

























Lead Analysts: Jeewan Singh Jalal, Dilsha Dines, Karthikeyan Dharmaraj
The classic 'survey reward' scam is back and hitting harder than ever. KnowBe4 Threat Labs is tracking a massive, high-volume campaign that is not only impersonating a wide array of trusted global brands across retail, logistics, and healthcare, but is using hundreds of newly registered domains (NRDs) and sophisticated psychological priming to fly past traditional security defenses. The result: attackers are harvesting high-value Personally Identifiable Information (PII) and financial data from unsuspecting users on an unprecedented scale.
The campaign utilizes a "spray and pray" approach, rotating through pixel-perfect templates of various household names. This diversification ensures that regardless of a victim’s shopping habits or service providers, they are likely to see a brand they trust.
Image Phishing Lure: Sample email templates demonstrating the campaign's use of multi-sector brand impersonation to gain user trust.
The initial attack vector utilizes an email or SMS message lure promising a high-value incentive, such as premium electronics (e.g., iPhone, Apple Watch, Airpods, and Beats by Dre headphones), contingent upon the victim completing a short customer satisfaction survey. This tactic employs psychological priming and scarcity by often incorporating live countdown timers or claims of limited stock to induce immediate action.
This campaign represents a sophisticated evolution beyond simple credential harvesting. Rather than immediately demanding a password, attackers use a multi-stage funnel designed to incrementally build trust through micro-commitments, exploiting the victim's sense of justification and reward.
Examples of landing pages created to trap the users with free gift scams.
The attack initiates with The Survey (Pretexting). The victim is presented with 10–15 brief, legitimate-looking questions regarding their experience with the targeted brand. This step is a form of labor that creates a psychological investment, convincing the victim that they have earned the high-value prize through their effort.
The funnel reinforces this belief with Social Proof. The reward landing page features simulated social media comment sections, displaying purported winners who claim to have already received their prizes. This manufactured credibility leverages human bias to overcome lingering suspicion.
The final stage is The Final Payment Lure. The victim is requested to pay a small delivery fee, typically $5.00–$10.00. This seemingly negligible cost legitimizes the high-value item, coercing the user into willingly entering their credit card and Personally Identifiable Information (PII) on the payment page.
The moment the user submits their payment details, the data is instantly exfiltrated to the attacker's command and control (C2C) infrastructure.
Example of the data exfiltration process, highlighting the immediate transfer of captured credit card details and PII to the attacker’s control C2C.
The campaign's success relies on a "churn and burn" domain strategy. Our analysis shows that attackers are registering hundreds of new domains daily to stay ahead of blocklists.
| Technical Indicator | Observed Behavior | Confidence |
|---|---|---|
| Rapid Domain Churn |
Use of hundreds of NRDs (Newly Registered Domains) with a lifespan of <48 hours |
HIGH |
| TLD Concentration |
High usage of low-cost TLDs |
HIGH |
| High-Fidelity CSS |
Use of “pixel-perfect” clones of official brand landing pages to evade visual scrutiny |
HIGH |
| Social Engineering |
Use of scarcity (countdown timers) and social proof (fake comments) |
HIGH |
This campaign highlights the evolving nature of social engineering, where attackers move beyond simple link-clicking to complex, multi-stage interactions. Securing the digital workforce requires moving from a reactive, 'training-first' approach to a Risk-First strategy. To defend against these threats, KnowBe4 recommends:
The threat landscape evolves rapidly. For the most current list of domains, hashes, and behavioral signatures related to this campaign, please refer to the latest intelligence update from KnowBe4 Threat Labs.
View the full IOC list on X: https://x.com/Kb4Threatlabs
For real-time updates and ongoing threat intelligence, follow the KnowBe4 Threat Lab analysts on X: @Kb4Threatlabs
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。