[Phish] Google adwords phish "please udpate your billing info" in Spam, Scam and Phishbusters

Google adwords phish "renew your account Now!"

Sun, 27 Apr 2008 23:48:41 EDT

EGeezer : I found one of these in my spambox too - I don't have a Google acocunt of any kind, looks like they're looking for ways to sneak malware into Google Ads.

Phish site link (link in code is also broken)

ht tp://w w w .dosiapt.com/zboard/data/6/1166064213/

Return-Path: <setup@google.com>Received: from hrndva-mxlb.mail.rr.com ([10.128.255.11])          by hrndva-imta07.mail.rr.com with ESMTP          id <20080421184556.SDDO27158.hrndva-imta07.mail.rr.com@hrndva-mxlb.mail.rr.com>          for <pbohn@columbus.rr.com>; Mon, 21 Apr 2008 18:45:56 +0000Message-Id: <6aktlg$eciij2@hrndva-mxlb.mail.rr.com>X-IronPort: hrndva-mx08.mail.rr.com 482953826X-RR-Connecting-IP: 208.112.78.206Received: from mail.jersey-joe.com ([208.112.78.206])  by hrndva-mxlb.mail.rr.com with ESMTP; 21 Apr 2008 18:45:56 +0000Received: from server217-174-252-105.live-servers.net [217.174.252.105] by mail.jersey-joe.com with SMTP;   Mon, 21 Apr 2008 14:43:33 -0400From: "setup@google.com"<setup@google.com>Subject: Google AdWords Alert !Date: Mon, 21 Apr 2008 19:43:34 +0100MIME-Version: 1.0Content-Type: text/html;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD><META http-equiv=Content-Type content="text/html; charset=windows-1252"><META content="MSHTML 6.00.6000.16640" name=GENERATOR></HEAD><BODY><P><A href="/select/home"></A></P><P><FONT face=Arial size=2><FONT size=5>Renew Your Account Now !</FONT></FONT></P><P style="MARGIN: 0px"><FONT face=Arial size=2>Dear Member, <BR><BR>This is your official notification from Google Inc. that the service(s) listed below will be deactivated and deleted if not renewed immediately. <BR><BR>As the Primary Contact, you must renew the service(s) listed below or it will be deactivated and deleted. <BR><BR></FONT><A href="ht tp://w w w .dosiapt.com/zboard/data/6/1166064213/?dat$$$342-==%&head=b&box=@gfdtert=alerts!!@%%%" target=_blank>Renew Now your Google AdWords services.</A><BR><BR><FONT face=Arial size=2>SERVICE: Google AdWords<BR>EXPIRATION: April, 25 2008 <BR><BR>Thank you for using Google Inc service. <BR>We appreciate your business and the opportunity to serve you. <BR><BR>Google AdWords Service .</FONT></P> <P style="MARGIN: 0px"><FONT face=Arial size=2></FONT> </P></TD><TD style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; PADDING-TOP: 10px"><DIV></DIV></TD></TR></TBODY></TABLE><TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>  <TBODY>  <TR>    <TD vAlign=top>      <TABLE cellSpacing=0 cellPadding=3 width="100%" border=0>        <TBODY>        <TR>          <TD           style="BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; BORDER-BOTTOM: #cccccc 1px solid"           bgColor=#dbe6de><STRONG>Note : Your Google AdWords Password is NOT             your Google Email   password!</STRONG></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE> <DIV id=footer>�2008 Google</DIV><BR><DIV></DIV><CENTER></CENTER></BODY></HTML>

--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

Re: [Phish] Google adwords phish "please udpate your billing inf

Sun, 13 Apr 2008 18:59:00 EDT

anon : Gotta point out one other thing about this that is a little scarier than your average phishing scheme. It follows the logical procession of what it claims to be. In order, and on a reasonable time frame.

