The Manipulative Nature and Mechanics of Visitor Survey Scams

“You have been selected to take part in our anonymous survey,” proclaims the cheerful voice emanating from the Daily Visitor Survey web page. So starts a manipulative process designed to persuade victims to reveal credit card and contact details in exchange for dubious rewards. The numerous variations of such scammy sites employ the same persuasion tactics and may have been coded by the same company. Let’s take a look.

The Victim’s Experience

Survey scam websites utilize various techniques to lure potential victims. In one incident I examined, the scammers purchased services of a company that controlled various once-legitimate domains, paying the firm to redirect people attempting to follow outdated links. Once redirected, the visitor was subjected to the experience I captured in the following video.

When researching this incident, I visited the following malicious link from my lab: http:// customer.visitorsurvey.co /usa/prs2/index.php?t202id=227&c1=diaryofajewell.com&t202kw=tango-vee-UjbSMdBb. I recommend against going that site; however, you’re welcome to review the source code of its landing page on Pastebin. (Also note that the URL refers to diaryofajewell.com, which is another malicious site that was involved in the link redirection folow.)

Such survey sites ask visitors to answer several multiple choice questions. In this example, the person was presented with 5 questions, such as “In a typical week, how likely are you to use social networking websites?” After the questions have been answered, the site showed several “exclusive rewards” choices, comprised of products that were “in extremely high demand.” For instance, the following Advanced Anti-Aging Cream, worth supposedly $99.95, was offered for free. The lucky recipient would merely need to pay $4.95 in shipping fees.

Thank you for completing the survey

The visitor was reassured by several gleeful testimonials from satisfied customers, who made proclamations such as “I was bored so I did the survey, but I really liked the skin care cream, it worked really well.”

Were benevolent sponsors truly offering awesome deals to thank people for filling out the visitor survey? Of course not. The answers to the survey questions were irrelevant, but the act of taking the survey played a key role in the scam.

Social Engineering and Persuasion Tactics

Even the more gullible individuals tend to be cautious of free gifts offered out of the blue. To make the scenario just bit more believable, the people running site survey sites make the person do a bit of work. The primary reason for the survey to exist, I suspect, is to provide the scammer with some excuse to offer a reward.

Moreover, after spending a few minutes filling out the survey, the victim is more vested in the process and its outcome. As the result, he or she will be less likely to close the page after learning about the shipping fee. Since they’ve already gone this far, $4.95 is a minor obstacle between them and the promised reward.

Note that the site above showed that only one item of the reward was remaining. This is an example of the scarcity principle, which is linked to people’s tendency to place higher value on the items that are scarce. Scammers sometimes apply the scarcity principle to time, perhaps displaying a countdown to show the number of minutes when the offer will expire.

Another social engineering approach used in this scam incorporates the principle of social influence, whereby individuals are likely to conform to behavior of others in uncertain situations. The scammer accomplishes this by presenting encouraging testimonials throughout the user’s experience on the site, showing encouraging comments about how easy the survey was and what wonderful rewards they received.

The testimonials are fake. Their text is hard-coded into the code of the scammy site, and the dates are automatically generated with respect to the current date.

Fake Customer Testimonials

Kathlyn Roth and Lana Keefer, how could you let us down?

The site also includes an area where the visitor can express their own thoughts about the experience. This comment field is fake : its sole purpose is to aid in persuading the person that the testimonials were provided by real people.

Fake Comment Confirmation

For another variation of this scam, which used the same welcome.mp3 file to greet survey takers, take a look at this automated analysis at Malwr.com, conducted in January  2015. The sound file’s meta data indicates that it was created in 2012, but that could be a fake date. If you’d like to see other examples of social engineering techniques employed in a similar context, read my write-up about the Home Income Kit scam and my overview of the scarcity principle technique.

Tracing the Origin of the Site and Its Code

The domain hosting the site outlined above, visitorsurvey.co, was registered in October, 2014. Though the majority of the domains I’ve seen in such scams employ private registration, Whois records for this domain reveal contact details, though they might be fake:

Registrant Name: Mohamad Rasool Malekbala
Registrant Address1: 3-2 F
Registrant City: Kajang
Registrant State/Province: Selangor
Registrant Postal Code: 43000
Registrant Country: Malaysia
Registrant Country Code: MY
Registrant Phone Number: +60.60108939817
Registrant Email: m.r.malekbala@gmail.com

This email address is associated with 4 other domains according to DomainTools records. I haven’t had a chance to explore these sites, but I suggest not visiting them unless you set up a lab for performing such investigations:

cashppd.com
savemoretoday.net
savingdailybudget.com
top-prod.com

Did Mr. Malekbala write the code that implemented the survey website, assuming he is the one who placed the code there? Doubtfully.

There are probably several companies  that develop the code for visitor survey sites. I came across one such software development shop, based out of Russia. This group’s public Github account includes source code that implements much of the functionality described above, as you can see in their survey_normal repository, survey_christams repository and conveniently-named beautytesters.co.uk repository.

Github Repositories

The scammy site beautytesters.co.uk live as of this writing and presents the familiar visitor survey scenario, captured in the screenshot below. You can view the source code of its landing page on Pastebin if it disappears from the Github repository.

beauty-testers

The web is littered with variations of the visitor survey scam. Its objective, at best, is to charge fees that victims don’t expect and sell merchandise they don’t need. More likely, victims will be hit with unexpected charges and their personal information might be sold for other nefarious purposes. If you have additional details about such scams, please let me know.

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more