?

Log in

No account? Create an account

Phishing in Googleland

« previous entry | next entry »
Apr. 7th, 2008 | 07:08 am

I haven't seen this version of a phishing scam until this morning's email arrived. 

Crooks are now sending email claiming to be Google.  They're telling me that my pay-per-click ads are offline and that I need to put more credit card money into my business' Google AdWords account. 

This looks like a real Google AdWords notification, except instead of going to the URL that displays in the email, the hyperlink actually takes you to a site in mainland China (see the ".cn" at the end):  http://adwords.google.vaultpacket.cn/select/Login . 

(The real Google is at https://adwords.google.com/select/Login .)

I haven't clicked, but I suspect the site mimics the real Google site. It will ask for your credit card information to reactivate your account.  Once you type in your numbers, kiss that card good-bye!

It's a good fake and it's new to me.  Most of all I'm impressed that the crooks think that Google AdWords is used enough for their scam to attract enough suckers to warrant their time and energy. After all, it takes work to set up a phony site!

This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.

----------------------------------------------------------------------------------

Dear AdWords Customer,

Your ads have stopped running because we were unable to process your billing information.
To activate your account and start running your ads, enter your billing information.

In order to activate your account and start running your ads, enter your billing information.
Pease sign into your account at
http://adwords.google.com/select/login, and update
your billing information.

Once your account is reactivated and your billing information has been processed,
any your ads and campaigns can begin running immediately on Google.

----------------------------------------------------------------------------------

The Google-AdWords Team

Tags:

Link | Leave a comment |

Comments {2}

fyellin

(no subject)

from: fyellin
date: Apr. 7th, 2008 08:56 pm (UTC)
Link

I have reported this to Google.

Reply | Thread

Galen of the Ozdachs Pack

(no subject)

from: ozdachs
date: Apr. 9th, 2008 02:28 pm (UTC)
Link

Thanks. Do you have an email address at Google to send reports to? This morning's phishing wanted me to click to
http://adwords.google.outtrust.cn/select/Login 
(disguised as http://adwords.google.com/select/login ).

The header info with hotmail address, if it helps:
...
Delivered-To: virtual-ozdachs_com-galen@ozdachs.com
Received: (qmail 15109 invoked from network); 9 Apr 2008 13:40:33 -0000
Received: from unknown (HELO [195.206.164.56]) (195.206.164.56)
by ns4.webmasters.com with SMTP; Wed, 09 Apr 2008 09:40:33 -0400
Received: from [195.206.164.56] by mx4.hotmail.com; Wed, 9 Apr 2008 13:41:04 +0000
Message-ID: <32724947.1207748595687.JavaMail.root@m04>
From: adwords-noreply@google.com
To: <galen@ozdachs.com>
Subject: Please submit your payment information
Date: Wed, 9 Apr 2008 13:41:04 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C89A47.5AFDD800"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
X-SA-Poll-Id: 1207748595645..1207748436.15139.ns4.webmasters.com..1..1207748464000
X-SA-USERIDNR: 1010303
Received-SPF: unknown(google.com: domain uses a mechanism not recognized by this client)
...





Received: from unknown (HELO [195.206.164.56]) (195.206.164.56)
by ns4.webmasters.com with SMTP; Wed, 09 Apr 2008 09:40:33 -0400
Received: from [195.206.164.56] by mx4.hotmail.com; Wed, 9 Apr 2008 13:41:04 +0000
Message-ID: <32724947.1207748595687.JavaMail.root@m04>
From: adwords-noreply@google.com


Edited at 2008-04-09 02:29 pm (UTC)

Reply | Parent | Thread