I unfortunately did not keep most of these, but I received the first I think sometime in late February. Received a couple more in March and earlier April. And now I just received one yesterday (as I scrolled through my spam box) that claimed "Your adwords account has now been 'stoped'." (Thank god for illiterate phisphers!)

But the fact that it well mimics the general progress of a real account shut down indicates a somewhat higher level of intelligence here. And - that scares me. LOL

Just thought I'd share my observation, and thanks for allowing a body to post without creating yet another account =)

V--Z

PS - I tried telling google, too, and also got the standard scripted response. Thank god for form letter writers, too, keeping otherwise perfectly good telemarketers from calling me! ;)

Re: [Phish] Google adwords phish "please udpate your billing inf

Tue, 08 Apr 2008 08:20:48 EDT

Dennis : lord...why did I even try. All they did was send me a explanation of what "spoofing" is.

Good to see that Google has joined the ranks of the large company that hires people dumb enough to not understand the emails they get.

On second thought...it was probably just a small perl script that responded to me.

--
My Blog. Because I desperately need the acknowledgement of others.

Meet my son, Connor.

Re: [Phish] Google adwords phish "please udpate your billing inf

Mon, 07 Apr 2008 12:33:51 EDT

Dennis :
You know the frequency of these is what scares me the most...

--
My Blog. Because I desperately need the acknowledgement of others.

Meet my son, Connor.

Re: [Phish] Google adwords phish "please udpate your billing inf

Mon, 07 Apr 2008 12:06:18 EDT

Dennis : and again:

No response from google about this at all yet...

Re: [Phish] Google adwords phish "please udpate your billing inf

Mon, 07 Apr 2008 09:45:30 EDT

Dennis : two more this morning...

It just occurred to me now that this is way too focused of an attack to be random or luck. Plus I'm getting them to two very specific email addresses...so after a little digging I've found only one place that they could have been pulled from.

Google Analytics
»https://www.google.com/analytics

It's the only place that both email addresses were in (I get daily reports on different sub domains, one to each) so I have to assume at this point that somebody gained access to the list of emails and assumed that a majority of people using Google Analytics were also using Google Adwords (not to be confused with Adsense).

Now the only question is...does google know???

--
My Blog. Because I desperately need the acknowledgement of others.

Meet my son, Connor.

Re: [Phish] Google adwords phish "please udpate your billing inf

Wed, 02 Apr 2008 18:51:25 EDT

Dennis : oh man here we go again

Re: [Phish] Google adwords phish "please udpate your billing inf

Sun, 23 Mar 2008 03:20:58 EDT

SnowyOne :

said by MGD :

For reference, in case it disappears, here is the source code for the entire phish page. For some reason it causes an immediate GPF on my web brwowser. I am not sure why.

Uhm, excuse me, but that's why you're supposed to put crap like this on other peoples servers. :)

Re: [Phish] Google adwords phish "please udpate your billing inf

Sun, 23 Mar 2008 02:48:39 EDT

MGD : LOL !!

....
..
For reference, in case it disappears, here is the source code for the entire phish page. For some reason it causes an immediate GPF on my web brwowser. I am not sure why.

