Back-to-School Spam: Proxy Spam via College Qualtrics Accounts

The latest trend of “proxy spam” in my spam folder is Qualtrics surveys from college and university accounts. While surveys like this can be annoying sometimes, that’s not what’s happening here.

What Is “Proxy Spam”?

“Proxy spam” is the term I use for e-mail spam that is sent not from a spammer directly, but rather from a third-party service that has been exploited. One service I remember seeing in my spam folder a few years back was Google Forms: Spammers exploited the “response receipt” feature to send “confirmation” e-mails that were really just spam. Specifically, a spammer would create a form that contained whatever they wanted to send, and then put a target’s e-mail address as the supposed submitter of the form. The target would then receive the confirmation e-mail with the spammer’s message.

This type of spam can be more effective because it supposedly comes from a legitimate sender, Google in this case. As a result, it has a higher chance of bypassing spam filters and convincing people to act on it (fill out a phishing form or invest in a cryptocurrency scam, for example). It also obscures the true origin of the message, which makes the spammer harder to track down.

Proxy Spam via Qualtrics

Let’s get back to the more recent trend. You may have heard of Qualtrics from customer satisfaction surveys or things like that. Similar to Google Forms, Qualtrics hosts the survey and collects the data for the business or organization that created the survey. Lots of schools (including my alma mater) use Qualtrics for different kinds of surveys and forms, and I suspect these accounts have been compromised to send spam.

Here’s an example of this sort of spam e-mail that I received:

Spam e-mail

From: ClientAssist < Meta_Mask > <noreply@qemailserver.com>
To: [redacted]
Reply to: ClientAssist < Meta_Mask > <orientation1@ncf.edu>
Subject: Help Desk : New Notification

Your Wallet Is About to Be Suspended

Apply for KYC Verification

We are writing to inform you that in order to continue using our wallet service, it is important to obtain KYC (Know Your Customer) verification. KYC verification helps us to ensure that we are providing our services to legitimate customers. By completing KYC verification, you will be able to securely store, withdraw, and transfer funds without any interruptions. We urge you to complete KYC verification as soon as possible to avoid suspension of your wallet.

Start Now [link]

At the bottom of the e-mail (after a large amount of blank space) is a link to a survey:

Link to survey at bottom of e-mail

Follow this link to the Survey:

Or copy and paste the URL below into your internet browser:
https://ncf.iad1.qualtrics.com/jfe/form/[redacted]

When I follow the link, I get to a Qualtrics survey for a college orientation:

Introduction to survey

On behalf of the Orientation Team at New College of Florida, thank you for attending Orientation. We hope that you had a positive experience and you are prepared to kick off the semester. Please take the time to fill out this short survey. If you [...]

I believe this was originally a legitimate survey that the college created for its students. The From address is a standard address used by Qualtrics, and the survey link seems reasonable. Most likely, a spammer gained access to an account at the college and modified the invitation e-mail. Qualtrics gives senders a lot of flexibility to customize invitations, so adding completely unrelated content is trivial.

What to Do?

Reporting these e-mails has been a challenge. With Google Forms, there’s a handy “Report Abuse” link at the bottom of every e-mail, but that isn’t the case here. I did try to alert one of the colleges on Twitter but I don’t know if that did much good. I’d rather have Qualtrics take measures to detect and block spammers, or at least provide an easy way to report spam e-mails.

I’ve kept full copies (including headers) of the e-mails I’ve received, so I’d encourage anyone to contact me if they’d like to analyze them.

Reply to this post via: E-mail, Twitter
Philip Chung
Philip Chung
Software Developer