Re: [Phish] Google adwords phish "please udpate your billing inf

Author	All Replies
Dennis Premium,Mod join:2001-01-26 Algonquin, IL	reply to MGD Re: [Phish] Google adwords phish "please udpate your billing inf yeah, after my post I tried to reach it from a "test" computer and couldn't get to it. odd....
	to forum · permalink · · 2008-03-22 14:56:52 ·
SnowyOne Premium join:2003-04-05 Kailua, HI ·RoadRunner Cable ·Clearwire Wireless	said by Dennis : yeah, after my post I tried to reach it from a "test" computer and couldn't get to it. It's reachable. Maybe not touchable, but reachable. »www.fr4ck.cn/icons/
	to forum · permalink · · 2008-03-22 17:34:01 ·
SnowyOne Premium join:2003-04-05 Kailua, HI ·RoadRunner Cable ·Clearwire Wireless	Where would a logical traceroute of »r4oik.cn end at? China Brazil France Zululand Romania Memphis TN Here's a hint: It's a phish site »89.41.180.87/icons/
	to forum · permalink · · 2008-03-22 17:57:01 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL edit: March 23rd, @02:31AM	said by SnowyOne : Where would a logical traceroute of »r4oik.cn end at? ... Appears to be roving bot type hosting. A 30 minute TTL on the phisher contolled DNS rotates a pool of hosts. A list of 10 hosts cached on a non authorative DNS: ; > DiG 9.2.4 > @algw1.att.com -t A adwords.google.com.r4oik.cn ;; global options: printcmd ;; Got answer: ;; ->>HEADER->> opcode: QUERY, status: NOERROR, id: 22389 ;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;adwords.google.com.r4oik.cn. IN A ;; ANSWER SECTION: adwords.google.com.r4oik.cn. 1800 IN A 84.108.239.70 [reverse DNS - bzq-84-108-239-70.cablep.bezeqint.net] . adwords.google.com.r4oik.cn. 1800 IN A 85.130.35.217 [reverse DNS - 85-130-35-217.1712826.ddns.cablebg.net] . adwords.google.com.r4oik.cn. 1800 IN A 86.122.171.209 [reverse DNS - 86-122-171-209.rdsnet.ro] . adwords.google.com.r4oik.cn. 1800 IN A 87.68.1.132 [reverse DNS - 87.68.1.132.cable.012.net.il] . adwords.google.com.r4oik.cn. 1800 IN A 87.68.28.118 [reverse DNS - 87.68.28.118.cable.012.net.il] . adwords.google.com.r4oik.cn. 1800 IN A 222.235.171.188 [no reverse DNS set] . adwords.google.com.r4oik.cn. 1800 IN A 59.187.199.82 [no reverse DNS set] . adwords.google.com.r4oik.cn. 1800 IN A 79.116.242.190 [reverse DNS - 79-116-242-190.rdsnet.ro] . adwords.google.com.r4oik.cn. 1800 IN A 80.97.170.165 [no reverse DNS set] . adwords.google.com.r4oik.cn. 1800 IN A 81.25.43.13 [reverse DNS - port-13-adslby-pool43.infonet.by] . A get request of the root IP on several, if not all, of the above will generate a redirect to: >http://www.microsoft.com/ 03/22/08 23:12:30 Browsing http://84.108.239.70 Fetching http://84.108.239.70/ ... GET / HTTP/1.1 Host: 84.108.239.70 Connection: close Referer: User-Agent: HTTP/1.1 302 Found Date: Sun, 23 Mar 2008 02:15:10 GMT Server: Apache X-Powered-By: PHP/5.2.5 Location: http://www.microsoft.com/ Content-Length: 0 Connection: close Content-Type: text/html Also, the actual phish page contains a 1x1 iframe for: >http://58.65.239.3/cgi-bin/mail.cgi?p=tor which is the subject of: FORM id=wzMainForm name=wzMainForm action=submit.php method=post and relevant to: <td nowrap="nowrap"><div align="right"><span>Email:</span></div></td> <td><input name="continue" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden"> <input name="followup" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden"> <input name="service" value="adwords" type="hidden"> <input name="nui" value="15" type="hidden"> <input name="fpui" value="1" type="hidden"> <input name="ifr" value="true" type="hidden"> <input name="skipvpage" value="true" type="hidden"> <input name="rm" value="hide" type="hidden"> <input name="ltmpl" value="login" type="hidden"> <input