May 1, 10:05 am (UTC-7) | by Loucif Kharouni (Threats Analyst)
Today I received a strange e-mail about updating payment information for Google AdWords:

This message says that my payment hasn’t been successful and that I need to update my payment information.
As you can see, the link displayed in the mail body is hxxp://adwords.google.com/select/login, which is the legitimate one. But the Web site actually accessed is hxxp://www.adwords.google.com.fke21.cn/select/Login, which has nothing to do with the real one:
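The two tricks the mail relies on are that the visible link text names one host while the href points at another, and that the real hostname merely contains google.com as a chain of subdomain labels while the registrable domain is fke21.cn. The script below is an added example, not code from the original post or from Trend Micro, that flags both patterns in an HTML mail body. The sample mail body, the BRAND_DOMAIN/TRUSTED_HOSTS allow-list and the two-label approximation of a registrable domain are assumptions for the example; a production filter would use the Public Suffix List instead.

```python
"""Flag phishing-style anchors in an HTML e-mail body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: the brand the mail claims to come from and the
# hosts we accept for it. A real filter would load this from configuration.
BRAND_DOMAIN = "google.com"
TRUSTED_HOSTS = {"google.com", "www.google.com", "adwords.google.com"}

# Constructed sample mimicking the mail described in the post: the visible
# text shows the real AdWords login, the href goes to the look-alike host.
SAMPLE_MAIL = """
<p>Your last payment was not successful. Please update your payment information:</p>
<p><a href="http://www.adwords.google.com.fke21.cn/select/Login">http://adwords.google.com/select/login</a></p>
<p>Regards, <a href="http://adwords.google.com/select/login">the AdWords team</a></p>
"""

# Link text that itself looks like a URL or a bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: a simplified 'registered domain'.

    Good enough for .com and .cn as in the post; the Public Suffix List
    is needed for suffixes such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(value: str) -> str:
    """Hostname from a URL, or from bare text such as 'adwords.google.com/select/login'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list:
    """Return one finding per suspicious anchor: {'href', 'text', 'reasons'}."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if href_host in TRUSTED_HOSTS:
            continue
        reasons = []
        # 1. The visible text names a different host than the href targets.
        if URL_LIKE.match(text):
            text_host = host_of(text)
            if text_host != href_host:
                reasons.append(f"visible text shows {text_host} but the href goes to {href_host}")
        # 2. The brand domain appears only as subdomain labels under another
        #    registrable domain (adwords.google.com.fke21.cn -> fke21.cn).
        reg = registrable_domain(href_host)
        if f".{BRAND_DOMAIN}." in f".{href_host}." and reg != BRAND_DOMAIN:
            reasons.append(f"{BRAND_DOMAIN} appears as a subdomain of {reg}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_MAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample body, the second anchor (a genuine adwords.google.com href with plain-text anchor text) is skipped, while the first is reported twice over: once for the text/href mismatch and once because google.com sits under fke21.cn.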

A quick Robtex lookup of google.com.fke21.cn shows the following associated IPs:
79.117.135.78 -> Dr Staicovici Bucharest, ROMANIA
85.178.255.59 -> HANSENET Telekommunikation GmbH Hamburg, Germany
86.105.12.97 -> Dr Staicovici Bucharest, ROMANIA
86.126.214.164 -> Dr Staicovici Bucharest, ROMANIA
89.32.130.125 -> MEGANET AS SC Mega Net Distribution SRL Str Valea Calugareasca Nr 4 Bloc 5 Scara 7 Etaj 3 Ap 85 Bucuresti, Romania
89.33.213.53 -> DIGINET AS SC DIGINET SA STR Calea Nationala Nr 99 Botosani Romania
89.35.25.32 -> LGNET AS S C LG Network S R L Calea Chisnaului 17, ET 4, Camera 402 Iasi, 700173 Romania
89.41.46.63 -> WINDMOB AS SC WINDMOB SERV SRL Aleea Zamora Nr 5 Bl 175 Sc C Ap 46 Ploiesti Prahova SAT BATESTI, COM BRAZI, NR 511 PRAHOVA
89.41.182.152 -> ILINK AS SC COBALT IT SRL Str Emanoil Porumbaru, nr 17A, Camera 2, Sector 1, Bucuresti Romania RO
99.235.126.120 -> ROGERS CABLE AS Rogers Cable Inc 1 Mount Pleasant Road Toronto, Ontario, Canada M4Y 2Y5

The German IP is hosting several similar domain names.

Here is what the fake Google AdWords Web site looks like:

In this screenshot, you can see that you have to log in first using your Google AdWords account, but in fact any e-mail address and password will do, since the credentials are never actually verified. The user is then asked to fill out fields such as credit card number and address:

And, of course, after doing so you are told that your account is now updated:

This information is then sent to a remote server over an SSL connection.
If you access hxxp://www.adwords.google.com.fke21.cn directly, it tries to load some malicious encrypted JavaScript, but the code appears to contain bugs.
This entry was posted on Thursday, May 1st, 2008 at 10:05 am and is filed under Security.
May 6th, 2008 at 4:11 am
[...] favourite target of online criminals. The day after Google's warning, web security firm Trend Micro discovered a Google Adword phishing [...]
May 8th, 2008 at 9:31 am
[...] Quoted from http://blog.trendmicro.com/google-adwords-phishing/: [...]
May 8th, 2008 at 3:25 pm
[...] articles: Trendlabs MX [...]
June 7th, 2008 at 2:37 pm
[...] Is it a malware download? Doesn’t look like it. See this Trend Micro report on an earlier faked AdWords attack. [...]