03/22/08 17:58:17 Browsing http://adwords.google.com.r4oik.cn/select/Login/ Fetching http://adwords.google.com.r4oik.cn/select/Login/  ...GET /select/Login/  HTTP/1.1 Host: adwords.google.com.r4oik.cn Connection: close User-Agent: Sam Spade 1.14 HTTP/1.1 200 OK Date: Sat, 22 Mar 2008 21:00:48 GMT Server: Apache Last-Modified: Sat, 22 Mar 2008 19:16:30 GMT ETag: "575748-55be-70a25f80" Accept-Ranges: bytes Content-Length: 21950 Connection: close Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>Google AdWords: Sign In</TITLE> <META http-equiv=Content-Type content="text/html; charset=utf-8"><LINK  href="index_files/3355601226-AdsLater.css" type=text/css rel=stylesheet> <META content="MSHTML 6.00.6000.16587" name=GENERATOR> <style type="text/css">  </style> </HEAD> <BODY dir=ltr>   <FORM id=wzMainForm name=wzMainForm              action=submit.php             method=post> <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>   <TBODY>   <TR>     <TD vAlign=top height=1>       <TABLE cellSpacing=0 cellPadding=5 width="100%" border=0>         <TBODY>         <TR vAlign=center>           <TD width="1%"><A href="https://adwords.google.com/select/home"></A></TD>           <TD>             <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>               <TBODY>               <TR vAlign=top>                 <TD noWrap>                   <H4 style="MARGIN-TOP: 8px"><FONT color=#666666 size=-1>It's                    All About Results</FONT></H4></TD>                 <TD vAlign=center noWrap align=right height=30>                    <SCRIPT src="index_files/3968017901-popUpLink_js_compiled.js"                    type=text/javascript></SCRIPT>                    <A                    onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})"                    href="https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US"                    target=google_popup>Help</A> |<A                    onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})"                    href="https://adwords.google.com/select/contactus/ContactUs?hl=en_US&ctx=foot"                    target=google_popup>Contact Us</A></TD></TR>               <TR>                 <TD bgColor=#3f7c5f colSpan=2 height=1></TD></TR>               <TR>                 <TD vAlign=top align=right colSpan=2>                   <TABLE class=map2 cellSpacing=0 cellPadding=0 border=0>                     <TBODY>                     <TR></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><BR></TD></TR>   <TR>     <TD vAlign=top>       <TABLE id=wzMainBody cellSpacing=0 cellPadding=0 width="100%" border=0>         <TBODY>         <TR>           <TD>             <FORM id=wzMainForm name=wzMainForm              action=submit.php             method=post>             <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>               <TBODY>               <TR>                 <TD vAlign=top>                   <TABLE class=edit_section width="100%" border=0>                     <TBODY>                     <TR>                       <TD class=header><B>Sign-in</B></TD></TR>                     <TR>                       <TD class=indentedContent><BR>                         <TABLE cellSpacing=2 cellPadding=1>                           <TBODY>                           <TR>                             <TD vAlign=top></TD>                             <TD colSpan=2><table id="t" align="center" border="0" cellpadding="1" cellspacing="0">                                                              <tbody>                                 <tr>                                   <td colspan="2" align="center"><font size="-1">Sign in to  Google AdWords  with your</font>                                                                              <table>                                         <tbody>                                           <tr>                                             <td valign="top"></td>                                             <td valign="middle"><font size="-0"><b>Account</b></font></td>                                           </tr>                                         </tbody>                                       </table></td>                                 </tr>                                 <script type="text/javascript">     function onPreCreateAccount() {            return true;          }     function onPreLogin() {                   if (window["onlogin"] != null) {         return onlogin();       } else {         return true;       }          }                             </script>                                 <tr>                                   <td colspan="2" align="center"><div class="errorbox-good"></div></td>                                 </tr>                                 <tr>                                   <td