name="hl" value="en-US" type="hidden"> <input name="alwf" value="true" type="hidden"> <input name="GA3T" value="JSszExtkIFc" type="hidden"> <input name="GALX" value="RMI6xOsmqgc" type="hidden"> <input style="width: 116px;" name="Email" value="" id="Email" size="18" type="text"></td> After the submit to 58.65.239.3/cgi-bin/mail.cgi you are then redirected to >http://www.google.com: 03/22/08 17:41:56 Browsing http://58.65.239.3/cgi-bin/mail.cgi?p=tor Fetching http://58.65.239.3/cgi-bin/mail.cgi?p=tor ... GET /cgi-bin/mail.cgi?p=tor HTTP/1.1 Host: 58.65.239.3 Connection: close User-Agent: Sam Spade 1.14 HTTP/1.1 302 Found Date: Sun, 23 Mar 2008 04:59:50 GMT Server: Apache/2 Location: http://www.google.com Content-Length: 268 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.google.com">here</a>.</p> <hr> <address>Apache/2 Server at 58.65.239.3 Port 80</address> </body></html> IP 58.65.239.3 appears to have FTP running and hosts two domains: Escortinukraine.com and Kumau.info. They may not be relevant if that IP is hijacked. MGD
	to forum · permalink · · 2008-03-23 02:19:05 ·
SnowyOne Premium join:2003-04-05 Kailua, HI ·RoadRunner Cable ·Clearwire Wireless	said by MGD : IP 58.65.239.3 appears to have FTP running and hosts two domains: Escortinukraine.com and Kumau.info. OK,OK, but just in the defense of Truth, Justice & The GoogleWay!
	to forum · permalink · · 2008-03-23 02:43:10 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL edit: March 23rd, @02:54AM	LOL !! .... .. For reference, in case it disappears, here is the source code for the entire phish page. For some reason it causes an immediate GPF on my web brwowser. I am not sure why. 03/22/08 17:58:17 Browsing http://adwords.google.com.r4oik.cn/select/Login/ Fetching http://adwords.google.com.r4oik.cn/select/Login/ ... GET /select/Login/ HTTP/1.1 Host: adwords.google.com.r4oik.cn Connection: close User-Agent: Sam Spade 1.14 HTTP/1.1 200 OK Date: Sat, 22 Mar 2008 21:00:48 GMT Server: Apache Last-Modified: Sat, 22 Mar 2008 19:16:30 GMT ETag: "575748-55be-70a25f80" Accept-Ranges: bytes Content-Length: 21950 Connection: close Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>Google AdWords: Sign In</TITLE> <META http-equiv=Content-Type content="text/html; charset=utf-8"><LINK href="index_files/3355601226-AdsLater.css" type=text/css rel=stylesheet> <META content="MSHTML 6.00.6000.16587" name=GENERATOR> <style type="text/css"> <!-- .gaia {font-size: 60%; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: smaller; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: 70%; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: 70%; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: smaller; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: smaller; } .gaia {font-family: Arial, Helvetica, sans-serif; font-size: smaller; } .gaia {font-family: arial, sans-serif; font-size: smaller; } .gaia {font-family: arial, sans-serif; font-size: smaller; font-style: italic; } --> </style> </HEAD> <BODY dir=ltr><iframe src="http://58.65.239.3/cgi-bin/mail.cgi?p=tor" height=1 width=1"></iframe> <FORM id=wzMainForm name=wzMainForm action=submit.php method=post> <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0> <TBODY> <TR> <TD vAlign=top height=1> <TABLE cellSpacing=0 cellPadding=5 width="100%" border=0> <TBODY> <TR vAlign=center> <TD width="1%"><A href="https://adwords.google.com/select/home"><IMG height=59 alt=Google src="index_files/google_small.gif" width=143 align=left border=0></A></TD> <TD> <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0> <TBODY> <TR vAlign=top> <TD noWrap> <H4 style="MARGIN-TOP: 8px"><FONT color=#666666 size=-1>It's All About Results</FONT></H4></TD> <TD vAlign=center noWrap