Security Response

Phishers Offer Lottery Prizes

Created: 18 Mar 2011 20:13:20 GMT • Updated: 23 Jan 2014 18:22:01 GMT
Mathew Maniyara

Recently, phishers have used several types of bait on phishing sites where they impersonated universities, asked for fake donations, targeted celebrities, etc. Now, they are trying their luck on end users who play the lottery with a brand based in the UK. The bait used in the phishing site was a lottery prize of 1356 pounds. The phishing site prompted users to enter their confidential information to have the lottery prize credited to their debit card account.

A lottery is a game in which there may be only one winner among the participants. But what are the odds of a phisher harvesting the confidential information of lottery winners?

The bigger the lottery prize, the fewer the winners. Hence, the phishers' aim was to target a large number of users, because they perceived that by duping more users they would increase their chances of phishing confidential information. Financial gain is a common motive for phishers, but this time they were seeking a larger sum from the bank accounts of lottery winners.

The lottery company concerned had advised that its website is safe and secure and that it never requests personal details, discloses any prize amounts, or asks for up-front fees. Users are advised to be on their guard against Internet fraudsters.

To receive the lottery prize, users were required to complete a three-step process. The first step was to provide personal details as identity verification. The personal details included postal address, mother’s maiden name, date of birth, and telephone number. The second step required debit card details: card type, card number, card expiration date, CVN/CVV, and card secure password. The third step was for confirmation, where users were asked for a secure code associated with the brand. After the required information was entered, the phishing site acknowledged that the payment records had been saved. Users were asked to check their debit card balance and, if the amount hadn’t been processed, they were advised to wait for 24 hours. The phishing site used an IP domain, that is, an IP address in place of a domain name (for example, domains like hxxp://255.255.255.255), hosted on servers based in Tokyo, Japan.
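A link check for the IP-address host described above, as an added example (not code from the original post): it refangs a URL and returns the address when the host is an IP literal rather than a name. It goes beyond the post's dotted-decimal sample to cover the hex, octal and single-integer spellings that browsers also resolve; all function names are assumptions made for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def refang(url: str) -> str:
    """Undo common defanging (hxxp://, [.]) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def _parse_part(part: str) -> int:
    """Parse one dotted component: 0x = hex, leading 0 = octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(part)

def host_as_ip(host: str):
    """Return the IP address a host string denotes, or None if it is a name."""
    try:
        return ipaddress.ip_address(host)      # canonical IPv4 or IPv6
    except ValueError:
        pass
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None                            # a non-numeric label: a real name
    # Leading parts are one byte each; the last part fills the remaining bytes.
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def ip_literal_link(url: str):
    """Return the IP a link points at directly, or None for a named host."""
    host = urlsplit(refang(url)).hostname      # brackets/port already stripped
    return host_as_ip(host) if host else None
```

A non-None result is a reason to treat a link claiming to come from a brand as suspect, since brand sites are normally reached by name.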

Internet users are advised to follow best practices to avoid phishing attacks:

•    Do not click on suspicious links in email messages.

•    Avoid providing any personal information when answering an email.

•    Never enter personal information in a pop-up screen.

•    Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

Thank you to the co-author of the blog, Avdhoot Patil.