nowrap="nowrap"><div align="right"><span>Email:</span></div></td>                                   <td><input name="continue" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden">                                       <input name="followup" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden">                                       <input name="service" value="adwords" type="hidden">                                       <input name="nui" value="15" type="hidden">                                       <input name="fpui" value="1" type="hidden">                                       <input name="ifr" value="true" type="hidden">                                       <input name="skipvpage" value="true" type="hidden">                                       <input name="rm" value="hide" type="hidden">                                       <input name="ltmpl" value="login" type="hidden">                                       <input name="hl" value="en-US" type="hidden">                                       <input name="alwf" value="true" type="hidden">                                       <input name="GA3T" value="JSszExtkIFc" type="hidden">                                       <input name="GALX" value="RMI6xOsmqgc" type="hidden">                                       <input style="width: 116px;" name="Email" value="" id="Email"  size="18" type="text"></td>                                 </tr>                                 <tr>                                   <td></td>                                   <td align="left"></td>                                 </tr>                                 <tr>                                   <td align="right"><span>Password:</span></td>                                   <td><input style="width: 116px;" name="Passwd" id="Passwd"  size="18" type="password"></td>                                 </tr>                                 <tr>                                   <td></td>                                   <td align="left"></td>                                 </tr>                                                                  <tr>                                   <td></td>                                   <td align="left"><input value="Sign in"  type="submit"></td>                                 </tr>                                 <tr id="ga-fprow">                                   <td colspan="2" class="gaia le fpwd" align="center" height="17" nowrap="nowrap" valign="bottom"><a href="http://www.google.com/support/accounts/bin/answer.py?answer=48598&hl=en&fpUrl=https%3A%2F%2Fwww.google.com%2Faccounts%2FForgotPasswd%3FfpOnly%3D1%26continue%3Dhttps%253A%252F%252Fadwords.google.com%252Fselect%252Fgaiaauth%253Fapt%253DNone%26followup%3Dhttps%253A%252F%252Fadwords.google.com%252Fselect%252Fgaiaauth%253Fapt%253DNone%26service%3Dadwords%26hl%3Den-US%26fpui%3D1" target="_top">I cannot access my account</a></td>                                 </tr>                                 <script type="text/javascript">             stylizeLogoWhite();                             </script>                               </tbody>                             </table>                             <BR>                           <BR></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>                   <SCRIPT language=JavaScript type=text/javascript>     var google_conversion_id = 1172432;     var google_conversion_language = "en_US";     var google_conversion_format = "1";     var google_conversion_color = "FFFFFF";     if (1.0) {     var google_conversion_value = 1.0;     }     var google_conversion_label = "Default";   </SCRIPT>                   <SCRIPT language=JavaScript src="index_files/conversion.js"                    type=text/javascript></SCRIPT>                   <NOSCRIPT></NOSCRIPT>                   <SCRIPT language=JavaScript type=text/javascript>     var google_conversion_id = 1070714708;     var google_conversion_language = "en_US";     var google_conversion_format = "1";     var google_conversion_color = "FFFFFF";     if (1.0) {     var google_conversion_value = 1.0;     }     var google_conversion_label = "Default";   </SCRIPT>                   <SCRIPT language=JavaScript src="index_files/conversion.js"                    type=text/javascript></SCRIPT>                    <NOSCRIPT></NOSCRIPT>                   <SCRIPT language=JavaScript type=text/javascript>     var google_conversion_id = 1070564663;     var google_conversion_language = "en_US";     var google_conversion_format = "1";     var google_conversion_color = "FFFFFF";     if (1.0) {     var google_conversion_value = 1.0;     }     var google_conversion_label = "Default";   </SCRIPT>                   <SCRIPT language=JavaScript src="index_files/conversion.js"                    