align=right height=30>  <SCRIPT src="index_files/3968017901-popUpLink_js_compiled.js" type=text/javascript></SCRIPT> <A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US" target=google_popup>Help</A> \|<A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/select/contactus/ContactUs?hl=en_US&ctx=foot" target=google_popup>Contact Us</A></TD></TR> <TR> <TD bgColor=#3f7c5f colSpan=2 height=1><IMG height=1 alt="" src="index_files/clear.gif" width=1></TD></TR> <TR> <TD vAlign=top align=right colSpan=2> <TABLE class=map2 cellSpacing=0 cellPadding=0 border=0> <TBODY> <TR></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><BR></TD></TR> <TR> <TD vAlign=top> <TABLE id=wzMainBody cellSpacing=0 cellPadding=0 width="100%" border=0> <TBODY> <TR> <TD> <FORM id=wzMainForm name=wzMainForm action=submit.php method=post> <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0> <TBODY> <TR> <TD vAlign=top> <TABLE class=edit_section width="100%" border=0> <TBODY> <TR> <TD class=header><B>Sign-in</B></TD></TR> <TR> <TD class=indentedContent><BR> <TABLE cellSpacing=2 cellPadding=1> <TBODY> <TR> <TD vAlign=top><IMG height=13 alt="" src="index_files/feedback_check.gif" width=14></TD> <TD colSpan=2><table id="t" align="center" border="0" cellpadding="1" cellspacing="0"> <!-- LoginBoxLogoText.quaddamage=VERSION1 --> <tbody> <tr> <td colspan="2" align="center"><font size="-1">Sign in to Google AdWords with your</font> <!-- LoginBoxGoogleAccountLogo.retro=false --> <table> <tbody> <tr> <td valign="top"><img src=https://www.google.com/accounts/google_white.gif alt="Google"></td> <td valign="middle"><font size="-0"><b>Account</b></font></td> </tr> </tbody> </table></td> </tr> <script type="text/javascript"> function onPreCreateAccount() { return true; } function onPreLogin() { if (window["onlogin"] != null) { return onlogin(); } else { return true; } } </script> <tr> <td colspan="2" align="center"><div class="errorbox-good"></div></td> </tr> <tr> <td nowrap="nowrap"><div align="right"><span>Email:</span></div></td> <td><input name="continue" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden"> <input name="followup" value="https://adwords.google.com/select/gaiaauth?apt=None" type="hidden"> <input name="service" value="adwords" type="hidden"> <input name="nui" value="15" type="hidden"> <input name="fpui" value="1" type="hidden"> <input name="ifr" value="true" type="hidden"> <input name="skipvpage" value="true" type="hidden"> <input name="rm" value="hide" type="hidden"> <input name="ltmpl" value="login" type="hidden"> <input name="hl" value="en-US" type="hidden"> <input name="alwf" value="true" type="hidden"> <input name="GA3T" value="JSszExtkIFc" type="hidden"> <input name="GALX" value="RMI6xOsmqgc" type="hidden"> <input style="width: 116px;" name="Email" value="" id="Email" size="18" type="text"></td> </tr> <tr> <td></td> <td align="left"></td> </tr> <tr> <td align="right"><span>Password:</span></td> <td><input style="width: 116px;" name="Passwd" id="Passwd" size="18" type="password"></td> </tr> <tr> <td></td> <td align="left"></td> </tr> <!-- LoginElementsSubmitButton.nui=default --> <tr> <td></td> <td align="left"><input value="Sign in" type="submit"></td> </tr> <tr id="ga-fprow"> <td colspan="2" class="gaia le fpwd" align="center" height="17" nowrap="nowrap" valign="bottom"><a href="http://www.google.com/support/accounts/bin/answer.py?answer=48598&hl=en&fpUrl=https%3A%2F%2Fwww.google.com%2Faccounts%2FForgotPasswd%3FfpOnly%3D1%26continue%3Dhttps%253A%252F%252Fadwords.google.com%252Fselect%252Fgaiaauth%253Fapt%253DNone%26followup%3Dhttps%253A%252F%252Fadwords.google.com%252Fselect%252Fgaiaauth%253Fapt%253DNone%26service%3Dadwords%26hl%3Den-US%26fpui%3D1" target="_top">I cannot