What’s easier than making money the hard way? Stealing it.
That seems to be the motivation behind a Google AdWords phishing attempt a client received this morning. Luckily he had the keen eye to avoid the trap and forward the email to me for further review.
Step 1: The Phishing Lure
Here’s the email he received. It says his account is no longer running and that his ads need to be reviewed before being re-activated.
Looks legit, right? Even the reply-to address is the normal AdWords notification email account. Who wouldn’t log in to re-activate their ads?
Step 2: Set the Hook
After clicking the link, an unsuspecting advertiser could be tricked into filling in their AdWords username and password on this screen.
Again, it looks legitimate. More experienced AdWords users will immediately recognize this as an old version of the login page. The new version is below as a reference.
Step 3: Be The One That Got Away
There are numerous clues that the site may not be legitimate and should be avoided:
- The click-through URL on the email goes to “google-ist.com” instead of “google.com”. This should be a dead giveaway.
- The landing page is not served over HTTPS. All official Google login pages are.
- The email seems overly dire and not worded in the typical “Googley” fashion: “Please note: If you do not verify the status of your Adwords account and notify us if your ads do not appear online we can not help you and your ads will stay offline for the next few days.”
- The landing page is a copy of an old version and does not resemble the current AdWords login page.
- The whois information for this domain is not registered to Google. It’s probably fake info anyway, but it’s definitely not Google.
- Clicking the link in a modern browser pops up a phishing warning. Not all browsers do this, but it is extremely helpful and usually accurate.
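The first two clues (link domain and HTTPS) can be checked mechanically before anyone clicks. This is an added example, not part of the original post; the function names and the trusted-domain list are assumptions, and the sample URLs are constructed (the host name “google-ist.com” is the one from the email above).

```python
from urllib.parse import urlparse

# Domains the real AdWords login is expected to live on (assumption for this example).
TRUSTED_DOMAINS = ("google.com",)


def hostname_is_trusted(hostname: str) -> bool:
    """True only if hostname is a trusted domain or one of its subdomains.

    Matching on the dot boundary is what keeps look-alikes such as
    'google-ist.com' or 'google.com.evil.example' from passing; a plain
    substring test ('google.com' in url) would accept both.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_login_link(url: str) -> list[str]:
    """Return the red flags found in a link that claims to lead to a Google login."""
    flags = []
    parsed = urlparse(url)
    # urlparse().hostname strips any user@ prefix, so a link written as
    # https://accounts.google.com@google-ist.com/ still yields 'google-ist.com'.
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        flags.append("not https")
    if not hostname_is_trusted(host):
        flags.append(f"host {host!r} is not google.com")
        # A brand name inside an untrusted host is the classic look-alike pattern.
        if "google" in host:
            flags.append("look-alike domain uses the Google name")
    return flags


if __name__ == "__main__":
    # Constructed sample links: the phishing lure and the genuine login page.
    for link in ("http://google-ist.com/adwords/login",
                 "https://adwords.google.com/select/Login"):
        print(link, "->", check_login_link(link) or "no red flags")
```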