{"id":14129,"date":"2018-12-20T15:30:58","date_gmt":"2018-12-20T23:30:58","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/12\/20\/news-7896\/"},"modified":"2018-12-20T15:30:58","modified_gmt":"2018-12-20T23:30:58","slug":"news-7896","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/12\/20\/news-7896\/","title":{"rendered":"This online quiz is now confirmed to be a phishing scam"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Thu, 20 Dec 2018 18:30:00 +0000<\/strong><\/p>\n

Ah, online quizzes. Many of us know that they can be somewhat dodgy and nonsense, really\u2014but that doesn\u2019t stop us from clicking the \u201cStart quiz\u201d button anyway. Besides, you have time to kill, and there are only three questions to answer, right?<\/p>\n

The right kind of wrong<\/h3>\n

Phishing attacks don\u2019t always start in your email inboxes anymore. Whether you\u2019re on a desktop, laptop, tablet, or smartphone<\/a>, there are several other vectors where users can encounter phishing attempts. And believe me, they don\u2019t have a flashing neon sign that could easily alert users that they are\u00a0after your personal information.<\/p>\n

Phishers have been one of the most resilient cybercriminals\u00a0out there to date. And Or Katz, principal lead security researcher for Akamai Technologies, has proven this point once again.<\/p>\n

In a recently published white paper entitled \u201cA New Era in Phishing\u2014Games, Social, and Prizes\u201d<\/a><\/em> [PDF], Katz has confirmed what many of us have already long suspected: those short quizzes shared on Facebook, Twitter, and other social media platforms are scams. And behind them are sophisticated and coordinated efforts that were designed for prolonged user exposure to fraud campaigns.<\/p>\n

Katz and his team have studied 689 customized phishing campaigns that banked on 78 popular names of brands across industries. These brands include United Airlines, Target, Disneyland, and Dunkin\u2019 Donuts. All quiz-based phishing pages follow a templated format: They ask three questions and, once a user answers them\u2014note that they don\u2019t have to be correct\u2014they promise quiz takers a prize associated with the brand they\u2019re impersonating. For example, if the quiz is about Disneyland, quiz takers could potentially \u201cwin\u201d free passes.<\/p>\n

Quiz takers are then directed to a web page that asks for personal information\u2014so they can claim the prize, of course\u2014like their email address, physical address, and age.<\/p>\n

The toolkit behind these \u201cpositive\u201d phishing campaigns<\/h3>\n

Phishing kits<\/a> are a staple to a serious phisher\u2019s fraud arsenal. These nifty and reusable tools are popular in the underground market because they do most of the work with little effort from the scammers. It also makes phishing campaign creation a lot faster.<\/p>\n

According to this accompanying blog post<\/a> to the Akamai paper, the quiz-driven phish kits they studied use the following social engineering tactics to gain user trust:<\/p>\n