FAKE CONSUMER SURVEYS
[Published 12/27/21] A very common type of clickbait used by cybercriminals is a “rewards survey.” We’ve seen many dozens of these bogus surveys over the years. Here’s one particular story told to us by a Canadian citizen related to this scam…
One of our readers from Canada told us last week that she had taken a flight on the Canadian airline WestJet on December 7. The next day, however, she noticed an extra charge from WestJet on her credit card. She said, “Last night I complained to my credit card company about WestJet billing me twice for an inflight purchase. They said they would launch a dispute.”
On December 9, this woman received the craziest email she’s ever received. The subject line was “ExpiringSoon : Your WestJet SurveyOfferRewardWorth UpTo$90 “QFRS.” The email came from “FreshCustomerSurvey” through the domain uncanonization[.]com. We know canonization as the official declaration of sainthood for a deceased person of the Christian faith, such as Mother Teresa. So we have to assume that “uncanonization” means to remove that sainthood!
The woman who received this email immediately recognized it as a fraud and pointed out 3 things to us worth noting. First, she asked, “what’s all the noise about a university student?” The top of the email contained two paragraphs of text that were lifted from university communications found online. One paragraph came from the University of Chicago and the other from the Drexel School of Education, plus about 30 oddball codes that littered the paragraphs. The text then ended with a couple of sentences about activating an account with “MusicDiffusion®.” After this bizarre text came the “Online Shopper Survey About : Airline Purchases.” Again, all links pointed to the website to remove your sainthood!
What disturbed the woman the most was the unusual coincidence that she had called her Mastercard company to dispute the WestJet double charge less than a day earlier and then she received this fraudulent WestJet Airline survey! We both agreed that she was staring down a very bizarre rabbit hole but she’s not Alice and it wasn’t Wonderland! Look carefully at this bizarre email and then we’ll unpack the details and share with you how deep this rabbit hole goes after we jumped into it.
WHY IS THIS EMAIL FRAUD AND UNSAFE TO CLICK?
- Did you notice that the subject line was missing spaces between many words? That’s a trick used by cybercriminals to avoid the watchful eyes of anti-spam servers. The oddball text from the two universities and “MusicDiffusion” was supposed to be white against a white background. The woman would have simply “seen” this as empty space. This text is also inserted to try to fool anti-spam servers into seeing this as a legitimate email. (NOTE: When we searched for “MusicDiffusion” in Google, the first link returned was an Ad about “Playlist Promo Scams to Avoid.” Interesting.)
- The email came from the domain uncanonization[.]com. This unsaintly domain was registered by someone named “DaKota Green” from 5660 Strand Court, Naples, Florida on September 3, 2021. This is only about 3 months earlier. Furthermore, we looked up 5660 Strand Court and discovered that it is an address for Windsor Professional Center, a service that sells “virtual office space.” The age of this domain and use of a “virtual office” screams fraud! (Also, who spells her name like “DaKota” with a capital K anyway?) According to DomainBigData.com, someone named Dakota Green registered 127 different domains between April, 2017 and January, 2021. Most of them were registered in 2019. All but 9 were registered through NameCheap, a registrar OFTEN used by criminals to register malicious domains. (E.g., read “Weaponizing Domain Names” and “Bad .Men at .Work. Please don’t .Click.” to understand more about the misuse of Namecheap by criminals.) We checked on another one of DaKota’s more recent domains, called unmyopic[.]com and registered on January 20, 2021. We learned that it is hosted on a server in Timisoara, Romania! Nearly ALL of DaKota’s 129 domain names are oddball words, diseases or are misspelled words, such as superrfast[.]net, slumberously[.]com or iliocolitis[.]net. DaKota doesn’t seem like a real person to us and has VERY low credibility about the many domains “she” registers!
- We took a screenshot of the destination linked to the woman’s WestJet email and this is where the rabbit hole became a chasm of fraud!
We can say with confidence that this “shopper survey” is a complete fraud. Over many years, we’ve seen this exact survey, or nearly exact survey, dozens of times! They are meant to collect personal information of participants and sometimes to target people with malware. They ALL have a timer telling visitors that they have only minutes before this offer expires. However, if you let the timer tick down to zero, it just restarts! These surveys also provide 4 to 8 “verified” reviews by people who presumably took the survey and were pleased by the gift they received, or how much fun the survey was. (A fun survey!? Now THAT’S fraud!) All of these “verified” people are completely fake and use stolen images. Here’s simple proof of this fact. We Googled two of the exact quotes used in the above survey, one by “Beverly Edwards” and the other by “AnaMaria Juhart.” We discovered those exact quotes on several other survey websites but by people using other names and photos! Below is one example using the quote that begins with “I was really bored so I decided to take the survey.” It was found on 3 other bogus surveys, including a website called myexclusivesurveys[.]com. This exclusive survey site was registered about a week before Halloween in St. Kitts and Nevis Islands. We found this exact same quote in a survey dating back to January 30, 2019!
When we searched for the exact quote “All of the products looked brilliant! What is a girl to do?” we were led to the exact same bogus survey sites that turned up in our first search. This is also true if we searched for another quote found on uncanonization[.]com saying “Just got a cheap Dashcam! So so good!” And yet, each survey site attributes these quotes to different people with different photos!
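The two filter-evasion tricks from the first bullet above, a run-together subject line and white-on-white filler text, can be checked mechanically. The Python below is an added example, not part of the original article; it takes an already-decoded subject and HTML body, and the function names, thresholds and sample body are assumptions.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "input", "link"}
# Inline styles that hide text, assuming the default white page background.
HIDDEN_STYLE = re.compile(
    r"(?:^|;)color:(?:#fff|#ffffff|white|rgb\(255,255,255\))(?:;|$)"
    r"|display:none|font-size:0(?:px|pt|em)?(?:;|$)")

def run_together_words(subject):
    """Tokens with a lower-to-upper (or lower-to-'$') join, e.g. 'UpTo$90'."""
    return [t for t in subject.split() if re.search(r"[a-z][A-Z$]", t)]

class HiddenTextMeter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.count = [], {"hidden": 0, "visible": 0}
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = (dict(attrs).get("style") or "").lower().replace(" ", "")
        # Children inherit the hidden state; a child resetting its colour is not modelled.
        inherited = bool(self.stack) and self.stack[-1]
        self.stack.append(inherited or bool(HIDDEN_STYLE.search(style)))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        key = "hidden" if self.stack and self.stack[-1] else "visible"
        self.count[key] += len(data.strip())

def analyze(subject, html):
    meter = HiddenTextMeter()
    meter.feed(html)
    meter.close()
    hidden, total = meter.count["hidden"], sum(meter.count.values())
    ratio = round(hidden / total, 2) if total else 0.0
    joined = run_together_words(subject)
    # One camel-case brand name (WestJet) is normal; two or more joins is not.
    return {"joined": joined, "hidden_ratio": ratio,
            "suspicious": len(joined) >= 2 or ratio > 0.5}

# Constructed sample: the subject is quoted from the article, the body is made up.
SUBJECT = "ExpiringSoon : Your WestJet SurveyOfferRewardWorth UpTo$90"
HTML = """<html><body><div style="color: #FFFFFF"><p>Students should confirm housing
and review the orientation schedule before term begins. x7Qk 9ZrT</p></div>
<h2>Online Shopper Survey About : Airline Purchases</h2></body></html>"""
```

Both signals are heuristics: a high hidden-text ratio or several joined tokens is a reason to quarantine and inspect a message, not proof on its own.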
WALGREENS LUCKY CLIENT SURVEY (November 16, 2021)
On November 16, 2021, one of our readers received an email to take a Walgreens survey and possibly claim a reward. But that email came from the oddball domain maveen[.]net, which had been registered in Iceland on March 23, 2021. The link in this bogus email pointed to the domain sendibt3[.]com, which redirects visitors to multiple different websites, including volcanosnose[.]com (registered on November 1, 2021) and pagesperso-organge[.]fr (registered in France and hosted on a server in Paris, France.) [It is important to note that sendibt3[.]com looks very similar to a legitimate marketing service that uses sendit.com. Furthermore, Hybrid-Analysis.com has identified previous links using sendibt3[.]com as malicious, and The Daily Scam has reported such malicious links as well, such as in “The Week in Review” section of our September 15, 2021 newsletter.]
On November 20, we followed this clickbait to its destination server and found the following “Wellness rewards survey” about “your Pharmacy experience.” Similar to the CVS Pharmacy survey above, there are several things to note that are fake:
- The bottom of the survey shows a timer which begins at 7 minutes and shows that your offer expires after that time. If you wait until the timer gets to zero, it will simply restart. This is meant to rush you into making a poor decision without evaluating the possible consequences!
- The page shows information from 8 “verified” people who have supposedly taken this survey in the last 3 hours to 3 days and offer quotes on their experiences. They are all fake! See details below.
Grace Cox was quoted as saying “I had no use for the weight-loss product, and decided to give it to my friend.” We used Google to search for this quote from Grace Cox in the above Walgreens Wellness survey, and discovered this exact same quote on two more bogus survey websites: claimspotitems[.]com and pick-up-saving[.]co. The former was registered in the Netherlands on October 15, 2020 and the latter was registered on June 8, 2021, both anonymously. When we took a screenshot of the survey found on pick-up-saving[.]co we discovered that Grace’s quote was now attributed to someone using the name Marisa Flowers for a survey related to T-Mobile last October!
On December 27, 2021, we used Hybrid-Analysis.com to evaluate the link that Google found to the survey posted on pick-up-saving[.]co. One of its primary evaluation tools (urlscan.io) found signs of MALICIOUS ACTIVITY on this website. Using Google, we searched for another quote found on the survey at pick-up-saving[.]co and discovered this identical quote on at least 8 malicious survey sites across the Internet! They included the domains:
These cybercriminals have been using this same content for many years! Don’t believe any of it and don’t take these bogus surveys! We can promise you that it won’t end well for you. In 2015, a blogger named Lenny Zeltser published a very interesting analysis of these kinds of bogus surveys and concluded, as we have, that they are malicious. Check out his article as well called “The Manipulative Nature and Mechanics of Visitor Survey Scams.”
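The quote-pivoting check used above, where the same testimonial turns up under different names on different sites, can be run over collected testimonials. This is an added Python example, not from the original article; the 3-word shingle comparison, the 0.5 threshold and the `.example` site names are assumptions, and it goes slightly beyond exact matching so that lightly reworded copies also cluster.

```python
import re
from itertools import combinations

def shingles(quote, k=3):
    """Set of k-word windows, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", quote.lower())
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def reused_testimonials(records, threshold=0.5):
    """records: (site, reviewer, quote) tuples. Returns clusters of near-identical
    quotes that are credited to more than one reviewer name."""
    sets = [shingles(quote) for _, _, quote in records]
    parent = list(range(len(records)))

    def find(i):  # union-find root with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(records)), 2):
        # Jaccard similarity of the two shingle sets
        if len(sets[i] & sets[j]) / len(sets[i] | sets[j]) >= threshold:
            parent[find(i)] = find(j)
    clusters = {}
    for i, (site, reviewer, _) in enumerate(records):
        clusters.setdefault(find(i), []).append((site, reviewer))
    return [sorted(c) for c in clusters.values()
            if len({reviewer for _, reviewer in c}) > 1]

# Constructed records. Quote texts and the names Grace Cox / Marisa Flowers come
# from the article; sites, other reviewers and the reworded third copy are made up.
RECORDS = [
    ("site-a.example", "Grace Cox",
     "I had no use for the weight-loss product, and decided to give it to my friend."),
    ("site-b.example", "Marisa Flowers",
     "I had no use for the weight-loss product, and decided to give it to my friend."),
    ("site-c.example", "Reviewer 3",
     "I had no use for the weight-loss product, so I decided to give it to my friend."),
    ("site-d.example", "Reviewer 4",
     "I was really bored so I decided to take the survey."),
    ("site-e.example", "Reviewer 5",
     "I was really bored so I decided to take the survey."),
    ("site-f.example", "Reviewer 6",
     "Delivery took two weeks and the box arrived damaged."),
]
```

A cluster with one quote and several reviewer names across several sites is the same evidence the manual Google searches produced.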
If you are on a survey site and are told you only need to pay shipping and handling to get free merchandise, don’t believe it! This next screenshot was the conclusion of the survey from pick-up-saving[.]co.