type=text/javascript></SCRIPT>                    <NOSCRIPT></NOSCRIPT>                   <SCRIPT language=JavaScript type=text/javascript>     var google_conversion_id = 1070714678;     var google_conversion_language = "en_US";     var google_conversion_format = "1";     var google_conversion_color = "FFFFFF";     if (1.0) {     var google_conversion_value = 1.0;     }     var google_conversion_label = "Default";   </SCRIPT>                   <SCRIPT language=JavaScript src="index_files/conversion.js"                    type=text/javascript></SCRIPT>                    <NOSCRIPT></NOSCRIPT>                   <SCRIPT language=JavaScript type=text/javascript>     var google_conversion_id = 1071482227;     var google_conversion_language = "en_US";     var google_conversion_format = "1";     var google_conversion_color = "FFFFFF";     if (1.0) {     var google_conversion_value = 1.0;     }     var google_conversion_label = "Lead";   </SCRIPT>                   <SCRIPT language=JavaScript src="index_files/conversion.js"                    type=text/javascript></SCRIPT>                    <NOSCRIPT></NOSCRIPT>                   <SCRIPT language=Ja aScript type=text/javascript>     var google_conversion_id = 1069796387;     var google_conversion_language = "en_US";     var google_conversion_format = "1";     var google_conversion_color = "FFFFFF";     if (1.0) {     var google_conversion_value = 1.0;     }     var google_conversion_label = "Default";   </SCRIPT>                   <SCRIPT language=JavaScript src="index_files/conversion.js"                    type=text/javascript></SCRIPT>                    <NOSCRIPT></NOSCRIPT></TD>                 <TD id=wzQuestionSeparator                  style="BACKGROUND-IMAGE: url(/select/images/dot2.gif)"                  vAlign=bottom width="1%" height=300> </TD></TR></TBODY></TABLE></FORM></TD>           <TD id=wzQuestionSpacer width="1%"></TD>           <TD style="PADDING-RIGHT: 10px" vAlign=top width="25%">             <TABLE id=wzChooseKeywords-QuestionPanel cellSpacing=1 cellPadding=3              width="100%">               <TBODY>               <TR>                 <TD vAlign=top colSpan=2>                   <DIV class=wiz-smallHeader><B>Common Questions</B></DIV></TD></TR>               <TR>                 <TD vAlign=top> </TD>                 <TD><A                    onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})"                    href="https://adwords.google.com/support/bin/answer.py?answer=33359&hl=en_US&ctx=Complete"                    target=google_popup>How do I check that my account is                    running?</A></TD></TR>               <TR>                 <TD vAlign=top> </TD>                 <TD><A                    onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})"                    href="https://adwords.google.com/support/bin/answer.py?answer=33360&hl=en_US&ctx=Complete"                    target=google_popup>Now that my Starter Edition ad is running,                    what do I do next?</A></TD></TR>               <TR>                 <TD vAlign=top> </TD>                 <TD><A                    onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})"                    href="https://adwords.google.com/support/bin/answer.py?answer=8205&hl=en_US&ctx=Complete"                    target=google_popup>How do I redeem a promotional                code?</A></TD></TR>               <TR>                 <TD vAlign=top> </TD>                 <TD><A                    onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})"                    href="https://adwords.google.com/support/bin/answer.py?answer=8206&hl=en_US&ctx=Complete"                    target=google_popup>How do I reach an AdWords                    representative?</A></TD></TR>               <TR>                 <TD vAlign=top colSpan=2>                   <SCRIPT src="index_files/3329992908-Chat.js"                    type=text/javascript></SCRIPT>                   <SCRIPT src="index_files/2804589401-usage_tracker_compiled.js"                    type=text/javascript></SCRIPT>                   <DIV id=wizardChatOnline style="DISPLAY: none"><BR>                   <DIV class=wiz-smallHeader style="PADDING-BOTTOM: 5px"><B>Live                    Support</B><BR></DIV>                   <TABLE>                     <TBODY>                     <TR>                       <TD vAlign=top width="1%"><A                          onclick="awChat.popUpChat('aw-signup-starter-us', 'http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us', 'chat45033343'); return false;"                          href="http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us&byhref=1"                          target=chat45033343></A></TD>                       <TD vAlign=top noWrap>Need some friendly                          hand-holding?