Phishing Google AdWords!
After the phishing phenomenon hit banks, postal services, eBay, Amazon and almost all of the best-known services and websites, today I received my first phishing email relating to Google AdWords, Google's advertising service. The email I received reads exactly as follows:
Dear Google AdWords Advertiser, We are monitoring account activity and deleting the account of users who have been inactive and have no funds in their accounts. We hereby notify you that your account has been inactive for a long period of time and is liable to be deleted. In order to keep your account active you need to login using your Google AdWords registration data. Please click on the link below: https://www.google.com/accounts/ServiceLoginAuth?service=adwords By clicking on the link above you will proceed directly to the data entry page. If the link does not work, copy the whole URL into the address box of your browser and press “Enter”. If you do not activate your account, it will be blocked after witch it will be deleted. Thank you for advertising with Google AdWords.
Obviously I have removed the link. I'm a little ashamed of it, but since I haven't used AdWords for a long time (since the launch of www.allaccomodations.com, more than a year ago), I clicked the link and was saved by a "404 not found" error page written almost entirely in an Asian language (Korean, I believe; further down I explain why I suppose so)! Saved by a miracle! But now, looking at the email again, I notice a couple of things:
- my account is not only for AdWords, but also for GMail, AdSense, Analytics, Webmaster Tools, and so on. It doesn't make much sense for them to disable only AdWords for lack of use. Why force me to sign up again when I eventually want to, basically, give them my money?
- the way my AdWords account is set up, I don't have a prepaid credit; any impressions are charged periodically to my credit card
Taking a look at the source of the email message, you can see this:
Delivered-To: xxxxxxxxxxxxxxxxxxxxxx
Received: by 10.210.105.11 with SMTP id d11cs55440ebc;
Tue, 25 Aug 2009 15:55:34 -0700 (PDT)
Received: by 10.103.78.17 with SMTP id f17mr3067556mul.7.1251240930823;
Tue, 25 Aug 2009 15:55:30 -0700 (PDT)
Return-Path: <notice@adwordsgoogle.com>
Received: from md1.psixpress.com (md1.psixpress.com [154.32.105.205])
by mx.google.com with ESMTP id 7si2333855mup.24.2009.08.25.15.50.43;
Tue, 25 Aug 2009 15:55:30 -0700 (PDT)
Received-SPF: neutral (google.com: 154.32.105.205 is neither permitted nor denied by best guess record for domain of notice@adwordsgoogle.com) client-ip=154.32.105.205;
Authentication-Results: mx.google.com; spf=neutral (google.com: 154.32.105.205 is neither permitted nor denied by best guess record for domain of notice@adwordsgoogle.com) smtp.mail=notice@adwordsgoogle.com
Received: from User (wsip-68-15-25-235.sd.sd.cox.net [68.15.25.235])
by md1.psixpress.com (MOS 3.8.3-GA)
with ESMTP id JMD05969 (AUTH jean);
Tue, 25 Aug 2009 23:49:13 +0100 (BST)
Message-Id: <200908252249.JMD05969@md1.psixpress.com>
From: "Google AdWords"<notice@adwordsgoogle.com>
Subject: Google AdWords Notice
Date: Tue, 25 Aug 2009 15:49:22 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Google AdWords</title>
</head>
<body>
<p>Dear Google AdWords Advertiser,</p>
<p>We are monitoring account activity and deleting the account of users who<br />
have been inactive and have no funds in their accounts.<br />
We hereby notify you that your account has been inactive for a long period<br />
of time and is liable to be deleted. In order to keep your account active you<br />
need to login using your Google AdWords registration data. Please click on the<br />
link below:</p>
<p><a href="http://toxneuro.or.kr/zb41pl2_english/data/SCofNTPP/1194500408/redirect/www.google.com/accounts/ServiceLogin/?service=adwords&cd=null&hl=en-US&ltmpl=adwords&passive=true&ifr=false&alwf=true&continue=https%3A%2F%2Fadwords.google.com%2Fselect%2Fgaiaauth%3Fapt%3DNone%26ugl%3Dtrue">https://www.google.com/accounts/ServiceLoginAuth?service=adwords</a><br />
</p>
<p>By clicking on the link above you will proceed directly to the data entry page.<br />
If the link does not work, copy the whole URL into the address box of your browser<br />
and press "Enter".</p>
<p>If you do not activate your account, it will be blocked after witch it will be deleted.</p>
<p>Thank you for advertising with Google AdWords.<br />
</p>
</body>
</html>
The parts in bold highlight the strange route the message took, originating from non-Google servers. Hmm… Finally, the part in red shows the real URL of the link: toxneuro.or.kr; a Korean site, at least judging by the kr TLD.
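
The two checks made by hand above (which servers the message really came from, and where the link really points) can be scripted. The following Python is an added example, not part of the original post: it runs on a constructed sample cut down from the message quoted above, and the names `LinkCollector`, `host`, `under` and `analyse` are hypothetical.

```python
import email, re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: headers and link cut from the message above (href path shortened).
SAMPLE = '''Return-Path: <notice@adwordsgoogle.com>
Received: from md1.psixpress.com (md1.psixpress.com [154.32.105.205])
 by mx.google.com with ESMTP; Tue, 25 Aug 2009 15:55:30 -0700 (PDT)
Received-SPF: neutral (google.com: 154.32.105.205 is neither permitted nor denied by best guess record for domain of notice@adwordsgoogle.com) client-ip=154.32.105.205;
Content-Type: text/html; charset="utf-8"

<p><a href="http://toxneuro.or.kr/shortened/redirect/www.google.com/accounts/ServiceLogin/?service=adwords">https://www.google.com/accounts/ServiceLoginAuth?service=adwords</a></p>
'''

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # host part only; "google.com" inside the path is ignored
    return (urlsplit(url).hostname or "").lower()
def under(hostname, domain):  # exact match or true subdomain, not a string suffix
    return hostname == domain or hostname.endswith("." + domain)

def analyse(raw, brand="google.com"):
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["Return-Path"] or ""))[1].rpartition("@")[2].lower()
    # Topmost Received line naming a peer = host that handed the mail to our MX.
    hops = (re.match(r"from\s+(\S+)", str(h)) for h in msg.get_all("Received", []))
    relay = next((m.group(1).lower() for m in hops if m), "")
    parser = LinkCollector()
    parser.feed(msg.get_content())
    pairs = [(host(text), host(href)) for href, text in parser.links]
    return {"sender_ok": under(sender, brand), "relay_ok": under(relay, brand),
            "spf": str(msg["Received-SPF"] or "none").split()[0].lower(),
            "link_mismatch": [(s, r) for s, r in pairs if s and r and s != r]}
```

Only the `Received` line written by your own mail server is trustworthy; lines below it are supplied by the sending side and can be forged.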