
Survey reaches for your pocket with empty giveaway promises

The good news is that you won’t be sent items that you never requested. The bad news? You still pay for them.

A survey scam recently analyzed by Bitdefender follows a path so well-worn and common that it rarely gets a mention in the news. But we find ourselves compelled to cover these types of scams on occasion to remind users that, like landmines left over from an old war, even old scams claim new victims.

In this scam, an online survey asks users three questions about their video watching habits on YouTube in return for an allegedly big chance of winning a Macbook Air®, iPhone 4S®, or an iPad 2®.

The survey window pops out of a torrent page to inform the user he has been selected to answer a few questions about his online video watching routine. The user may be lured with gifts, online games, or tempting services. They’re all advertised as free, yet they never are.

The survey window looks like this:

 “Congratulations! You’ve been selected from the Iasi region to take part in our annual visitor survey. This will only take 30 seconds of your time and will enhance user experience. Upon completion you will have the opportunity to get a Macbook Air®, iPhone 4S®, or a iPad 2®. Start Now!”

The user is given a link that takes him to a dedicated survey page where he is shown the three questions.

The answers probe the user for personal data such as name, address, telephone number, and phone provider. This sensitive information will most likely be used to overcharge the user with services he never asked for and will never receive.

The crook behind this scam uses IP-to-location lookup to personalize the greeting. If, say, you’re in San Francisco, your message will read: “You’ve been selected from the San Francisco region.”

The Privacy, Terms and About Us sections are just as lengthy and tedious as their legitimate counterparts. The scammer spends a lot of time filling in that data to gain credibility and, with the reams of fine print, discourage the victim from reading it all.

This scam would not trick a trained eye, but unfortunately a lot of innocent users out there could believe they are having a lucky day and fill in their private data, only to have their number signed up to overcharged services (ringtones, horoscopes and so on), or to have their private data stored in a database for later, when the phishing mood kicks in.

This article is based on the technical information provided courtesy of Doina Cosovan, Bitdefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author

Loredana BOTEZATU

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.

3 Comments

  • Hello, good article… But I have one question…. I can imagine that the popups are the most automated way of them getting this type of data but an email address, phone number, full name and home address is easy to find online from millions of people…. So…… what is the difference of getting the info from a pop up and page form than grabbing it from around the net? Are you responsible for not reading the policy terms and conditions and that makes it be your responsibility so then they are free from the charges that may occur?

    • Hello,

      Yes, someone can collect names, addresses and phone numbers from all over the Internet, but crooks use attacks such as the one described above to target a certain category of people – those who use torrents, for instance. Then, by having the user fill in data about himself, the attacker makes sure he collects real and updated information on the victims. Plus the work is more or less automated.

      As for the policy terms and conditions, it is very important for the user to read them first.