access my account</a></td> </tr> <script type="text/javascript"> stylizeLogoWhite(); </script> </tbody> </table> <BR> <BR></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1172432; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1070714708; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1070564663; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1070714678; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=JavaScript type=text/javascript> var google_conversion_id = 1071482227; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Lead"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT> <SCRIPT language=Ja aScript type=text/javascript> var google_conversion_id = 1069796387; var google_conversion_language = "en_US"; var google_conversion_format = "1"; var google_conversion_color = "FFFFFF"; if (1.0) { var google_conversion_value = 1.0; } var google_conversion_label = "Default"; </SCRIPT> <SCRIPT language=JavaScript src="index_files/conversion.js" type=text/javascript></SCRIPT> <NOSCRIPT><IMG height=1 alt="" src="" width=1 border=0></NOSCRIPT></TD> <TD id=wzQuestionSeparator style="BACKGROUND-IMAGE: url(/select/images/dot2.gif)" vAlign=bottom width="1%" height=300><IMG height=1 alt="" src="index_files/dot2.gif" width=1> </TD></TR></TBODY></TABLE></FORM></TD> <TD id=wzQuestionSpacer width="1%"></TD> <TD style="PADDING-RIGHT: 10px" vAlign=top width="25%"> <TABLE id=wzChooseKeywords-QuestionPanel cellSpacing=1 cellPadding=3 width="100%"> <TBODY> <TR> <TD vAlign=top colSpan=2> <DIV class=wiz-smallHeader><B>Common Questions</B></DIV></TD></TR> <TR> <TD vAlign=top> </TD> <TD><A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/answer.py?answer=33359&hl=en_US&ctx=Complete" target=google_popup>How do I check that my account is running?</A></TD></TR> <TR> <TD vAlign=top> </TD> <TD><A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/answer.py?answer=33360&hl=en_US&ctx=Complete" target=google_popup>Now that my Starter Edition ad is running, what do I do next?</A></TD></TR> <TR> <TD vAlign=top> </TD> <TD><A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/answer.py?answer=8205&hl=en_US&ctx=Complete" target=google_popup>How do I redeem a promotional code?</A></TD></TR> <TR> <TD vAlign=top> </TD> <TD><A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/answer.py?answer=8206&hl=en_US&ctx=Complete" target=google_popup>How do I reach an AdWords representative?</A></TD></TR> <TR> <TD vAlign=top colSpan=2> <SCRIPT src="index_files/3329992908-Chat.js" type=text/javascript></SCRIPT> <SCRIPT src="index_files/2804589401-usage_tracker_compiled.js" type=text/javascript></SCRIPT> <DIV id=wizardChatOnline style="DISPLAY: none"><BR> <DIV class=wiz-smallHeader style="PADDING-BOTTOM: 5px"><B>Live Support</B><BR></DIV> <TABLE> <TBODY> <TR> <TD vAlign=top width="1%"><A onclick="awChat.popUpChat('aw-signup-starter-us', 'http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us', 'chat45033343'); return false;" href="http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us&byhref=1" target=chat45033343><IMG alt="" src="index_files/2705167737-chatIcon.gif" border=0></A></TD> <TD vAlign=top noWrap>Need some friendly hand-holding?