Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Threat Actors Steal $80 million per Month with Fake Giveaways, Surveys

Threat Actors Steal $80 million per Month with Fake Giveaways, Surveys

Scammers are estimated to have made $80 million per month by impersonating popular brands asking people to participate in fake surveys or giveaways.

Researchers warn of this new trend in global fraud schemes involving targeted links to make investigation and take-down increasingly challenging.

According to current estimates, these massive campaigns resulted in an estimated $80,000,000 per month, stolen from 10 million people in 91 countries.

The scam themes are the typical and “trustworthy” fake surveys and giveaways from popular brands with the holiday season making targets more susceptible to fraudulent gift offerings.

Also Read: New Licensing Requirements For Cyber-Security Service Providers in 2022

A global operation

According to a report by Group-IB, there are currently 60 known scam networks that use targeted links in their campaigns, impersonating 121 brands in false giveaways.

Each network uses an average of 70 different Internet domain names as part of their campaigns, but some find great success with fewer domains, which indicates that quality beats quantity when it comes to scams.

“For each specific website that hosts fraudulent content, Group-IB researchers were able to analyze where the visitors came from.” 

“The main sources of traffic for targeted links operators are India (42.2%), Thailand (7%), and Indonesia (4.4%), among others.”

Scam campaign stats
Scam campaign stats
Source: Group-IB

However, Group-IB told BleepingComputer that more domains do not always equate to more traffic for a campaign.

“The largest detected network in terms of the number of domain names included 232 domain names, according to the findings of Group-IB’s DRP team. It is possible that not all of the websites remain active. Such a large number of domains is created to make it possible to redirect the traffic to a related resource as soon as possible if an active one is blocked. This way, the fraudsters ensure continuous operation of their scamming scheme.

However, very often, a large number of domain names on the network does not mean that this network is the most visited. Group-IB, for instance, has recorded a network of resources containing 51 domain names with targeted links but was one of the largest networks in terms of the traffic attracted.

Judging from the number of visitors, almost 10 million people can fall victim to the scamming scheme per month on the above mentioned network alone, while the traffic attracted to the largest network in terms of the number of domain names was about 2-fold less.” – Group-IB.

Info-grabbing redirections

The scammers target their victims via contextual advertising, advertising on legal and completely rogue sites, social media posts, forum posts, SMS, mailouts, and pop-up notifications.

Also Read: A Closer Look: The Personal Information Protection Law in China

The goal is to direct them all to scam sites that are clones of the official sites of the impersonated brands.

While Group-IB did not share a list of brands targeted by these campaigns, BleepingComputer has seen fake surveys and giveaways impersonating Google, Target, Amazon, Microsoft, Apple, and Samsung in the past.

Clicking on the first URL triggers a lengthy string of redirects, during which the actors gather information about the prospective victim, like their language, IP, browser, location, etc.

This process is essential for delivering a page that matches each victim’s demographic and potential interests.

Targeted links redirection scheme
Targeted links redirection scheme
Source: Group-IB

Simultaneously, this process severely hampers the investigation and take-down of these fraudulent sites, especially when the scam networks are so large and use many sites.

In most cases, the victim will be presented with a prize-winning opportunity that is only a step away from being delivered on their location.

Scam message offering a smartphone for free
Scam message offering a smartphone for free
Source: Group-IB

At this final step, the actors request full personal details, bank card data (including expiration date and CVV) and sometimes even ask victims to perform a small “test payment” to allegedly verify themselves.

These details are then used for fraudulent online purchases, the registration of fake accounts, and the assumption of counterfeit identities. In most cases, they are sold to multiple actors on the dark web.

How to tell a scam

Big brands offer Christmas gifts these days, and they also run giveaways or surveys with prizes, which is precisely what the scammers aim to exploit.

To ensure the legitimacy of a giveaway, check the email account and confirm that the website address is an official domain of the brand.

If a brand runs a campaign, it should be easy to find a relevant post on their official social media channels, and even there, make sure you’re checking the verified accounts.

Finally, check the domain on the giveaway page you’ve landed and confirm it belongs to the claimed brand.

Under no circumstances would any prize winner have to share their banking details or any other personal data besides their name and postal address.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us