惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cloudbric
Cloudbric
有赞技术团队
有赞技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Threat Research - Cisco Blogs
L
LangChain Blog
Simon Willison's Weblog
Simon Willison's Weblog
Project Zero
Project Zero
Latest news
Latest news
S
Schneier on Security
Cisco Talos Blog
Cisco Talos Blog
MyScale Blog
MyScale Blog
C
Check Point Blog
IT之家
IT之家
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CERT Recently Published Vulnerability Notes
Scott Helme
Scott Helme
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
G
Google Developers Blog
T
Tor Project blog
T
Threatpost
D
DataBreaches.Net
博客园 - 【当耐特】
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Troy Hunt's Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
博客园_首页
S
Securelist
T
The Exploit Database - CXSecurity.com
Last Week in AI
Last Week in AI
量子位
U
Unit 42
Know Your Adversary
Know Your Adversary
Hugging Face - Blog
Hugging Face - Blog
S
Security Affairs
Google Online Security Blog
Google Online Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
S
SegmentFault 最新的问题
Engineering at Meta
Engineering at Meta
N
News and Events Feed by Topic
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志

Human Risk Management Blog

Trust, Verify, Protect: Modernizing Email Security for the Cloud Report: Social Engineering Remains a Central Part of AI-assisted Attacks ClickFix Social Engineering is Now the Leading Malware Delivery Method CyberheistNews Vol 16 #28 Your 2026 Phishing by Industry Benchmarks: The Findings on Human Risk Scammers Can Use AI Tools to Pinpoint Your Location Based on a Photo Report: Attackers Are Using AI to Automate Social Engineering Your KnowBe4 Fresh Compliance Plus Content Updates from June 2026 From Awareness to Digital Workforce Security Your KnowBe4 Fresh Content Updates from June 2026 Threat Actor Uses Phishing to Breach Orgs for Ransomware Gangs Invoice Phishing Attacks Are Abusing the Shop App Phishing Campaign Impersonates Interpol to Deliver Ransomware Prompt Injection and the Rise of Agentic Risk Hyper-Targeted Social Engineering Needs Real-Time Video Response Your Email is Protected. Is Your Teams Chat? CyberheistNews Vol 16 #27 [HOW TO] Your Cybersecurity Starts at Home on World Social Media Day 2026 Phishing by Industry Benchmarking Report: Findings on Human Risk Static DLP Is Leaving You in the Dark: Why It’s Time for Intelligent, Self-Serve Outbound DLP and Misdirected Content Analysis INC Ransomware Gang Targets the Legal Sector 5 Essential Cybersecurity Defenses for Cloud Email Security Cybercriminals Are Targeting the FIFA World Cup 2026 Why Bite-Sized Security Awareness Training Matters in an Age of TikTok and Digital Distraction Happy 3rd Birthday to Our KnowBe4 Community! Phishing Exposes Employee Data at 86% of Fortune 100 Companies Shadow AI Is Not Shadow IT With a Better Marketing Budget CyberheistNews Vol 16 #26 A New Extortion Scam Uses IT Impersonation to Breach Organizations Cybersecurity Starts At Home This World Social Media Day FTC Report: Americans Lost $3.5 Billion to Imposter Scams Last Year Report: Device Code Phishing is Surging Report: Online Shoppers Increasingly Ignore Scam Warning Signs Security Training Needs Google Maps, Not Christopher Columbus Turn Account Takeover Into Real-Time Security Coaching Extortion