
SANS ISC: InfoSec Handlers Diary Blog - Phishing for Google adwords InfoSec Handlers Diary Blog



Phishing for Google adwords

Published: 2008-11-11
Last Updated: 2008-11-11 21:15:09 UTC
by Swa Frantzen (Version: 1)

Today (Tue Nov 11 17:27:xx in GMT+1), I received:

From: Google AdWords <setup@google.com>                                       
To: xxx@xxx.xxx
Subject: Google AdWords Alert 
Date: Wed, 12 Nov 2008 02:27:xx +1000 
 
Hello, 
 
Our attempt to charge your credit card on Wed, 12 Nov 2008 02:27:xx +1000
for your outstanding Google AdWords account balance was declined. 
Your account is still open. However, your ads have been suspended. Once 
we are able to charge your card and receive payment for your account 
balance, we will re-activate your ads. 
 
Please update your billing information, even if you plan to use the 
same credit card. This will trigger our billing system to try charging 
your card again. You do not need to contact us to reactivate your 
account. 
 
To update your primary payment information, please follow these steps: 
 
1. Log in to your AdWords account at: http://adwords .google .com 
.session- xxxxxxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxxxxxx .com68 .ru 
3. Click 'Billing Preferences' link. 
4. Click Edit next to the appropriate 'Payment Details' section. 
5. Enter your new or updated payment information. 
6. Click 'Save Changes' when you have finished. 
 
In the future, you may wish to use a backup credit card in order to 
help ensure continuous delivery of your ads. You can add a backup 
credit card by visiting your Billing Preferences page. 
------------------------------------------------------------------ 
This message was sent from a notification-only email address that does 
not accept incoming email. Please do not reply to this message. If you 
have any questions, please visit the Google AdWords Help Centre at 
https://adwords.google.com/support/?hl=en_GB to find answers to 
frequently asked questions and a 'contact us' link near the bottom of   
the page.
---------------------------------------------------------------- 
 
Thank you for advertising with Google AdWords. 
We look forward to providing you with the most effective advertising available. 
 
Sincerely,

The Google AdWords Team 

The x-ed out stuff was spot-on; the spaces were added to the URL to prevent any reader from clicking on it. It was sent to an email address I actually have used in association with Google AdWords (although it's not that well targeted: I got other copies of it on addresses I use in conjunction with managing websites but not linked to AdWords).

Notice the lack of obvious errors, aside from a date that's in the future (their timezone calculation might be off) and the concealed URL that does not point to google.com, but to .com68.ru.

Now, when explaining to your users how to tell phishing apart from real warnings, do you think your users have a reasonable chance of noticing this before the credit card gets abused?
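The concealed-URL trick in this message can be caught mechanically at a mail gateway or proxy. The sketch below is an added example, not part of the original diary; the allow-list and function names are assumptions. It flags any hostname that contains a trusted domain as inner labels while actually ending in a different domain.

```python
from urllib.parse import urlsplit

# Assumption: the domains this organisation actually trusts for the service.
TRUSTED_DOMAINS = ("google.com",)

# The link from the message above, kept in the diary's defanged form
# (x-ed out, spaces inserted) and re-joined only for analysis.
PAGE_URL = ("http://adwords .google .com .session- xxxxxxxxxxxxxxxxxxxx "
            ".xxxxxxxxxxxxxxxxxxxx .com68 .ru").replace(" ", "")

def hostname_of(url):
    """Lower-cased hostname without port, userinfo or trailing dot."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return host.rstrip(".").lower()

def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.
    The match is on the right-hand end, at a label boundary."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def embedded_trusted_domain(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that appears inside host as a run of
    labels without being its suffix, or None if there is none."""
    if is_trusted(host, trusted):
        return None
    labels = host.split(".")
    for d in trusted:
        want = d.split(".")
        for i in range(len(labels) - len(want) + 1):
            if labels[i:i + len(want)] == want:
                return d
    return None

def classify(url):
    """'trusted', 'lookalike:<domain>' or 'untrusted' for one URL."""
    host = hostname_of(url)
    if is_trusted(host):
        return "trusted"
    hit = embedded_trusted_domain(host)
    return f"lookalike:{hit}" if hit else "untrusted"

if __name__ == "__main__":
    for u in (PAGE_URL, "https://adwords.google.com/support/?hl=en_GB"):
        print(classify(u), hostname_of(u))
```

The check reads the hostname from right to left, which is the habit users need as well: what decides ownership is the end of the name, not the familiar-looking start.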

Tracing it back:

  • com68.ru has a private registration. Sure, what's new.
  • The email originated in 77.34.0.0/15 (used by an ISP based in Vladivostok).
  • The actual DNS name didn't resolve at the time of this writing.

--
Swa Frantzen -- Section 66