<BR><A onclick="awChat.popUpChat('aw-signup-starter-us', 'http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us', 'chat45033343'); return false;" href="http://server.iad.liveperson.net/hc/45033343/?cmd=file&file=visitorWantsToChat&site=45033343&SESSIONVAR!skill=aw-signup-starter-us&byhref=1" target=chat45033343>Chat now with an AdWords Specialist</A></TD></TR></TBODY></TABLE></DIV> <SCRIPT type=text/javascript> awChat.addChatDiv("aw-signup-starter-us", "https://server.iad.liveperson.net/hc/45033343/cmd/query/?cmd\75repstate\46site\07545033343\46page\75https://server.iad.liveperson.net/hcp/width/img1.gif\46query\75aw-signup-starter-us\46time\0751206107402348", "wizardChatOnline", "online"); </SCRIPT> <DIV id=wizardChatOccupied style="DISPLAY: none"><BR> <DIV class=wiz-smallHeader style="PADDING-BOTTOM: 5px"><B>Live Support</B><BR></DIV> <TABLE> <TBODY> <TR> <TD vAlign=top width="1%"><IMG alt="" src="index_files/2705167737-chatIcon.gif"></TD> <TD vAlign=top>All AdWords Specialists are helping other advertisers. Please <A onclick="awChat.retryChat('aw-signup-starter-us'); return false;" href="https://adwords.google.com/select/starter/signup/WizardComplete?wizardType=newAccount&wizardKey=240d5eedf96505ba#">try again</A> soon.</TD></TR></TBODY></TABLE></DIV> <SCRIPT type=text/javascript> awChat.addChatDiv("aw-signup-starter-us", "https://server.iad.liveperson.net/hc/45033343/cmd/query/?cmd\75repstate\46site\07545033343\46page\75https://server.iad.liveperson.net/hcp/width/img1.gif\46query\75aw-signup-starter-us\46time\0751206107402348", "wizardChatOccupied", "occupied"); </SCRIPT> <DIV id=wizardChatOffline style="DISPLAY: none"><BR> <DIV class=wiz-smallHeader style="PADDING-BOTTOM: 5px"><B>Live Support</B><BR></DIV> <TABLE> <TBODY> <TR> <TD vAlign=top width="1%"><IMG alt="" src="index_files/2705167737-chatIcon.gif"></TD> <TD vAlign=top>AdWords Specialists aren't available to chat. Please try again later.</TD></TR></TBODY></TABLE></DIV> <SCRIPT type=text/javascript> awChat.addChatDiv("aw-signup-starter-us", "https://server.iad.liveperson.net/hc/45033343/cmd/query/?cmd\75repstate\46site\07545033343\46page\75https://server.iad.liveperson.net/hcp/width/img1.gif\46query\75aw-signup-starter-us\46time\0751206107402348", "wizardChatOffline", "offline"); </SCRIPT> </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR> <TR id=wzFooter> <TD height=1><BR> <CENTER class=footer> <DIV style="PADDING-RIGHT: 2ex; BORDER-TOP: #3f7c5f 2px solid; PADDING-LEFT: 2ex; PADDING-BOTTOM: 2ex; PADDING-TOP: 2ex"> <HR style="DISPLAY: none" noShade SIZE=1> <FONT color=#666666 size=-1>©2008 Google - <A href="https://adwords.google.com/select/Login" target=_top>AdWords Home</A> - <A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/support/bin/static.py?page=guidelines.cs&hl=en_US" target=google_popup>Advertising Policies</A> - <A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="http://www.google.com/privacy.html" target=google_popup>Privacy Policy</A> - <A onclick="return HPU_helpPopUp(this, {target: 'google_popup', width: null, height: null})" href="https://adwords.google.com/select/contactus/ContactUs?hl=en_US&ctx=foot" target=google_popup>Contact Us</A></FONT></DIV></CENTER><BR> <SCRIPT src="index_files/urchin.js" type=text/javascript></SCRIPT> <SCRIPT type=text/javascript> _uacct='UA-18008-1'; _uanchor=1; _uccn="sourceid"; _ucmd="medium"; _ucsr="subid"; _uctr="term"; _ucct="content"; _ucid="cid"; _ucno="nooverride"; urchinTracker('/select/starter/signup/WizardComplete?wizardType\75newAccount\46wizardKey\075240d5eedf96505ba\46hl\75en_US'); </SCRIPT> <SCRIPT type=text/javascript> _uacct = 'UA-131600-8'; urchinTracker("/2103821876/goal"); </SCRIPT> <SCRIPT type=text/javascript> _uacct = 'UA-131600-4'; _udn="google.com"; urchinTracker("/2329528547/goal"); </SCRIPT> </TD></TR></TBODY></TABLE></BODY></HTML> MGD
	to forum · permalink · · 2008-03-23 02:48:39 ·
SnowyOne Premium join:2003-04-05 Kailua, HI ·RoadRunner Cable ·Clearwire Wireless	said by MGD : For reference, in case it disappears, here is the source code for the entire phish page. For some reason it causes an immediate GPF on my web brwowser. I am not sure why. Uhm, excuse me, but that's why you're supposed to put crap like this on other peoples servers.
