Online Survey Scams – New Machine Learning Experiment Uncovers that Over 90% of Surveys Are Not Legitimate
Online surveys can be a powerful marketing tool for organizations in the digital age. Surveys provide valuable insights into user behavior and attitudes, and in the process are expected to generate nearly $7 billion by 2022 for online survey platforms in the US.
Some also reward users with cash, gift cards, or product giveaways for filling out surveys. But, it’s not like these surveys offer a lot of money. As revealed by Survey Police, most legitimate market research firms don’t reward more than five dollars per completed survey. They also never suggest that someone could make a living by filling out online surveys.
But not everyone knows that. Some think it’s possible to turn filling out online surveys into a full-time career. Scammers, in turn, capitalize on this confusion to victimize unsuspecting users.
In this post, I’ll discuss what online survey scams entail and pinpoint some of the telltale signs that give away these ruses. I’ll then explain a recent experiment designed to better understand these ploys, including where they’re developed and what they’re actually designed to achieve.
Online Survey Scams and their Telltale Signs
An online survey scam is a type of social engineering attack where fraudsters trick users into filling out forms that steal their information or install malware onto their computers, all with the promise of making large amounts of money from home.
According to The Penny Hoarder, there are certain warning signs that indicate when an online survey is likely a scam.
- They ask for money upfront. Many online survey scams ask users to pay a membership fee to a fictitious club or organization that claims it will send them information about upcoming paid surveys. Others ask users to buy a training kit that’s actually filled with URLs that someone can easily find using Google. Both of these scenarios highlight an important reality: if users need to pay money upfront before they’ve done any work, the opportunity in question is probably a scam.
- They offer too much money or use questionable payment practices. There are plenty of websites out there that claim a user can make $25+ per survey and complete as many as 10 surveys a day. But that’s just not true. Scambusters looked into legitimate online surveys and didn’t find a platform by which someone could make even $10 an hour. Online surveys are useful only for someone looking to make a little supplemental income. Those that offer anything more are too good to be true.
- They want to pre-qualify you with hundreds of questions. Some online survey scams require that users complete a pre-qualifying questionnaire under the guise of determining whether they fall into a targeted demographic. Oftentimes, these questionnaires consist of hundreds of questions, including some which ask for an applicant’s personal information. Upon completion of the questionnaire, users learn they have not been selected to take the survey when, in actuality, they’ve just taken it. Fraudsters then use the personal information submitted by the users to place them on a spam email list maintained by the fraudulent company or other suspicious marketing firms. They might also use the collected data to commit identity theft.
These indicators have made their way into a number of real-world examples with creative lures. In the beginning of 2016, Snopes reported on one such online survey scam advertising free lifetime passes for well-known fast-food chains like KFC and McDonald’s. Another said that a marketing firm had chosen users based on their IP address to answer some questions about their Internet service provider (ISP) and afterward earn “exclusive offers worth at least $70.” And who can forget the Facebook “Dislike” button scam that promised to give users access to a Dislike button after they filled out a survey? (Not surprisingly, online survey scams abound on social media platforms like Facebook.)
Analyzing Online Surveys with Machine Learning
Clearly, attackers have an interest in deploying online survey scams. But details about these schemes, including where they come from and the rate at which they expose users to certain types of digital threats, have remained elusive. That is, until Northeastern University decided to take action.
My former Ph.D. student at Northeastern University, Amin Kharraz, decided to study online survey scams. He built a tool called “Surveylance” that uses machine learning to identify malicious surveys. Trained on many online surveys, Surveylance’s implementation consists of three modules.
- The Crawling module automatically visits a website using a modified browser.
- At that point, its Classification module determines whether a survey hosted on that site is malicious based on the indicative images, user input fields, third-party scripts, and other features on which it was trained.
- It then uses its Survey Filler module to try to automatically fill out the survey so that it can understand how that particular questionnaire interacts with a user.
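To make the Classification module's inputs concrete, here is an added example (not Surveylance's code, and not its feature set or model) that extracts the kinds of features named above from a page: images, user input fields and third-party scripts. The `SENSITIVE_HINTS` list, the function names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: name/type substrings that suggest a field collects personal data.
SENSITIVE_HINTS = ("email", "phone", "card", "ssn", "password", "address")

class SurveyFeatureParser(HTMLParser):
    """Counts images, user input fields and third-party script hosts on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname or ""
        self.features = {"images": 0, "input_fields": 0, "sensitive_fields": 0}
        self.script_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            self.features["images"] += 1
        elif tag in ("input", "select", "textarea"):
            if a.get("type", "").lower() in ("hidden", "submit", "button"):
                return  # not something the user fills in
            self.features["input_fields"] += 1
            label = (a.get("name", "") + " " + a.get("type", "")).lower()
            if any(hint in label for hint in SENSITIVE_HINTS):
                self.features["sensitive_fields"] += 1
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative URLs
            first_party = host == self.page_host or (host or "").endswith("." + self.page_host)
            if host and not first_party:
                self.script_hosts.add(host)

def extract_features(html, page_url):
    """Return the feature dict a downstream classifier would be trained on."""
    parser = SurveyFeatureParser(page_url)
    parser.feed(html)
    return dict(parser.features, third_party_script_hosts=sorted(parser.script_hosts))

# Constructed sample page (not taken from any real survey site).
SAMPLE_URL = "https://survey.example.com/start"
SAMPLE_HTML = """
<img src="/img/giftcard.png"><img src="https://ads.example.net/banner.gif">
<form action="/next"><input type="text" name="full_name">
<input type="email" name="email"><input type="text" name="card_number">
<input type="hidden" name="sid" value="1"><select name="age_range"></select>
<input type="submit" value="Continue"></form>
<script src="/js/app.js"></script><script src="https://tracker.example.net/t.js"></script>
<script src="//cdn.example.org/lib.js"></script><script src="https://static.survey.example.com/s.js"></script>
"""

if __name__ == "__main__":
    print(extract_features(SAMPLE_HTML, SAMPLE_URL))
```
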
Amin conducted two experiments using Surveylance. He first used the tool to examine a labeled dataset of good and bad sites in order to train the machine learning software and ensure that its processes actually work. We then set Surveylance loose on Google with certain keywords that are known to bring back malicious surveys.
In total, the tool automatically filled out 130,000 surveys and identified the malicious ones with 95 percent accuracy. Its false positive rate, by comparison, was just over one percent.
What We Learned
The exercise yielded some important insights into the online survey scam landscape. Generally, survey scammers tend to distribute malicious binaries and PUPs, and to redirect users to other survey pages and adult content, in order to monetize their operations in addition to stealing a user’s sensitive information. More specifically:
- Nearly seven in 10 of the survey publishers resolved to just eleven /24 network addresses. This finding indicates that bad guys are limited in number, with multiple survey scam campaigns relying on the same infrastructure for their operations.
- The bulk of detected online survey scams originated from Russia, Eastern Europe Central, and South America.
- Potentially unwanted programs (PUPs), such as spyware or adware, were the most common type of threat to which online survey scams exposed users (42.2 percent of questionnaires).
- Other results of online survey scams were the payment for and download of adult content (25 percent), malware and malicious documents (7.8 percent), surveys to collect additional personal information (7.6 percent), and other scams (12.4 percent).
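The /24 finding in the first bullet can be reproduced on any list of resolved publisher addresses by grouping them into /24 networks and measuring how much of the total the largest networks cover. The following is an added example, not the study's code; the function names, hostnames and addresses are constructed, using documentation and private ranges.

```python
import ipaddress
from collections import Counter

def slash24(ip):
    """Return the /24 network that contains an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def infrastructure_concentration(publisher_ips, top_n):
    """publisher_ips maps publisher hostname -> resolved address string.

    Returns (top_n busiest /24 networks with counts, share of publishers in them).
    Entries that are not valid IPv4 addresses are skipped.
    """
    counts = Counter()
    for host, ip in publisher_ips.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # resolution failure or malformed record
        if addr.version == 4:
            counts[slash24(ip)] += 1
    total = sum(counts.values())
    top = counts.most_common(top_n)
    share = sum(n for _, n in top) / total if total else 0.0
    return top, share

# Constructed sample: ten resolvable publishers plus one bad record.
SAMPLE_PUBLISHERS = {
    "pub-a.example": "192.0.2.10", "pub-b.example": "192.0.2.44",
    "pub-c.example": "192.0.2.45", "pub-d.example": "192.0.2.200",
    "pub-e.example": "198.51.100.7", "pub-f.example": "198.51.100.8",
    "pub-g.example": "198.51.100.99", "pub-h.example": "203.0.113.5",
    "pub-i.example": "10.1.2.3", "pub-j.example": "10.9.8.7",
    "pub-k.example": "not-an-ip",
}

if __name__ == "__main__":
    top, share = infrastructure_concentration(SAMPLE_PUBLISHERS, top_n=2)
    for net, n in top:
        print(net, n)
    print(f"{share:.0%} of publishers sit in the top {len(top)} /24 networks")
```

A high share concentrated in a handful of networks is the signal the bullet describes: many campaigns sharing the same hosting, which also makes network-level blocking or monitoring of those ranges worthwhile.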
Surveylance’s maiden experiment helped confirm that digital attackers are constantly finding new ways to trick users using social engineering techniques. Even more importantly, the effort revealed that machine learning can effectively detect online survey scams. Looking ahead, this revelation bodes well for organizations interested in using machine learning to protect users against these and other types of online ploys.
Posted by Engin Kirda - November 27, 2018