Today I received a strange e-mail about updating payment information for Google AdWords:
This message says that my payment hasn’t been successful and that I need to update my payment information.
As you can see, the link displayed in the mail body is hxxp://adwords.google.com/select/login, which is the legitimate one. But the Web site actually reached is hxxp://www.adwords.google.com.fke21.cn/select/Login, which has nothing to do with the real one:
A quick Robtex lookup of google.com.fke21.cn shows the following associated IPs:
In this screenshot, you can see that you have to log in first using your Google AdWords account, but any e-mail address and password will be accepted, since the credentials are never verified. The user is also asked to fill out fields such as credit card number and address:
This information is then sent to a remote server via an SSL connection.
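The mismatch described above, between the URL shown in the mail body and the one the link really points to, can be checked mechanically. The following is an added example, not part of the original post: the HTML body is constructed around the two URLs quoted above (kept defanged), and the function and field names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body reusing the two URLs quoted in the post (kept defanged).
SAMPLE_HTML = (
    '<p>Your payment was declined. Please update your details at '
    '<a href="hxxp://www.adwords.google.com.fke21.cn/select/Login">'
    'hxxp://adwords.google.com/select/login</a></p>'
    '<p><a href="hxxp://adwords.google.com/support">Help</a></p>'
)

def host_of(text):
    """Return the lowercase hostname if text looks like a URL, else None."""
    text = text.strip().replace("hxxp", "http", 1)  # refang for parsing only
    if "://" not in text:
        return None
    return (urlsplit(text).hostname or "").lower() or None

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def find_mismatched_links(html):
    """Flag anchors whose visible text is a URL on a different host than href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if not shown or not actual or shown == actual:
            continue  # text is not a URL, or both point at the same host
        # True when the shown host is used as leading labels of another domain.
        embedded = "." + shown + "." in "." + actual
        findings.append({"shown": shown, "actual": actual, "embeds_shown_host": embedded})
    return findings

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_HTML):
        print(finding)
```

The exact-host comparison will also flag legitimate click-tracking redirects, so the `embeds_shown_host` field is the stronger signal: it is set only when the trusted hostname is reused as a subdomain prefix of an unrelated domain, as in this mail.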