Google Adwords subject to phishing
October 1, 2009 2 Comments
Today, Google Adwords is subject to a phishing campaign. MX Lab intercepted several messages stating that there is an issue with your Google Adwords account.

The message appears to be coming from Adwords@google.com, but this address is spoofed. The actual origin is User localhost (127.0.0.1) with the connection IP 128.175.13.92, which corresponds to the host name copland.udel.edu in the US. Since the messages are all coming from one source, it is very likely that this computer is part of a botnet.
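The check behind that paragraph, comparing the domain claimed in the From header with the public host that actually handed the mail to the receiving MX, as an added example (not code from the MX Lab post): the message below is constructed to model what the post describes; the receiving MX name, message id, timestamps and subject are invented.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed raw message modelled on the post's description (the MX name,
# id and timestamps are made up): the From header claims Adwords@google.com,
# while the Received chain shows the mail was injected from localhost on a
# host that has nothing to do with Google.
SAMPLE_MAIL = """\
Received: from localhost (copland.udel.edu [128.175.13.92])
    by mx.example.net (Postfix) with ESMTP id 0123456789
    for <victim@example.net>; Thu, 01 Oct 2009 10:00:00 +0000
Received: from User ([127.0.0.1]) by localhost with SMTP;
    Thu, 01 Oct 2009 09:59:59 +0000
From: Google AdWords <Adwords@google.com>
To: victim@example.net
Subject: There is an issue with your Google AdWords account

Please sign in to resolve the issue with your account.
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
FROM_CLAUSE_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?")


def parse_hops(msg):
    """Return one dict per Received header, in header order (newest hop first):
    the HELO name the client gave, its reverse-DNS name (if the receiving MTA
    recorded one) and the connecting IP address."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = FROM_CLAUSE_RE.match(value)
        if not m:
            continue
        helo, comment = m.group(1), m.group(2) or ""
        ip = IPV4_RE.search(comment)
        rdns = next((tok for tok in comment.split()
                     if not tok.startswith("[") and not IPV4_RE.fullmatch(tok)),
                    None)
        hops.append({"helo": helo, "rdns": rdns,
                     "ip": ip.group(0) if ip else None})
    return hops


def originating_hop(hops):
    """Walk from the oldest hop upwards and return the first one that arrived
    from a public IP; loopback and private hops (127.0.0.1 here) are skipped."""
    for hop in reversed(hops):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def analyse(raw_message):
    """Compare the From domain with the public host that delivered the mail."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    claimed_domain = addr.rpartition("@")[2].lower()
    origin = originating_hop(parse_hops(msg)) or {}
    origin_host = origin.get("rdns")
    # A public entry point that does not belong to the claimed domain is the
    # tell-tale sign of the spoofed From address described in the post.
    suspected = not (origin_host and origin_host.lower().endswith(claimed_domain))
    return {
        "claimed_domain": claimed_domain,
        "origin_ip": origin.get("ip"),
        "origin_host": origin_host,
        "spoof_suspected": suspected,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_MAIL))
```

Only the Received line written by your own MX can be trusted; every line below it was supplied by the sending side and may itself be forged, which is why SPF, DKIM and DMARC results are the robust form of this check.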
Following the URL hxxp://www.google-bx.com/accounts/signin.html (which we do not recommend) takes you to the phishing web site, which looks very similar to the original Adwords web site.
The differences are marked with red arrows and some explanation. Let’s take a look at the phishing web site.

Let’s take a look at the original web site

When visiting the root of the web site we get a “Fedora Core Test Page”, so the phishing page is hosted from the subfolder /accounts/.
When filling in a dummy login and password, the form requests the page login.php and we are redirected to the original Google Adwords web site. If we had filled in our real account details, we would be a phishing victim by now.
The domain google-bx.com is registered by MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE with the following details:
The malicious site is hosted on 201.11.70.175. According to an IP WHOIS this IP is from Brasil Telecom.

Phishing must be avoided. Google must try to eliminate phishing in Adwords.
For the last two weeks (July 2010), any Google search has listed some random links that point to URLs on the following domains:
adwords.myonlinesecure.com
infomoneyservice.com
A sample URL is:
http://adwords.myonlinesecure.com/r.php?r=MWNhMzMyMjkxNTBjYTQ4MWUwOGMyYmFiNGU5ZDI5MjJ8bWljcm9zb2Z0LmNvbS98MGU0YmQwMDkyZDYwNTQ1YTM4YTQ5Njg3MjlmMzcyNDh8MC4wMDA2&rhcpre=aHR0cDovL3BlYXJsZmlzaGVyeS5jb20vc2VhcmNoLnBocD9xPWdvb2dsZSthZHdvcmRzK3ZpcnVz
The base64_decode of the parameter “r” in the above URL is:
1ca33229150ca481e08c2bab4e9d2922|microsoft.com/|0e4bd0092d60545a38a4968729f37248|0.0006
The base64_decode of the parameter “rhcpre” in the above URL is:
http://pearlfishery.com/search.php?q=google+adwords+virus
Incidentally, the Google search words used were “google adwords virus”.
Running CC Cleaner was of no use, as was removing and reinstalling the Google search bar.