Prosecutors suspect man hacked lottery computers to score winning ticket

Prosecutors say they have evidence indicating the former head of computer security for a state lottery association tampered with lottery computers prior to him buying a ticket that won a $14.3 million jackpot, according to a media report.

Eddie Raymond Tipton, 51, may have inserted a thumbdrive into a highly locked-down computer that's supposed to generate the random numbers used to determine lottery winners, The Des Moines Register reported, citing court documents filed by prosecutors. At the time, Tipton was the information security director of the Multi-State Lottery Association, and he was later videotaped purchasing a Hot Lotto ticket that went on to fetch the winning $14.3 million payout.

In court documents filed last week, prosecutors said there is evidence to support the theory Tipton used his privileged position inside the lottery association to enter a locked room that housed the random number generating computers and infect them with software that allowed him to control the winning numbers. The room was enclosed in glass, could only be entered by two people at a time, and was monitored by a video camera. To prevent outside attacks, the computers aren't connected to the Internet. Prosecutors said Tipton entered the so-called draw room on November 20, 2010, ostensibly to change the time on the computers. The cameras on that date recorded only one second per minute rather than running continuously like normal.


Deceitful Charity Lottery

Co-Author: Avdhoot Patil

Lottery scams are not new to the world of phishing, so phishers are always seeking new fake lottery strategies. Phishers gained interest in schemes that involved donating to charity using lottery prizes. They utilized the idea in a phishing site which claimed that a popular bank was organizing a lottery for its customers and that a portion of the prize money would be donated to charity. Phishers believed that customers would be duped by the twin advantages: winning prizes and donating to charity. The phishing site was hosted on servers based in Iowa Park, USA.

A link to log in was provided on the phishing site urging customers to enter their credentials. The link led the customers to a phishing page that prompted the customer for their name, ticket number, and email address:
 

Figure 1. Phishing site asking for full name, ticket number and email address
 

After the required information was entered, the phishing site displayed the customer’s lottery ticket details, namely, the ticket number and the winning reference number. The lottery account balance was highlighted as EIGHT HUNDRED THOUSAND POUNDS. A button, labeled transfer, was provided at the bottom of the page to transfer the lottery prize to the customer’s bank account:
 

Figure 2. Phishing site prompting for lottery ticket details
 

After the transfer button was clicked, the phishing site asked for details of the customer’s bank account to which the prize money was to be transferred. The details included the customer’s account name, account number, bank name, and country. Finally, customers were asked to choose the charity organization they wished to donate to. If customers fell victim to the phishing site, phishers would have successfully stolen their confidential information for financial gain.
 

Figure 3. Phishing site asking for bank account details
 

Figure 4. Phishing site asking the customer to choose a charity organization
 

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.

Phishers Celebrate Christmas with Fake Lottery Prizes and Gifts

Co-author: Avdhoot Patil

Special occasions like Christmas have been a common ground for phishers to introduce new baits in their phishing sites. Last Christmas was no different and this time they used fake lottery prizes and gifts as baits. The phishing sites were hosted on free webhosting sites.

In the first example, a phishing site spoofing a gaming brand stated it would reward the user with a Christmas gift. The phishing site said it hoped users would like the gift and wished to encourage them to play the game. To receive the fake gift, the user is asked to enter their login credentials and also complete a simple form.

The questions asked in the form are the following:

  • Will you be playing this Christmas?
  • If you could help, which way would you help us?
  • What is your age?
  • Please select your gift.

The choice of gifts included credit points, VIP status, club membership, and a selection of badges.

After the credentials are entered and the form completed, the following page acknowledges the submission of user information. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen the information for identity theft purposes.

Phishing campaigns were prevalent in the banking sector as well. A phishing site impersonating a highly reputed bank was observed. The fake site claimed a lottery prize was available for the bank's customers. The type of lottery offered was a Christmas raffle draw and the bogus prize money was in the amount of 2.5 million dollars. Customers were asked to enter their full name, email address and password to be eligible to receive the prize money. A note was also provided (shown below) which prompted customers to look for a confirmation email after submitting information. After the user's credentials are entered, the phishing page redirects to the legitimate bank’s website, creating the illusion that a valid verification took place.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.