Phishing for Google adwords
Today, (Tue Nov 11 17:27:xx in GMT+1) I received:
From: Google AdWords <setup@google.com>
To: xxx@xxx.xxx
Subject: Google AdWords Alert
Date: Wed, 12 Nov 2008 02:27:xx +1000

Hello,

Our attempt to charge your credit card on Wed, 12 Nov 2008 02:27:xx +1000 for your outstanding Google AdWords account balance was declined. Your account is still open. However, your ads have been suspended. Once we are able to charge your card and receive payment for your account balance, we will re-activate your ads.

Please update your billing information, even if you plan to use the same credit card. This will trigger our billing system to try charging your card again. You do not need to contact us to reactivate your account.

To update your primary payment information, please follow these steps:

1. Log in to your AdWords account at: http://adwords .google .com .session- xxxxxxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxxxxxx .com68 .ru
3. Click 'Billing Preferences' link.
4. Click Edit next to the appropriate 'Payment Details' section.
5. Enter your new or updated payment information.
6. Click 'Save Changes' when you have finished.

In the future, you may wish to use a backup credit card in order to help ensure continuous delivery of your ads. You can add a backup credit card by visiting your Billing Preferences page.

------------------------------------------------------------------
This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message. If you have any questions, please visit the Google AdWords Help Centre at https://adwords.google.com/support/?hl=en_GB to find answers to frequently asked questions and a 'contact us' link near the bottom of the page.
----------------------------------------------------------------

Thank you for advertising with Google AdWords. We look forward to providing you with the most effective advertising available.

Sincerely,
The Google AdWords Team
The x-ed out stuff was spot-on; the spaces are added to the URL to prevent any reader from clicking on it. It was sent to an email address I actually have used in association with Google AdWords (although it's not that well targeted: I got other copies of it on addresses I use in conjunction with managing websites but not linked to AdWords).
Notice the lack of obvious errors aside from a date that's in the future (their timezone calculation might be off) and the concealed URL that does not point to google.com, but to .com68.ru.
Now, when explaining to your users how to detect phishing from real warnings, do you think your users have a reasonable chance of noticing this before the credit card gets abused?
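The tell in this message, a host name that starts with adwords.google.com but ends in .com68.ru, can be checked mechanically by comparing only the right-most DNS labels of a link. The following is an added example, not part of the original diary entry; the function names are assumptions, and the sample link is the defanged one quoted above with its x-ed out labels left as they are.

```python
from urllib.parse import urlsplit

# The link from the message above, kept in the defanged (spaced) form used here.
SAMPLE_LINK = ("http://adwords .google .com .session- xxxxxxxxxxxxxxxxxxxx "
               ".xxxxxxxxxxxxxxxxxxxx .com68 .ru")
# The genuine help link quoted in the same message.
REAL_LINK = "https://adwords.google.com/support/?hl=en_GB"


def host_labels(url):
    """Return the DNS labels of the URL's host, lowercased, left to right."""
    compact = "".join(url.split())  # undo the defanging spaces
    host = (urlsplit(compact).hostname or "").rstrip(".")
    return host.split(".") if host else []


def classify_link(url, trusted="google.com"):
    """Classify a link as 'trusted', 'lookalike', 'other' or 'no-host'."""
    labels = host_labels(url)
    want = trusted.lower().split(".")
    if not labels:
        return "no-host"
    # Who controls a host is decided by its right-most labels only,
    # compared label by label so "notgoogle.com" does not match.
    if labels[-len(want):] == want:
        return "trusted"
    # The trusted name showing up further left is the trick used in this
    # message: those labels are chosen freely by the owner of com68.ru.
    for i in range(len(labels) - len(want)):
        if labels[i:i + len(want)] == want:
            return "lookalike"
    return "other"


if __name__ == "__main__":
    for link in (SAMPLE_LINK, REAL_LINK):
        print(classify_link(link), ".".join(host_labels(link)))
```
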
Tracing it back:
- com68.ru has a private registration. Sure, what's new.
- The email originated in 77.34.0.0/15 (used by an ISP based in Vladivostok).
- The actual DNS name didn't resolve at the time of this writing.
--
Swa Frantzen -- Section 66