<BR><A                          onclick="awChat.popUpChat('aw-signup-starter-us', 'http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us', 'chat45033343'); return false;"                          href="http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us&byhref=1"                          target=chat45033343>Chat now with an AdWords                          Specialist</A></TD></TR></TBODY></TABLE></DIV>                   <SCRIPT type=text/javascript>       awChat.addChatDiv("aw-signup-starter-us",                         "https://server.iad.liveperson.net/hc/45033343/cmd/query/?cmd\75repstate\46site\07545033343\46page\75https://server.iad.liveperson.net/hcp/width/img1.gif\46query\75aw-signup-starter-us\46time\0751206107402348",                         "wizardChatOnline",                         "online");     </SCRIPT>                   <DIV id=wizardChatOccupied style="DISPLAY: none"><BR>                   <DIV class=wiz-smallHeader style="PADDING-BOTTOM: 5px"><B>Live                    Support</B><BR></DIV>                   <TABLE>                     <TBODY>                     <TR>                       <TD vAlign=top width="1%"></TD>                       <TD vAlign=top>All AdWords Specialists are helping other                          advertisers. Please <A                          onclick="awChat.retryChat('aw-signup-starter-us'); return false;"                          href="https://adwords.google.com/select/starter/signup/WizardComplete?wizardType=newAccount&wizardKey=240d5eedf96505ba#">try                          again</A> soon.</TD></TR></TBODY></TABLE></DIV>                   <SCRIPT type=text/javascript>       awChat.addChatDiv("aw-signup-starter-us",                         "https://server.iad.liveperson.net/hc/45033343/cmd/query/?cmd\75repstate\46site\07545033343\46page\75https://server.iad.liveperson.net/hcp/width/img1.gif\46query\75aw-signup-starter-us\46time\0751206107402348",                         "wizardChatOccupied",                         "occupied");     </SCRIPT>                   <DIV id=wizardChatOffline style="DISPLAY: none"><BR>                   <DIV class=wiz-smallHeader style="PADDING-BOTTOM: 5px"><B>Live                    Support</B><BR></DIV>                   <TABLE>                     <TBODY>                     <TR>                       <TD vAlign=top width="1%"></TD>                       <TD vAlign=top>AdWords Specialists aren't available to                          chat. Please try again later.</TD></TR></TBODY></TABLE></DIV>                   <SCRIPT type=text/javascript>       awChat.addChatDiv("aw-signup-starter-us",                         "https://server.iad.liveperson.net/hc/45033343/cmd/query/?cmd\75repstate\46site\07545033343\46page\75https://server.iad.liveperson.net/hcp/width/img1.gif\46query\75aw-signup-starter-us\46time\0751206107402348",                         "wizardChatOffline",                         "offline");     </SCRIPT>                 </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR>   <TR id=wzFooter>     <TD height=1><BR>       <CENTER class=footer>       <DIV        style="PADDING-RIGHT: 2ex; BORDER-TOP: #3f7c5f 2px solid; PADDING-LEFT: 2ex; PADDING-BOTTOM: 2ex; PADDING-TOP: 2ex">       <HR style="DISPLAY: none" noShade SIZE=1>       <FONT color=#666666 size=-1>©2008 Google - <A        href="https://adwords.google.com/select/Login" target=_top>AdWords        Home</A> - <A        onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})"        href="https://adwords.google.com/support/bin/static.py?page=guidelines.cs&hl=en_US"        target=google_popup>Advertising Policies</A> - <A        onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})"        href="http://www.google.com/privacy.html" target=google_popup>Privacy        Policy</A> - <A        onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})"        href="https://adwords.google.com/select/contactus/ContactUs?hl=en_US&ctx=foot"        target=google_popup>Contact Us</A></FONT></DIV></CENTER><BR>       <SCRIPT src="index_files/urchin.js" type=text/javascript></SCRIPT>       <SCRIPT type=text/javascript>  _uacct='UA-18008-1';  _uanchor=1;  _uccn="sourceid";  _ucmd="medium";  _ucsr="subid";  _uctr="term";  _ucct="content";  _ucid="cid";  _ucno="nooverride";  urchinTracker('/select/starter/signup/WizardComplete?wizardType\75newAccount\46wizardKey\075240d5eedf96505ba\46hl\75en_US');       </SCRIPT>       <SCRIPT type=text/javascript>         _uacct = 'UA-131600-8';                  urchinTracker("/2103821876/goal");       </SCRIPT>       <SCRIPT type=text/javascript>         _uacct = 'UA-131600-4';                    _udn="google.com";                  urchinTracker("/2329528547/goal");       </SCRIPT>     </TD></TR></TBODY></TABLE></BODY></HTML>

