Google Adwords subject to phishing

Today, Google Adwords is subject to a phishing campaign. MX Lab intercepted several messages stating that there is an issue with your Google Adwords account.

The message appears to come from Adwords@google.com, but this address is spoofed. The origin is User localhost (127.0.0.1) with the connection IP 128.175.13.92, which has the host name copland.udel.edu in the US. Since the messages are coming from one source it is very likely that this computer is part of a botnet.

Following the URL hxxp://www.google-bx.com/accounts/signin.html, which we do not recommend, takes you to the phishing web site, which looks very similar to the original Adwords web site.

The differences are marked with the red arrow and some explanation. Let’s take a look at the phishing web site.

Let’s take a look at the original web site.

When visiting the root of the web site we get a “Fedora Core Test Page” so they are hosting this from the subfolder /accounts/.

When we fill in a dummy login and password, the form requests the page login.php and we are redirected to the original Google Adwords web site. If we had filled in our real account details we would be a phishing victim by now.

The domain google-bx.com is registered by MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE with the following details:

Domain Name.......... google-bx.com
  Creation Date........ 2009-10-01
  Registration Date.... 2009-10-01
  Expiry Date.......... 2010-10-01
  Organisation Name.... denis rogers
  Organisation Address. 22th fireball ave
  Organisation Address.
  Organisation Address. new york city
  Organisation Address. 74836
  Organisation Address. NY
  Organisation Address. UNITED STATES

Admin Name........... denis rogers
  Admin Address........ 22th fireball ave
  Admin Address........
  Admin Address........ new york city
  Admin Address........ 74836
  Admin Address........ NY
  Admin Address........ UNITED STATES
  Admin Email.......... little_magic_0001@verizon.net
  Admin Phone.......... +1.8917288100
  Admin Fax............ 

Tech Name............ denis rogers
  Tech Address......... 22th fireball ave
  Tech Address.........
  Tech Address......... new york city
  Tech Address......... 74836
  Tech Address......... NY
  Tech Address......... UNITED STATES
  Tech Email........... little_magic_0001@verizon.net
  Tech Phone........... +1.8917288100
  Tech Fax.............
  Name Server.......... rns1.google-bx.com
  Name Server.......... rns2.google-bx.com

The malicious site is hosted on 201.11.70.175. According to an IP WHOIS this IP is from Brasil Telecom.
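An added example, not part of the original MX Lab post: a Python check for the two indicators described above, a From address on google.com delivered by an unrelated host and a link to a domain that embeds the brand name. The sample message is constructed around the values reported in the post; the header layout, `mx.example.net`, the brand list and the two-label domain heuristic are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: brand token and its legitimate registrable domains (illustrative).
BRAND = "google"
LEGIT_DOMAINS = {"google.com"}

# Constructed sample: the header layout and mx.example.net are invented;
# the address, IP, host name and defanged URL are the ones reported in the post.
SAMPLE = """\
Received: from localhost (copland.udel.edu [128.175.13.92]) by mx.example.net
From: Google AdWords <Adwords@google.com>
Subject: Issue with your account

Please sign in: hxxp://www.google-bx.com/accounts/signin.html
"""

def registrable(host):
    # Naive heuristic: last two labels. Production code should use the
    # Public Suffix List so that names such as example.co.uk are handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def refang(text):
    # Turn the analyst notation hxxp:// back into http:// for parsing only.
    return re.sub(r"\bhxxp", "http", text, flags=re.I)

def analyse(raw):
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # 1. Claimed sender domain vs. the host recorded by our own MX in the
    #    topmost Received header. A heuristic; SPF/DKIM results are stronger.
    m = re.search(r"\(([\w.-]+) \[([\d.]+)\]\)", msg.get("Received", ""))
    if m and registrable(m.group(1)) != registrable(from_domain):
        findings.append(("sender_mismatch", from_domain, m.group(1), m.group(2)))
    # 2. Links whose host carries the brand name but is not a brand domain.
    for url in re.findall(r"https?://[^\s<>\"']+", refang(msg.get_payload())):
        host = urlsplit(url).hostname or ""
        if BRAND in host and registrable(host) not in LEGIT_DOMAINS:
            findings.append(("lookalike_link", host))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```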
