Google AdWords Phishing
May 1st, 2008 by Loucif Kharouni (Threats Analyst)
Today I received a strange e-mail about updating payment information for Google AdWords:

This message says that my payment hasn’t been successful and that I need to update my payment information.
As you can see, the link displayed in the mail body is hxxp://adwords.google.com/select/login, which is the legitimate one. But the Web site actually accessed is hxxp://www.adwords.google.com.fke21.cn/select/Login, which has nothing to do with the real one:

A quick Robtex lookup on google.com.fke21.cn shows the following associated IPs:

In this screenshot, you can see that you first have to log in with your Google AdWords account, but any e-mail address and password will be accepted, since no real check is done to verify the credentials. The user is also asked to fill out fields such as credit card number and address:

This information is then sent to a remote server via an SSL connection.
If you access hxxp://www.adwords.google.com.fke21.cn, the page tries to load some malicious encrypted JavaScript, but the code seems to have some bugs.
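
The two signs described above, a displayed URL whose host differs from the real link target and a legitimate domain used as a subdomain of an unrelated one, can be checked automatically in an HTML mail body. The Python below is an added example, not code from the original post; the `BRAND_DOMAINS` set, the function names and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAINS = {"google.com"}  # assumption: the brand domains to protect

def host_of(text):
    """Return the lowercase hostname of a (possibly defanged) URL, or None."""
    url = text.strip().replace("hxxp", "http", 1)
    return urlsplit(url).hostname if "://" in url else None

def embeds_brand(host):
    """True if a brand domain appears as labels inside a different domain."""
    own = any(host == b or host.endswith("." + b) for b in BRAND_DOMAINS)
    return not own and any(f".{b}." in f".{host}" for b in BRAND_DOMAINS)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown, real = host_of("".join(self.text)), host_of(self.href)
        reasons = []
        if shown and real and shown != real:
            reasons.append("displayed host differs from link target")
        if real and embeds_brand(real):
            reasons.append("brand domain used as subdomain of another domain")
        if reasons:
            self.findings.append((real, reasons))
        self.href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: a link shaped like the one in the e-mail (defanged).
SAMPLE = ('<p>Please update your billing information: '
          '<a href="hxxp://www.adwords.google.com.fke21.cn/select/Login">'
          'hxxp://adwords.google.com/select/login</a></p>')
```

Calling `audit(SAMPLE)` reports the link target host together with both reasons; a link whose text is not a URL is only checked for the embedded brand domain.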