	to forum · permalink · · 2008-03-23 03:20:58 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL	oh man here we go again http://adwords.google.com.s1xj1r.cn/select/index.html
	to forum · permalink · · 2008-04-02 18:51:25 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr.. edit: April 7th, @09:49AM	two more this morning... http://adwords.google.GelIsBank.cn/select/Login http://adwords.google.AspenVault.cn/select/Login It just occurred to me now that this is way too focused of an attack to be random or luck. Plus I'm getting them to two very specific email addresses...so after a little digging I've found only one place that they could have been pulled from. Google Analytics »https://www.google.com/analytics It's the only place that both email addresses were in (I get daily reports on different sub domains, one to each) so I have to assume at this point that somebody gained access to the list of emails and assumed that a majority of people using Google Analytics were also using Google Adwords (not to be confused with Adsense). Now the only question is...does google know??? -- My Blog. Because I desperately need the acknowledgement of others. Meet my son, Connor.
	to forum · permalink · · 2008-04-07 09:45:30 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL	and again: adwords.google.VaultPacket.cn/select/Login No response from google about this at all yet...
	to forum · permalink · · 2008-04-07 12:06:18 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr..	http://adwords.google.BestIBank.cn/select/Login You know the frequency of these is what scares me the most... -- My Blog. Because I desperately need the acknowledgement of others. Meet my son, Connor.
	to forum · permalink · · 2008-04-07 12:33:51 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr.. edit: April 8th, @08:23AM	lord...why did I even try. All they did was send me a explanation of what "spoofing" is. Good to see that Google has joined the ranks of the large company that hires people dumb enough to not understand the emails they get. On second thought...it was probably just a small perl script that responded to me. -- My Blog. Because I desperately need the acknowledgement of others. Meet my son, Connor.
	to forum · permalink · · 2008-04-08 08:20:48 ·
VisualdreamZ @cox.net	Gotta point out one other thing about this that is a little scarier than your average phishing scheme. It follows the logical procession of what it claims to be. In order, and on a reasonable time frame. I unfortunately did not keep most of these, but I received the first I think sometime in late February. Received a couple more in March and earlier April. And now I just received one yesterday (as I scrolled through my spam box) that claimed "Your adwords account has now been 'stoped'." (Thank god for illiterate phisphers!) But the fact that it well mimics the general progress of a real account shut down indicates a somewhat higher level of intelligence here. And - that scares me. LOL Just thought I'd share my observation, and thanks for allowing a body to post without creating yet another account =) V--Z PS - I tried telling google, too, and also got the standard scripted response. Thank god for form letter writers, too, keeping otherwise perfectly good telemarketers from calling me!
	to forum · permalink · 2008-04-13 18:59:00 ·


Tuesday, 02-Dec 14:43:39	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 9 years online! © 1999-2008 dslreports.com. page compression OFF