Phishers Celebrate Christmas with Fake Lottery Prizes and Gifts

Co-author: Avdhoot Patil

Special occasions like Christmas have been a common ground for phishers to introduce new baits in their phishing sites. Last Christmas was no different and this time they used fake lottery prizes and gifts as baits. The phishing sites were hosted on free webhosting sites.

In the first example, a phishing site spoofing a gaming brand stated they wil reward the user with a Christmas gift. The phishing site exclaimed it hoped users like the gift and wished to encourage them to playing the game. To receive the fake gift, the user is asked to enter their login credentials and also complete a simple form.

The questions asked in the form are the following:

  • Will you be playing this Christmas?
  • If you could help, which way would you help us?
  • What is your age?
  • Please select your gift.

The choice of gifts included credit points, VIP status, club membership, and a selection of badges.

After the credentials are entered and the form completed, the following page acknowledges the submission of user information. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen the information for identity theft purposes.

Phishing campaigns were prevalent in the banking sector as well. A phishing site impersonating a highly reputed bank was observed. The fake site claimed a lottery prize was available for their customers. The type of lottery offered was a Christmas raffle draw and the bogus prize money was in the amount of 2.5 million dollars. Customers were asked to enter their full name, email address and password to be eligible receive the prize money. A note was also provided (shown below) which prompted customers to look for a confirmation email after submitting information. After the user's credentials are entered, the phishing page redirects to the legitimate bank’s website, creating the illusion that a valid verification took place.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.