Google AdWords Phishing

May 1st, 2008 by Loucif Kharouni (Threats Analyst)

Today I received a strange e-mail about updating payment information for Google AdWords:

This message says that my payment hasn’t been successful and that I need to update my payment information.

As you can see, the link text displayed in the mail body is hxxp://adwords.google.com/select/login, which is the legitimate address. The link actually points to hxxp://www.adwords.google.com.fke21.cn/select/Login, which has nothing to do with Google: the registrable domain is fke21.cn, and the familiar adwords.google.com labels are merely a prefix of the host name, not its suffix:
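The mismatch between the visible link text and the real href is the whole trick, and it can be checked mechanically. The following is an added example, not code from the original post: it parses a constructed HTML body modelled on the message above (the post's hxxp URLs written as http so they parse) and flags every anchor whose text looks like a URL but whose href host is neither that host nor one of its subdomains. The helper names (find_deceptive_links and friends) are this example's own.

```python
"""Flag anchors whose visible text is a URL but whose href points elsewhere.

Added example, not code from the original post. Helper names are assumed
for illustration; only the Python standard library is used.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the first link shows the legitimate AdWords login
# URL as text but hides a look-alike host under fke21.cn in the href.
SAMPLE_EMAIL_HTML = """
<p>Your last payment was unsuccessful. Please update your billing details at
<a href="http://www.adwords.google.com.fke21.cn/select/Login">http://adwords.google.com/select/login</a>.</p>
<p>Help: <a href="https://adwords.google.com/support">https://adwords.google.com/support</a></p>
<p>Or <a href="http://www.google.com/">click here</a>.</p>
"""


def _host(url: str) -> str:
    """Lower-cased host of a URL; empty string if it cannot be parsed."""
    # Anchor text may omit the scheme (e.g. "adwords.google.com/select/login").
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text: str) -> bool:
    """Crude test for link text that a reader would take for an address."""
    text = text.strip()
    return text.startswith(("http://", "https://", "www.")) or (
        "." in text and " " not in text
    )


def _same_site(displayed: str, actual: str) -> bool:
    """True if the real host is the displayed host or one of its subdomains.

    The suffix match is anchored on a dot, so 'www.adwords.google.com.fke21.cn'
    does not pass for 'adwords.google.com': the legitimate labels are a
    prefix of the host, not a suffix, and the registrable domain is fke21.cn.
    """
    return actual == displayed or actual.endswith("." + displayed)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str):
    """Return (visible_text, href) pairs where the text is a URL whose host
    does not match the href host (or a subdomain of it)."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        if not _looks_like_url(text):
            continue  # "click here" style links make no claim about the host
        if not _same_site(_host(text), _host(href)):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"shown: {text}\n  real: {href}")
```

Only the first anchor is flagged: the support link matches its text, and "click here" makes no claim about where it goes. A production filter would resolve the registrable domain with a public-suffix list rather than the dot-anchored suffix test used here, but the test already defeats the prefix trick this mail relies on.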

A quick Robtex lookup on google.com.fke21.cn shows the following associated IPs:

  • 79.117.135.78 -> Dr Staicovici Bucharest, ROMANIA
  • 85.178.255.59 -> HANSENET Telekommunikation GmbH Hamburg, Germany
  • 86.105.12.97 -> Dr Staicovici Bucharest, ROMANIA
  • 86.126.214.164 -> Dr Staicovici Bucharest, ROMANIA
  • 89.32.130.125 -> MEGANET AS SC Mega Net Distribution SRL Str Valea Calugareasca Nr 4 Bloc 5 Scara 7 Etaj 3 Ap 85 Bucuresti, Romania
  • 89.33.213.53 -> DIGINET AS SC DIGINET SA STR Calea Nationala Nr 99 Botosani Romania
  • 89.35.25.32 -> LGNET AS S C LG Network S R L Calea Chisnaului 17, ET 4, Camera 402 Iasi, 700173 Romania
  • 89.41.46.63 -> WINDMOB AS SC WINDMOB SERV SRL Aleea Zamora Nr 5 Bl 175 Sc C Ap 46 Ploiesti Prahova SAT BATESTI, COM BRAZI, NR 511 PRAHOVA
  • 89.41.182.152 -> ILINK AS SC COBALT IT SRL Str Emanoil Porumbaru, nr 17A, Camera 2, Sector 1, Bucuresti Romania RO
  • 99.235.126.120 -> ROGERS CABLE AS Rogers Cable Inc 1 Mount Pleasant Road Toronto, Ontario, Canada M4Y 2Y5

The German IP is hosting several similar domain names.

Here is what the fake Google AdWords Web site looks like:

In this screenshot you can see that you first have to log in with your Google AdWords account. In fact, any e-mail address and password are accepted, since the credentials are never verified. The user is then asked to fill in fields such as credit card number and address:

And, of course, after doing so the site tells you that your account has been updated:

This information is then sent to a remote server over an SSL connection.

If you access hxxp://www.adwords.google.com.fke21.cn directly, it tries to load some obfuscated ("encrypted") malicious JavaScript, but the code appears to be buggy.
