'Google Adwords under Phishing Attack'

Google Adwords under Phishing Attack

By Wilbur Corncob at 03/28/08 06:48

I started getting a whole slew of messages from "google" about my "adwords account". There was a couple problems with the messages right off the bat. I haven't been using adwords for quite sometime, so there is no worry about having not paid them. Second, the emails were arriving on many different email addresses of mine, none of which were ever connecte to my adwords account.

Most importantly, my email program shows the domains of all websites references within an email BEFORE I open the message:

---

google.com w3.org ad039k.cn Thu Mar 27 17:35:17 2008
From: adwords-noreply@google.com
Subject: Please Re-activate your account

---

It seemed odd that Google would send an email with an off the wall domain registered in China. The each different email had a different chinese domain in it. Just from that information I knew the message was a phishing attempt.

An examination of the message also clearly showed the attempt. I view all emails as plain text, not html. This keeps things looking "ugly", but saves you some making a stupid mistake. Let's look at the text of these messgaes. I've changed the html tags to use ['s here for clarity. I've added some bold face to the message here.

The message was sent in text format, followed by html. In my email program I view it all as text, and see the HTML codes.

In the text version at the top, a url is given to login to adwords: http://adwords.google.com/select/login . If you cut and pasted that url, you'd actually arrive at the Google, adwords login prompt.

In the html version, which most email programs would render as HTML, is you wouldn't see the tags, but the links... there are "two links":

http://adwords.google.com.ad039k.cn/select/Login/ which is actually in the HTML href tag and the website you would get if you clicked the link, and http://adwords.google.com/select/login which would show as the underlined link text.

On first glance, in an HTML based email program you would think clicking the link would take you to Google's website site. That's the idea and the trick. Instead you end up on ad039k.cn, which seems to have IP addresses in many different countries.

You can be sure whatever is done on THAT website, which I suspect is visually the same as Google's adword site, will result in your adwords login information being stolen as well any payment information you enter.

---

This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message. --------------------------------------------------------------------------------

Dear Google AdWords Customer,

Please sign in to your account at http://adwords.google.com/select/login , and update your billing information. Your account will be reactivated as soon as you update your payment information. Your ads will show immediately if you decide to pay for clicks via credit or debit card. If you decide to pay by direct debit, we may need to receive your signed debit authorization before your ads start running, depending on your location. If you choose bank transfer, your ads will show as soon as we receive your first payment.

We look forward to providing you with the most effective advertising available.

Sincerely,

---------------------------------------------------------------------------------- The Google AdWords Team

------=_NextPart_000_0006_01C89041.DAE87300 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

[html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40"]

[head] [META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"]

[meta name=ProgId content=Word.Document] [meta name=Generator content="Microsoft Word 10"] [meta name=Originator content="Microsoft Word 10"] [link rel=File-List href="cid:filelist.xml@{nHEX}.{nHEX}"] [link rel=Edit-Time-Data href="cid:editdata.mso@{nHEX}.{nHEX}"] [/head] [body] This message was sent from a notification-only email address that does[br] not accept incoming email. Please do not reply to this message.[br] --------------------------------------------------------------------------------[br][br]

Dear Google AdWords Customer,[br][br]

Please sign in to your account at [a href="http://adwords.google.com.ad039k.cn/select/Login/" target="_blank"]http://adwords.google.com/select/login[/a] , and update your billing information.[br] Your account will be reactivated as soon as you update your payment information.[br] Your ads will show immediately if you decide to pay for clicks via credit [br] or debit card. If you decide to pay by direct debit, we may need to receive[br] your signed debit authorization before your ads start running, [br] depending on your location.[br] If you choose bank transfer, your ads will show as soon as we receive your[br] first payment. [br][br][br]

We look forward to providing you with the most effective advertising available.[br][br]

Sincerely,[br][br][br]

----------------------------------------------------------------------------------[br][br] The Google AdWords Team [/body] [/html]

------=_NextPart_000_0006_01C89041.DAE87300--

How do I stop this bogus e-mail?

To: csicustomerservice@cannonsports.com

Subject: CSI Customer service

From: "Google@gmail.com"

CSI Customer service

Customer Account #:

Customer Invoice #: Date Requested: 2008-05-31

Customer P.O. #

Customer P.O. Date:

Bill To Name Google

Street

City

State CT Zip

Ship To Name Google

Street 2025 Graystone Lakes

City Moskow

State OR Zip GA 31009

Requested by: Google

Telephone #

email #: Google@gmail.com

If you do not wish to receive similar messages please inform us on it by mail ban.site[dog]gmail.com

I am impressed by your blog and I'l love your blog.

Name:     (required)
Email:    (required, not published)
Comment: