
Tuesday 4 October 2011

Several AdWords phishing sites at Prolexic

Prolexic is an anti-DDoS specialist hosting firm with a reputation for being one of the good guys, so it's a bit of a surprise to see Google AdWords phishing sites on a Prolexic server. Hopefully they won't be there for long.

The phishing messages look something like this:

From: Google AdWords
Subject: Google AdWords: You have a new alert.

------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message. If you
have any questions, please our Help Center to find answers to
frequently asked questions.
------------------------

Dear Valued Customer, 

You have a new alert from Google Adwords.

Sign in to your AdWords account at http://www.googlernn.com/Select/login

Yours Sincerely,
The Google AdWords Team

It's difficult to know just how many phishing sites are on this server; however, the following can be identified:


The sites appear to be hosted on 72.52.4.95 along with thousands of legitimate sites. All the domains were registered in the past few days, with the registrant details hidden.
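As an added illustration (not code from the original post), here is a small Python checker that pulls URLs out of a message like the one quoted above and flags hostnames that imitate a brand label by typo, padding, hyphenation or use of the brand as a subdomain. The BRANDS tuple, the edit-distance threshold and the five-character "stem" rule are assumptions chosen for this example, so expect some false positives on short domains.

```python
import re
from urllib.parse import urlparse

# Brand second-level labels to protect. Constructed allow-list for this example.
BRANDS = ("google", "adwords")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Naive: the last two labels. Real code should consult the Public Suffix List.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_reason(host: str):
    """Return why host looks like a brand imitation, or None if it does not."""
    domain = registrable_domain(host)
    label = domain.split(".")[0]
    if label in BRANDS:
        return None  # the brand's own registrable domain
    stripped = label.replace("-", "")  # google-bnc -> googlebnc
    for brand in BRANDS:
        if brand[:5] in stripped:  # brand stem padded with junk: googlernn
            return f"contains brand stem of {brand!r}"
        if levenshtein(stripped, brand) <= 2:  # typo-squat: googmlbe
            return f"within edit distance 2 of {brand!r}"
        if brand in host.lower().split(".")[:-2]:  # google.com.evil.example
            return f"brand {brand!r} used as subdomain of {domain}"
    return None


def check_message(text: str) -> dict:
    """Map every URL hostname found in text to its lookalike reason (or None)."""
    hosts = [urlparse(u).hostname for u in re.findall(r"""https?://[^\s<>"']+""", text)]
    return {h: lookalike_reason(h) for h in hosts if h}


# Constructed sample: the lure quoted in the post above, trimmed to its URL line.
SAMPLE_MESSAGE = """Dear Valued Customer,
Sign in to your AdWords account at http://www.googlernn.com/Select/login
The Google AdWords Team"""
```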

Tuesday 24 April 2007

Malware via AdWords

A typical approach to spreading malware is to hack a site and then inject an IFRAME pointing towards some obfuscated JavaScript that eventually connects to a site hosting an exploit.

From the point of view of an attacker, this is fine. But what if the natural traffic for the site isn't enough?

Here's one I came across today with a completely new twist.

In this particular case, our antivirus software came up with an alert for what appeared to be some variant of the JS/Petch trojan. The machine didn't appear to be infected, but I investigated further. (Just to be clear, it wasn't my machine!)

An analysis of the machine indicated that this particular user had been doing some fairly innocent lunchtime surfing, looking for a particular product; let's say widgets.

In this case, the user went to Google and searched for "widgets" and got the usual load of search results, complete with a set of ads along the top and down the side: normal Google AdWords ads. This user then clicked on the top ad, apparently promoting a company that we will call widgetsgb.com, which is where it gets interesting.

Instead of being taken to widgetsgb.com, Google directed the visitor to another site. This in itself is not unusual; sometimes different domains are used for tracking or whatever. However, in this case the site was completely unrelated, say notwidgetsatall.co.uk, in which was buried an exact copy of the front page of widgetsgb.com. So the front page of notwidgetsatall.co.uk looked completely normal, but in a subdirectory, notwidgetsatall.co.uk/widgets, was an exact copy of the other site.

Well, not precisely an exact copy. This version had some IFRAME goodness pointing to an IP in Germany, which served the obfuscated JavaScript pointing elsewhere. It doesn't really matter where.

What was interesting about this whole thing was that the user had clicked on a paid ad rather than a natural search result. Which means that somebody had to pay for the click... and by the looks of things that somebody had to pay a respectable amount to get the number one position. Of course, the bad guys never pay for anything, as it would be uneconomic for them, so the indications are that they were using a hacked AdWords account.

What is strange about this whole thing is the amount of effort that the bad guys put into this: they targeted a niche site without an awful lot of traffic, made a duplicate and then set up an advertising campaign to drive what was presumably not an awful lot of clicks to their IFRAME.

I guess the AdWords account was picked up with a keylogger installed on another hacked machine. It's the first time I've seen AdWords used in this way, but it shows that the bad guys can squeeze the value out of just about anything.