MGD

Re: [Phish] Google adwords phish "please udpate your billing inf

Sun, 23 Mar 2008 02:43:10 EDT

SnowyOne :

said by MGD :

IP 58.65.239.3 appears to have FTP running and hosts two domains: Escortinukraine.com and Kumau.info.

OK,OK, but just in the defense of Truth, Justice & The GoogleWay! :)

Re: [Phish] Google adwords phish "please udpate your billing inf

Sun, 23 Mar 2008 02:19:05 EDT

MGD :

said by SnowyOne :

Where would a logical traceroute of »r4oik.cn end at? ...

Appears to be roving bot type hosting. A 30 minute TTL on the phisher contolled DNS rotates a pool of hosts.

A list of 10 hosts cached on a non authorative DNS:


; > DiG 9.2.4 > @algw1.att.com -t A adwords.google.com.r4oik.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER->> opcode: QUERY, status: NOERROR, id: 22389
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 2
 
;; QUESTION SECTION:
;adwords.google.com.r4oik.cn. IN A
 
;; ANSWER SECTION:
 
adwords.google.com.r4oik.cn. 1800 IN A 84.108.239.70
[reverse DNS - bzq-84-108-239-70.cablep.bezeqint.net]
.
adwords.google.com.r4oik.cn. 1800 IN A 85.130.35.217
[reverse DNS - 85-130-35-217.1712826.ddns.cablebg.net]
.
adwords.google.com.r4oik.cn. 1800 IN A 86.122.171.209 
[reverse DNS - 86-122-171-209.rdsnet.ro]
.
adwords.google.com.r4oik.cn. 1800 IN A 87.68.1.132
[reverse DNS - 87.68.1.132.cable.012.net.il]
.
adwords.google.com.r4oik.cn. 1800 IN A 87.68.28.118
[reverse DNS - 87.68.28.118.cable.012.net.il]
.
adwords.google.com.r4oik.cn. 1800 IN A 222.235.171.188
[no reverse DNS set]
.
adwords.google.com.r4oik.cn. 1800 IN A 59.187.199.82
[no reverse DNS set]
.
adwords.google.com.r4oik.cn. 1800 IN A 79.116.242.190
[reverse DNS - 79-116-242-190.rdsnet.ro]
.
adwords.google.com.r4oik.cn. 1800 IN A 80.97.170.165
[no reverse DNS set]
.
adwords.google.com.r4oik.cn. 1800 IN A 81.25.43.13
[reverse DNS - port-13-adslby-pool43.infonet.by]
.

A get request of the root IP on several, if not all, of the above will generate a redirect to:
>http://www.microsoft.com/

Also, the actual phish page contains a 1x1 iframe for:
>http://58.65.239.3/cgi-bin/mail.cgi?p=tor

which is the subject of:

FORM id=wzMainForm name=wzMainForm

action=submit.php

method=post

and relevant to:

<td nowrap="nowrap"><div align="right"><span>Email:</span></div></td>                                   <td><input name="continue" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden">                                       <input name="followup" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden">                                       <input name="service" value="adwords" type="hidden">                                       <input name="nui" value="15" type="hidden">                                       <input name="fpui" value="1" type="hidden">                                       <input name="ifr" value="true" type="hidden">                                       <input name="skipvpage" value="true" type="hidden">                                       <input name="rm" value="hide" type="hidden">                                       <input name="ltmpl" value="login" type="hidden">                                       <input name="hl" value="en-US" type="hidden">                                       <input name="alwf" value="true" type="hidden">                                       <input name="GA3T" value="JSszExtkIFc" type="hidden">                                       <input name="GALX" value="RMI6xOsmqgc" type="hidden">                                       <input style="width: 116px;" name="Email" value="" id="Email"  size="18" type="text"></td>

After the submit to 58.65.239.3/cgi-bin/mail.cgi you are then redirected to >http://www.google.com:

IP 58.65.239.3 appears to have FTP running and hosts two domains: Escortinukraine.com and Kumau.info. They may not be relevant if that IP is hijacked.

