Deceitful Charity Lottery

Co-Author: Avdhoot Patil

Lottery scams are not new to the world of phishing, so phishers are always seeking new fake lottery strategies. Phishers gained interest in schemes that involved donating to charity using lottery prizes. They utilized the idea in a phishing site which claimed that a popular bank was organizing a lottery for its customers and that a portion of the prize money would be donated to charity. Phishers believed that customers would be duped by the twin advantages: winning prizes and donating to charity. The phishing site was hosted on servers based in Iowa Park, USA.

A link to login was provided on the phishing site urging customers to enter their credentials. The link lead the customers to a phishing page that prompted the customer for their name, ticket number, and email address:
 

Figure 1. Phishing site asking for full name, ticket number and email address
 

After the required information was entered, the phishing site displayed the customer’s lottery ticket details, namely, the ticket number and the winning reference number. The lottery account balance was highlighted as EIGHT HUNDRED THOUSAND POUNDS. A button, labeled transfer, was provided at the bottom of the page to transfer the lottery prize to the customer’s bank account:
 

Figure 2. Phishing site prompting for lottery ticket details
 

After the transfer button was clicked, the phishing site asked for details of the customer’s bank account to which the prize money was to be transferred. The details included the customer’s account name, account number, bank name, and country. Finally, customers were asked to choose the charity organization they wished to donate to. If customers fell victim to the phishing site, phishers would have successfully stolen their confidential information for financial gain.
 

Figure 3. Phishing site asking for bank account details
 

Figure 4. Phishing site asking the customer to choose a charity organization
 

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.