Gang Sends In-Person Attackers to Exfiltrate Data Attackers aren’t loyal to any collaboration channel CyberheistNews Vol 16 #25 [The AI Tell] How To Expose Machine-Written Phishing Fast Social Engineering Attacks Abuse Workplace Collaboration Tools New Extortion Brand Uses IT Impersonation to Breach Organizations APWG Report: Social Media Phishing is Surging Cybersecurity Awareness Training for AI: Key Focus Areas Americans Lost $900 Million to AI-Powered Scams Last Year What AI Can’t Hide When It Writes a Phishing Email Your AI Agents Are Eager to Please And Easy to Exploit From 1% to 26%: How AIDA Orchestration Fixes the Remedial Training Gap Best AI Agent Security Tools for SMB and Enterprise in 2026 4 Hot Summer Travel Tips To Avoid Scams CyberheistNews Vol 16 #24 [FBI Alert] Lock Down Your Microsoft 365 Device Code Flows Now The Role of Agentic AI in Phishing Security Training A Credit Score for Cyber Behavior Agentic AI Security in 2026: What to Know How to Secure AI Agents: 4 Best Practices An Overview of Email Compliance Regulations and Reporting Report: AI-Assisted Fraud is Surging Attackers Use Spoofed ChatGPT Site to Deliver Malware I Love Device-Bound Session Credentials, But They Are Still Phishable and Hackable Nearly Two-Thirds of CEOs Cite Cyberattacks as Their Top Concern A Look at Spam vs. Phishing: 4 Key Differences KnowBe4 Wins Multiple 2026 TrustRadius Top Rated Awards Cyber Insurance for Mid‑Market Organizations in Southeast Asia KnowBe4 Earns Multiple 2026 Buyer's Choice Awards from TrustRadius The New Frontier: Securing Japan’s Hybrid Digital Workforce (2026 & Beyond) CyberheistNews Vol 16 #23 Now Phishing Attacks Use Real Hotel Reservations to Target Travelers Report: AI-Enabled Social Engineering Attacks Are on the Rise Your KnowBe4 Fresh Compliance Plus Content Updates from May 2026 FBI: Kali365 Phishing Kit is Targeting Microsoft 365 Accounts KB4-CON - AI Is Everything How to Secure AI Adoption In Your Organization Your KnowBe4 Fresh Content Updates from May 2026 The Silent Invitation: A Deep Dive into Calendar Invite Phishing Cyber Insurance for Mid‑Market Organizations in Southeast Asia Chinese-Language Phishing Kits Are Growing More Advanced Phishing Attacks Are Using Real Hotel Reservation Info to Target Travelers Warning: Scammers are Exploiting Geopolitical Unrest Athletes Are Increasingly Targeted by Social Engineering Attacks AI Agent Governance Part 3 - Runtime Governance: The Hidden Performance Cost of Agentic AI AI Agent Governance Part 2 - What Good Looks Like: Governing AI Agents in Practice 8 Ways to Reduce False Positives in Email Security Ransomware Attacks Drive a Surge in Cyber Insurance Claims My Favorite 5 KnowBe4 Agents Perry Carpenter KB4-CON 2026 Q&A: Deepfakes & Deception When Global Conflict Becomes a Cyber Weapon: How Iran Tensions and Other Stressful Events Fuel Social Engineering Attacks CyberheistNews Vol 16 #21 [Heads Up] GitHub Breach Shows Developer Tools Are Social Engineering Targets Alert: Extortion Groups Are Using Phishing Kits to Automate Their Attacks Beyond the Chatbot: Why Your AI Agents are Your Newest (and Most Vulnerable) Colleagues Report: Adversarial Use of AI is Evolving
Free Gift Fallacy: How Attackers Harvest Credit Cards via Fake Surveys
KnowBe4 Threat Lab · 2026-05-28 · via Human Risk Management Blog

