €2000 in the Netherlands, or S$4000 in Singapore.
Below the questionnaire, each page features fake testimonials purportedly from previous winners. The names and text used for these fake testimonials are identical across pages, though the profile images can vary.
The questionnaire is a short 4-question survey, with basic multiple-choice questions such as “Do you know ‘bank name’?” and “Are you male or female?”. Inspection of the source code shows that the answers to the questions are not recorded.
After the 4 questions are answered, a short animation is played in which the page claims to be verifying the victim’s answers and checking whether gifts are available. As with the survey questions, no check actually occurs: each line of text is hard-coded to appear after a fixed delay.
After the check, the user is directed to play a rigged game to see if they win the prize. Upon selecting the “correct” box (which always occurs on the second attempt), the victim is told they have won the cash prize and that they must complete several more steps in order to claim it.
First, they must share the page with their friends in order to proceed. Clicking the “Share” button will attempt to share the link via either Facebook Messenger or WhatsApp, depending on the OS and browser being used by the victim. Regardless of whether the link sharing is successful, a blue progress bar fills up a little further after each click of the “Share” button.
After the blue progress bar is full, the victim is told to “register the application below” and have it open for at least 30 seconds in order to complete the registration.
The “Complete Registration” button redirects the victim via an affiliate link to one of several external pages on other domains, where they will be prompted to complete another action such as downloading an app or entering their details. This is how these scams are monetised: the aim of the scam is to deceive the victim into completing the desired action on the external sites, under the guise of it being the final step required to claim their prize. The fraudster running the scam is paid a fee for each user who carries out the desired action.
Scam Site Destinations
Despite the initial lure of cash as the prize for these bank-themed survey scams, the destination affiliate links are often unrelated to that lure: they are either selected at random or chosen based on the victim’s geolocation and the pay-out value available to the criminal from each destination at the time of the visit. The victim may be redirected to any of the following:
An affiliate link directing the user to download an app or to install some software. These pages may further deceive the victim by claiming their phone requires an update or has a virus, to increase the odds of the victim proceeding with the download or install. In some cases, the app that the user is directed to download has been reported by third parties to contain adware, i.e. the app injects unwanted ads onto the user’s device.
A legitimate e-commerce site or app store link, reached via an affiliate scheme URL. For example, hxxps://it.gearbest.com/promotion-bestseller-special-1308.html?lkid=[affiliate code]
A page which seemingly offers the user a high-value prize such as an iPhone for a low price. In reality, the victim is paying and/or providing their details in order to enter a monthly prize draw. These pages typically also sign the victim up for an unwanted subscription service with recurring payments, with the details hidden in small print or on a separate terms and conditions page.
A page which asks the victim to enter their phone number to proceed. These sign the user up to unwanted SMS subscriptions which charge the victim monthly.
A page which asks for contact details from the victim, typically in return for a chance to win a prize or a voucher. By submitting their details, victims agree for their contact information to be passed along or sold to marketing companies, who can subsequently mail, text and/or call the victim with offers.
Other scam sites such as cryptocurrency investment scams, package scams, fake order scams, or other survey scams. These may solicit credit card details from the victim, or direct them to other points of contact in order to proceed with the scam.
Volume of Attacks and Mitigations
Netcraft is actively tracking and investigating the extent of this ongoing campaign. During November 2021, Netcraft identified over 1.3 million survey scams on nearly 39,000 distinct domains as part of this campaign. Over 200 different organisations have been used as lures, the majority of which are banks and retailers.
These scams are found on purpose-registered domains on TLDs commonly used for cybercrime, such as .cyou and .cn. The bulk of these domains have been registered using the same small set of email addresses, indicating that only a small number of threat actors are responsible for this large-scale attack.
To date, Netcraft has successfully taken down over 130,000 survey scam sites purporting to be marketing campaigns for our existing customers. Affected organisations are invited to contact Netcraft to discuss countermeasures against these sites.