MGD

Re: [Phish] Google adwords phish "please udpate your billing inf

Sat, 22 Mar 2008 17:57:01 EDT

SnowyOne : Where would a logical traceroute of »r4oik.cn end at?
China
Brazil
France
Zululand
Romania
Memphis TN

Here's a hint: It's a phish site
»89.41.180.87/icons/

Re: [Phish] Google adwords phish "please udpate your billing inf

Sat, 22 Mar 2008 17:34:01 EDT

SnowyOne :

said by Dennis :

yeah, after my post I tried to reach it from a "test" computer and couldn't get to it.

It's reachable. Maybe not touchable, but reachable.
»www.fr4ck.cn/icons/

Re: [Phish] Google adwords phish "please udpate your billing inf

Sat, 22 Mar 2008 14:56:52 EDT

Dennis : yeah, after my post I tried to reach it from a "test" computer and couldn't get to it.

odd....

Re: [Phish] Google adwords phish "please udpate your billing inf

Sat, 22 Mar 2008 13:47:33 EDT

MGD :

said by Dennis :

Got this today...looks like a pretty targeted scam to me. ......

Indeed, and a harder group to phish too, not your typical mom & pop phishing.

Did not last long either:

Lookup Failed. No IP address or host name

Ping

[r4oik.cn]

Bad destination

whois query for r4oik.cn...

Results returned from whois.cnnic.net.cn:

Domain Name: r4oik.cn
ROID: 20080321s10001s58333121-cn
Domain Status: ok
Registrant Organization: gfdthy
Registrant Name: hrthhtfhrth
Administrative Email: hfgdhf@nfrujhn.cn
Sponsoring Registrar: ????????????
Name Server:ns1.borxl.com
Name Server:ns2.borxl.com
Registration Date: 2008-03-21 04:12
Expiration Date: 2009-03-21 04:12

It may come back up hosted elsewhere, as that DNS is suspect.

nameserver: ns1.borxl.com 67.215.229.45
nameserver: ns2.borxl.com 24.52.12.10

DOMAIN: BORXL.COM

RSP: IMENA.ua
URL: »www.imena.ua

created-date: 2008-03-14
updated-date: 2008-03-14
registration-expiration-date: 2009-03-14

owner-contact: P-MBT398
owner-fname: Mike
owner-lname: Tyo
owner-street: 4034 Rahn Rd
owner-city: Eagan
owner-zip: 55122
owner-country: US
owner-phone: 6513969140
owner-email: miketyo@uk2.net

MGD

[Phish] Google adwords phish "please udpate your billing info"

Sat, 22 Mar 2008 13:19:47 EDT

Dennis : Got this today...looks like a pretty targeted scam to me.

------------------------

Dear Google AdWords Customer!

In order to update your billing information, please sign in
to your AdWords account at »https://adwords.google.com [ really goes to ht tp://adwords.google.com.r4oik.cn/select/Login/ or h ttp://adwords.google.com.fr4ck.cn], and update your
billing information. Your account will be reactivated as soon as you have
entered your payment details. Your ads will show immediately if you
decide to pay for clicks via credit or debit card. If you decide to pay
by direct debit, we may need to receive your signed debit authorization
before your ads start running, depending on your location. If you
choose bank transfer, your ads will show as soon as we receive your
first payment. (Payment options vary by location.)

Thank you for choosing AdWords. We look forward to providing you with
the most effective advertising available.

Sincerely,

The Google AdWords Team

------------------------

This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message. If you
have any questions after following the steps above, please visit the
Google AdWords Help Center at
»https://adwords.google.com/support/bin/t···hl=en_US to
find answers to frequently asked questions and a 'contact us' link near
the bottom of the page.

------------------------

--
My Blog. Because I desperately need the acknowledgement of others.

Meet my son, Connor.