You’ve Won the Lottery! Hand Over Your Passwords

It’s lottery time, though I fear anybody taking part will be handing over things far more valuable than anything they might receive.

megamillionsclaims(dot)tk claims to be “Mega Millions”, dispensing cash to the lucky masses holding their winning lottery tickets, and it sounds awfully tempting at first glance.

The site, which is registered anonymously and displays photographs of lottery winners holding oversized novelty cheques, states that they’re the “Megamillions Lottery in collaboration with Facebook promotion”, sending text messages to “winners” and asking for personal information. The website also wants a sizeable amount of personal information as it happens – name, address, zip/post code, DOB, gender, phone number, occupation, income, Facebook Username / Password and the answer to 4 security questions. Oh, they also want your email / password combination too, pushing this firmly into the territory of “Run away”.

Here are two screenshots of the aforementioned personal information they’re asking for – even without things like address or occupation, you absolutely should not be sending logins for websites and / or email to anybody, ever:

[Screenshot: Asking for personal data]
[Screenshot: More personal data requested]

If alarm bells weren’t already going into overdrive, the site uses plain HTTP – no padlocks on display here, so all that personal information is being sent in the clear.
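
The warning signs described above (passwords for other services, security-question answers, and a form posted over plain HTTP) can be checked mechanically. The following is an added example, not code from the original post; the sample URL, markup and field names are constructed, and the name-matching heuristics are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample modelled on the fields the article lists (not the real page's markup).
SAMPLE_URL = "http://lottery-claims.example/claim"  # placeholder host
SAMPLE_HTML = """
<form action="submit.php" method="post">
  <input type="text" name="full_name">
  <input type="text" name="facebook_username">
  <input type="password" name="facebook_password">
  <input type="text" name="email">
  <input type="password" name="email_password">
  <input type="text" name="security_answer_1">
</form>
"""

class FormCollector(HTMLParser):
    """Records each form's action and the (type, name) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            kind = (a.get("type") or "text").lower()
            self.forms[-1]["inputs"].append((kind, (a.get("name") or "").lower()))

def audit(page_url, html):
    """Return the warning signs found in the page's forms."""
    collector = FormCollector()
    collector.feed(html)
    host = urlparse(page_url).hostname or ""
    on_facebook = host == "facebook.com" or host.endswith(".facebook.com")
    findings = []
    for form in collector.forms:
        names = [name for _, name in form["inputs"]]
        passwords = [name for kind, name in form["inputs"] if kind == "password"]
        # A relative or empty action inherits the page's scheme.
        if passwords and urlparse(urljoin(page_url, form["action"])).scheme != "https":
            findings.append("password submitted over plain HTTP")
        if len(passwords) > 1:
            findings.append("more than one password requested")
        if any("security" in n or "secret" in n for n in names):
            findings.append("security-question answers requested")
        if not on_facebook and any("facebook" in n for n in passwords):
            findings.append("Facebook password requested off facebook.com")
    return findings
```

Calling `audit(SAMPLE_URL, SAMPLE_HTML)` returns all four findings for the constructed form, while an ordinary single-password login form served over HTTPS returns an empty list.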

Mega Millions recently put out an alert regarding websites and emails bearing their name, which makes for interesting reading. The general takeaway is much the same as other Lottery themed alert notifications – you’re never going to win a lottery if you haven’t taken part, and if you have bought a ticket for whatever missive ends up in your mailbox, you should still hunt out the official website and get in touch with the people running it. Messages for lotteries which take place overseas should also be viewed with suspicion; calling numbers and sending / receiving money by wire is also a bad idea.

The idea of winning millions in a lucky dip is nice; the idea of handing over revealing personal information, secret questions, logins and more is not quite so appealing. We should probably take our chances elsewhere…

Christopher Boyd


Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.