Surveylance: Automatically Detecting Online Survey Scams

Amin Kharraz, William Robertson, Engin Kirda
In Proceedings of the IEEE Symposium on Security and Privacy (Oakland)

malware

Online surveys are a popular mechanism for performing market research in exchange for monetary compensation. Unfortunately, fraudulent survey websites are similarly rising in popularity among cyber-criminals as a means for executing social engineering attacks. In addition to the sizable population of users that participate in online surveys as a secondary revenue stream, unsuspecting users who search the web for free content or access codes to commercial software can also be exposed to survey scams. This occurs through redirection to websites that ask the user to complete a survey in order to receive the promised content or a reward. In this paper, we present Surveylance, the first system that automatically identifies survey scams using machine learning techniques. Our evaluation demonstrates that Surveylance works well in practice by identifying 8,623 unique websites involved in online survey attacks. We show that Surveylance is suitable for assisting human analysts in survey scam detection at scale. Our work also provides the first systematic analysis of the survey scam ecosystem by investigating the capabilities of these services, mapping all the parties involved in the ecosystem, and quantifying the consequences to users that are exposed to these services. Our analysis reveals that a large number of survey scams are easily reachable through the Alexa top 30K websites, and expose users to a wide range of security issues including identity fraud, deceptive advertisements, potentially unwanted programs (PUPs), malicious extensions, and malware.