Google AdWords phishing campaign

MX Lab, http://www.mxlab.eu, started to intercept a new phishing campaign with the subject “Account has stopped running” that comes from the spoofed email address “Google Adword <adwords-noreply@google.com>”. This campaign targets AdWords users.

The recipient is informed that his Adwords campaigns stopped running as of this morning Monday, September 26, 2011.

This is the full content:

We stopped running your Google ads this morning (Monday, September 26, 2011).

Dear AdWords Advertiser,

We had encountered a number of issues when reviewing your ads this morning and we stopped running them. We will review them again and make the necessary changes that will allow to run your ads without any problems.

Click here to review your ads and let us know if we made a mistake.

We’ll often stop running your ads until we are able to make the necessary updates. As soon as we made and saved the changes, your ads are automatically resubmitted to us for review.

Please note: If you do not verify the status of your Adwords account and notify us if your ads do not appear online we can not help you and your ads will stay offline for the next few days.

2011 Google is a trademark of Google Inc. All other company and product names may be trademarks of the respective companies with which they are associated. 1600 Amphitheatre Parkway Mountain View, CA 94043

The included URL leads to hxxp://www.google-ars.com/accounts/?ServiceLogin?service=adwords and brings the visitor to the following login webpage.

The login page requests the page login.php and then redirects the visitor to an official Google AdWords page, http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=142731.

Now, when I was looking at the above page, it made me wonder whether this version of the login page is still up to date. I surfed to the Google AdWords page and got the following:

It seems to me that the authors of this campaign didn’t take the trouble to check the design and layout of the phishing login page and adapt it to the changed design that is online at Google. Never mind, it’s even better for us to see the difference between a real Google site and a phishing attempt.

Google Talk users subject of phishing scheme

After the GMail service interruption, Google now suffers another security risk. Google Talk users are subject of a phishing scheme to get them to give up their user information.

The scam lures users of Google Talk, Google’s instant messaging system, to the web site ViddyHo with messages containing “Hey check out this video” and a link via the TinyURL service. The link directs users to the web site of ViddyHo, where they are asked to enter their Gmail usernames and passwords to get access.

The web site ViddyHo is being blocked by TinyURL but it is always possible that other URLs will be used in future phishing emails.

As always, the general recommendation from MX Lab is not to trust any request to fill in your account credentials on a web site. Check the URL, check the HTTPS connection first and try to see if the site is genuine.

A solution for the spoofed URLs from Google and DoubleClick

According to CNet, Google will tackle two serious issues: a cross-site scripting issue on the login page of the communication platform Grand Central and, more important if you receive this type of spam, the URL spoofing technique that spammers use.

On this blog I posted, in May, an article about DoubleClick URLs also being used in spam, just like Google URLs. As a result, email users click on a URL that appears to lead to Google.com but instead redirects them to a potentially malicious site or to a web site advertised by the spammer, such as an online pharmacy.

“Open URL redirection is an issue we take very seriously. As we become aware of open URL redirectors on google.com, we actively work to close them. We are also aware of redirectors using doubleclick.com and are working to address this issue,” the Google spokesman said.

This sounds great. Now it is time for the spammers to develop a new technique. Fingers crossed.

Double Click ad links used in URLs

“Let’s try something new” said one spammer to the other. “I have enough of these Google PageAd links in our spam. I’m going to integrate Double Click this time.”

And yes, we intercept more URLs these days like http://ad.doubleclick.net/click;h=*******http://***.com/redir.html, used to avoid potential filters and lure drug-buying surfers to the European Pharmacy.

The other spammer used DoubleClick to distribute some malware:
http://ad.doubleclick.net/click;h=*******http://***.es/video.exe, with the promise that you can see a Britney and Paris lesbian video. The malware is known as Trojan.Downloader.Exchanger.bc.
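Both the Google redirector spam above and these DoubleClick links rely on the same trick: a trusted host whose link forwards to a foreign domain embedded later in the URL, either raw (as in the `click;h=...http://` form here) or percent-encoded. The following mail-filter check is an added example written for this post, not MX Lab code; the message body and hosts (`pharmacy.example`, `drop.example`) are constructed placeholders, and the registrable-domain helper is a deliberately crude two-label approximation.

```python
import re
from urllib.parse import urlsplit, unquote

# Matches absolute http(s) URLs; used both to pull links out of a message body
# and to find a second URL nested inside the first one.
_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for .com/.net/.es style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def embedded_redirect_target(url: str):
    """Return the host of a URL nested inside `url` whose registrable domain
    differs from the outer host, or None. Checks the raw tail first, then the
    percent-decoded tail so q=http%3A%2F%2F... style redirectors are caught."""
    outer = urlsplit(url)
    outer_host = outer.hostname or ""
    # Everything after scheme://host, i.e. path (incl. ;params), query, fragment.
    tail = url[len(outer.scheme) + 3 + len(outer.netloc):]
    for candidate in (tail, unquote(tail)):
        match = _URL_RE.search(candidate)
        if not match:
            continue
        inner_host = urlsplit(match.group(0)).hostname or ""
        if inner_host and registrable_domain(inner_host) != registrable_domain(outer_host):
            return inner_host
    return None

def scan_body(body: str):
    """Return (url, inner_host) for every link that forwards to another domain."""
    hits = []
    for url in _URL_RE.findall(body):
        target = embedded_redirect_target(url)
        if target:
            hits.append((url, target))
    return hits

# Constructed sample body (not a real capture); hosts are placeholders.
SAMPLE_BODY = """Check this: http://ad.doubleclick.net/click;h=v8/3a1b/0/0/*/u;http://pharmacy.example/redir.html
Video: http://www.google.com/url?q=http%3A%2F%2Fdrop.example%2Fvideo.exe
Legit: http://www.google.com/url?q=http://mail.google.com/ and http://adwords.google.com/support/aw/bin/answer.py?hl=en"""

if __name__ == "__main__":
    for url, target in scan_body(SAMPLE_BODY):
        print(f"redirector {urlsplit(url).hostname} forwards to {target}")
```

A link to a same-domain target (the `mail.google.com` case) is left alone, so the check flags only cross-domain forwarding rather than every use of a redirector.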

Oh, well, no video tonight I guess.

Security flaw in Gmail can turn server in a spam machine

INSERT, the Information Security Research Team, has created a proof of concept that exploits Google’s SMTP service bypassing Google’s 500-address bulk e-mail limit and identity fraud protections.

This vulnerability enables an attacker to bypass blacklist/whitelist based email filters and freely forge all fields in an email message by having Google’s SMTP servers tricked into functioning as open SMTP relays. We were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail’s 500 messages limit for bulk messages).

Google spam backscatter

If you have received a “Your mail could not be delivered” bounce notification, a “Your mail contained a virus” notice, or a request to confirm your signup request for a mailing list you’ve never heard of, you’ve probably received backscatter. There is also spam backscatter when spammers use your domain in their activities.

Some time ago, when virus outbreaks were very common, we got a lot of backscatter from mail servers that intercepted the virus. Mail administrators were so concerned, or may I say stupid, that they sent these notifications back to the sender, most often a spoofed email address.

Today, we have Google backscatter:

Hello souillet1957@**********.com,

We’re writing to let you know that the group that you tried to contact (designateh) doesn’t exist. There are a few possible reasons why this happened:

* You might have spelled or formatted the group name incorrectly.
* The owner of the group removed this group, so there’s nobody there to contact.

If you have questions about this or any other group, please visit the Google Groups Help Center at http://groups.google.com/support.

Thanks, and we hope you’ll continue to enjoy Google Groups.

The Google Groups Team

Thank you Google.

Blogspot used a lot by spammers

Last year, the Microsoft Research study showed that Blogspot, the popular Blogger platform from Google, was one of the top doorway domains for spam: 75% were used as “splogs”, so-called redirects to spam sites. During the last few weeks, MX Lab has been seeing new Blogspot domains every day, and the volume of spam in which a Blogspot domain is used has increased to new heights. These spam messages advertise pornography, pharmacies and so on. Nothing new under the sun, but we also have reports that malware is being distributed through this channel. So clicking on a Blogspot link can be hazardous to your computer’s health.

From our point of view, it is time that Google reacts and tightens its security a lot. It is clear that it’s too easy for spammers to create new Blogspot domains.
