MX Lab, http://www.mxlab.eu, started to intercept a new phishing campaign with the subject “Account has stopped running”, sent from the spoofed email address “Google Adword <firstname.lastname@example.org>”. This campaign targets AdWords users.
The recipient is informed that their AdWords campaigns stopped running as of this morning, Monday, September 26, 2011.
This is the full content:
We stopped running your Google ads this morning (Monday, September 26, 2011).
Dear AdWords Advertiser,
We had encountered a number of issues when reviewing your ads this morning and we stopped running them. We will review them again and make the necessary changes that will allow to run your ads without any problems.
Click here to review your ads and let us know if we made a mistake.
We’ll often stop running your ads until we are able to make the necessary updates. As soon as we made and saved the changes, your ads are automatically resubmitted to us for review.
Please note: If you do not verify the status of your Adwords account and notify us if your ads do not appear online we can not help you and your ads will stay offline for the next few days.
2011 Google is a trademark of Google Inc. All other company and product names may be trademarks of the respective companies with which they are associated. 1600 Amphitheatre Parkway Mountain View, CA 94043
The included URL leads to hxxp://www.google-ars.com/accounts/?ServiceLogin?service=adwords and brings the visitor to the following login webpage.
The login page then requests the page login.php and redirects the visitor to an official Google AdWords page, http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=142731.
Now, when I was looking at the above page, it made me wonder if this version of the login page is still up to date. I surfed to the Google AdWords page and got the following:
It seems to me that the authors of this campaign didn’t take the effort to check the design and layout of the phishing login page and modify it to the changed design that is online at Google. Never mind, it’s even better for us to see the difference between a real site from Google and a phishing attempt.
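The page design is one tell; the host name is a more reliable one. The following check is an added example, not MX Lab's own tooling, and flags URLs such as the one in this campaign that use the Google brand or a Google login path on a host outside google.com. The trusted-domain list, token lists and function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: google.com is the only trusted parent domain,
# and these tokens/markers are the ones worth watching for.
TRUSTED_DOMAINS = ("google.com",)
BRAND_TOKENS = ("google", "adwords")
LOGIN_PATH_MARKERS = ("servicelogin", "/accounts")


def refang(url: str) -> str:
    """Turn a defanged 'hxxp://' indicator back into a parseable URL."""
    if url.lower().startswith("hxxp"):
        return "http" + url[4:]
    return url


def is_trusted(host: str) -> bool:
    """True only for a trusted domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(url: str) -> list[str]:
    """Return the reasons a URL looks like brand impersonation (empty = none)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".")
    if not host or is_trusted(host):
        return []
    reasons = []
    # Substring match on purpose: 'google-ars.com' has no label equal to 'google'.
    if any(token in host for token in BRAND_TOKENS):
        reasons.append("brand name in untrusted host")
    path_and_query = (parts.path + "?" + parts.query).lower()
    if any(marker in path_and_query for marker in LOGIN_PATH_MARKERS):
        reasons.append("Google login path on untrusted host")
    return reasons


if __name__ == "__main__":
    samples = [
        "hxxp://www.google-ars.com/accounts/?ServiceLogin?service=adwords",  # from this post
        "http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=142731",  # from this post
        "http://google.com.example.net/accounts/ServiceLogin",  # constructed sample
    ]
    for sample in samples:
        print(sample, "->", classify(sample) or "no findings")
```

The suffix comparison in `is_trusted` is what separates `adwords.google.com` from hosts that merely contain the string `google.com`.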