KnowBe4 Threat LabsLead Analysts: Jeewan Singh Jalal, Dilsha Dines, Karthikeyan Dharmaraj

The classic 'survey reward' scam is back and hitting harder than ever. KnowBe4 Threat Labs is tracking a massive, high-volume campaign that is not only impersonating a wide array of trusted global brands across retail, logistics, and healthcare, but is using hundreds of newly registered domains (NRDs) and sophisticated psychological priming to fly past traditional security defenses. The result: attackers are harvesting high-value Personally Identifiable Information (PII) and financial data from unsuspecting users on an unprecedented scale.

Campaign Summary

  • Vector and type: Email Phishing
  • Techniques: Brand Impersonation, Social Engineering, Credit Card Harvesting
  • Bypassed SEG detection: Yes (via rapid domain rotation)
  • Targets: Organizations and consumers globally

Multi-Sector Brand Impersonation

The campaign utilizes a "spray and pray" approach, rotating through pixel-perfect templates of various household names. This diversification ensures that regardless of a victim’s shopping habits or service providers, they are likely to see a brand they trust.

Top Impersonated Brands Observed:

  • Retail: Costco, Kroger, Harbor Freight, Tractor Supply Co., Sam’s Club, Dick’s Sporting Goods
  • Travel/Auto: Marriott, AAA (American Automobile Association)
  • Logistics: FedEx
  • Financial & Health: EquityFirst Financial, BlueCross BlueShield

Image Phishing Lure: Sample email templates demonstrating the campaign's use of multi-sector brand impersonation to gain user trust.

The initial attack vector utilizes an email or SMS message lure promising a high-value incentive, such as premium electronics (e.g., iPhone, Apple Watch, Airpods, and Beats by Dre headphones), contingent upon the victim completing a short customer satisfaction survey. This tactic employs psychological priming and scarcity by often incorporating live countdown timers or claims of limited stock to induce immediate action.

The Attack Flow: Psychological Funnel

This campaign represents a sophisticated evolution beyond simple credential harvesting. Rather than immediately demanding a password, attackers use a multi-stage funnel designed to incrementally build trust through micro-commitments, exploiting the victim's sense of justification and reward.

Examples of landing pages created to trap the users with free gift scams.

The attack initiates with The Survey (Pretexting). The victim is presented with 10–15 brief, legitimate-looking questions regarding their experience with the targeted brand. This step is a form of labor that creates a psychological investment, convincing the victim that they have earned the high-value prize through their effort.

The funnel reinforces this belief with Social Proof. The reward landing page features simulated social media comment sections, displaying purported winners who claim to have already received their prizes. This manufactured credibility leverages human bias to overcome lingering suspicion.

The final stage is The Final Payment Lure. The victim is requested to pay a small delivery fee, typically $5.00–$10.00. This seemingly negligible cost legitimizes the high-value item, coercing the user into willingly entering their credit card and Personally Identifiable Information (PII) on the payment page.

The moment the user submits their payment details, the data is instantly exfiltrated to the attacker's command and control (C2C) infrastructure.

Example of the data exfiltration process, highlighting the immediate transfer of captured credit card details and PII to the attacker’s control C2C.

Technical Artifacts and Infrastructure

The campaign's success relies on a "churn and burn" domain strategy. Our analysis shows that attackers are registering hundreds of new domains daily to stay ahead of blocklists.

Technical Indicator Observed Behavior Confidence
Rapid Domain Churn

Use of hundreds of NRDs

(Newly Registered Domains) with a lifespan of <48 hours

HIGH

TLD Concentration

High usage of low-cost TLDs

HIGH

High-Fidelity CSS

Use of “pixel-perfect” clones of official brand landing pages to evade visual scrutiny

HIGH

Social Engineering

Use of scarcity (countdown timers) and social proof (fake comments)

HIGH

MITRE ATT&CK Mapping

  • T1583.001 (Acquire Infrastructure: Domains): Automated registration of infrastructure to host harvesting kits.
  • T1566.002 (Phishing: Spearphishing Link): High-volume email distribution using trusted brand lures.
  • T1598 (Phishing for Information): Multi-stage surveys used to collect PII and financial credentials.

How to Stay Safe

This campaign highlights the evolving nature of social engineering, where attackers move beyond simple link-clicking to complex, multi-stage interactions. Securing the digital workforce requires moving from a reactive, 'training-first' approach to a Risk-First strategy. To defend against these threats, KnowBe4 recommends:

  • Perimeter Defense: Implement advanced security controls to address infrastructure-level threats like newly registered domain (NRD) churn and high-fidelity brand impersonation.
  • DNS Filtering: Implement policies that automatically flag or block Newly Registered Domains (NRDs) that are less than 30 days old.
  • Critical Thinking: Remind users that legitimate corporations will never ask for credit card information via a third-party survey link to pay for a free reward.
  • Risk-First Security Awareness: Leverage AI-driven, individualized training that prepares users for the complete spectrum of social engineering: phishing, vishing, and deepfakes. By using a dynamic Risk Score to deliver just-in-time coaching, organizations can ensure employees recognize the hallmarks of high-pressure social engineering tactics before they engage with the lure.

Indicators of Compromise (IOCs)

The threat landscape evolves rapidly. For the most current list of domains, hashes, and behavioral signatures related to this campaign, please refer to the latest intelligence update from KnowBe4 Threat Labs.

View the full IOC list on X: https://x.com/Kb4Threatlabs

For real-time updates and ongoing threat intelligence, follow the KnowBe4 Threat Lab analysts on X: @Kb4Threatlabs