AdWords Phishing Alert

I have just received a series of evilly crafted attempts to obtain account names and passwords, or possibly to deliver malware. Formatted as a better than average mail message from Google, it looks like a genuine Customer Service message. Clicking the embedded link takes you to a site that looks like Google, but is a fake site. General advice - never click on a link involving account names and passwords that could affect your financial status, when it is embedded in an email. Always key in a domain name that you know - like “adwords.google.com” or “paypal.com”.

When I first saw one of these emails, I was suspicious. I’ve been using AdWords for around five years at this point and I’ve never personally had a message like this. I know that account and budget expiration notifications aren’t like this. Additionally I didn’t get an SMS, and I set up most stuff so that I do get an SMS notice that I can cross check with the account alerts. Finally there’s an oddity of English usage - “Renew now today” - that just doesn’t read well; at least, not for a UK English user.

I’ll bet that a lot of folk will blithely click through and enter name and password to a site that looks exactly like adwords.google.com - “adyms-words.com” or the more recent “login11-words.com”. Note that the names change - we’ll look at why, in a moment.

Also note that the email is from “Google AdWords <customersolutions--ysm@google.com>”. This is not a real Google address, but it is similar to the sender address of notifications from Yahoo! Search Marketing, on a password change, for example. If you reply to the email - in a few minutes you’ll get a reply from Google’s mail servers that the account is unknown. If mail user agents were smarter, they’d give you a warning that the SPF is showing that the sender’s IP address is not validated for the domain. The email headers will typically show something like:

Received-SPF: softfail (google.com: domain of transitioning
    customersolutions--ysm@google.com does not designate 64.254.62.211 as
    permitted sender) client-ip=64.254.62.211;
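As an added example (not the author’s code, nor anything from Google), here is the kind of check a mail client could run on a message like the one above: it parses a constructed message modelled on the quoted SPF header and the “login11-words.com” link, flags a non-pass SPF result for a sender claiming to be google.com, and flags embedded links that are not https or not on a google.com host. The trusted-domain list and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains expected to host the AdWords login and send its mail (assumption).
TRUSTED_DOMAINS = ("google.com",)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

# Constructed sample modelled on the SPF header and links quoted in the post.
SAMPLE_MAIL = """\
Received-SPF: softfail (google.com: domain of transitioning
 customersolutions--ysm@google.com does not designate 64.254.62.211 as
 permitted sender) client-ip=64.254.62.211;
From: Google AdWords <customersolutions--ysm@google.com>
Subject: Your AdWords account - Renew now today
Content-Type: text/html

<p>Please <a href="http://login11-words.com/select/login">sign in</a>
to renew, or use <a href="https://adwords.google.com/select/login">AdWords</a>.</p>
"""

def in_trusted_domain(host):
    """True when host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def spf_result(msg):
    """First keyword of Received-SPF (pass, softfail, fail...); 'none' if absent."""
    value = msg.get("Received-SPF")
    return " ".join(value.split()).split(" ", 1)[0].lower() if value else "none"

def assess(raw):
    """Findings a mail client could warn on, for one RFC 5322 message string."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Mail claiming a trusted sender domain should pass SPF; softfail is suspect.
    result = spf_result(msg)
    if result != "pass" and in_trusted_domain(sender_domain):
        findings.append(f"spf:{result}:{sender_domain}")
    payload = msg.get_payload(decode=True) or b""
    for url in HREF_RE.findall(payload.decode("utf-8", "replace")):
        parts = urlparse(url)
        if parts.scheme != "https":  # the fake site served plain http
            findings.append(f"insecure-link:{url}")
        if not in_trusted_domain(parts.hostname or ""):  # e.g. login11-words.com
            findings.append(f"untrusted-link:{parts.hostname}")
    return findings
```

Running assess(SAMPLE_MAIL) reports the SPF softfail and both problems with the fake login link, while the genuine https adwords.google.com link passes clean.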

OTOH, I’m pretty sure that my emails would show a similar warning. I’m running a small business with a focus on Internet Marketing; my IT background helps me understand this sort of stuff, but it isn’t my primary business focus and I do forget to update the records; my staff are even less IT literate and more marketing oriented. I really should check that now, because no-one else will… :(

Anyway, here’s what “login11-words.com” looks like:

Fake Google Site - not on https, and not adwords.google.com

For comparison, here’s an image capture of the real AdWords site. Note that AdWords uses the secure protocol “https”. Some browsers show a secure HTTP site URL in a different colour or have a lock shown in the frame of the window. Also note that the fake site has a different URL. That’s the key signature that this is an attempt to spoof, for AdWords users. I gave a cursory check to see if any of the files looked like malware - couldn’t see anything in obvious spots, but I’ve yet to disembowel the Javascript in detail.

Real AdWords site

Why Send This Email

So, if someone sends you this email, and you click, and then login, what is the likely consequence?

Is it a malware download? Doesn’t look like it. See this Trend Micro report on an earlier faked AdWords attack.

I’m not entirely sure. I haven’t been silly enough to offer a real account name and password. I might set up a pre-paid account so that I can test… But that’ll take a while.

I’ll guess that fraudsters will set up new adverts, very expensive, for content match on sites that they control, and also direct traffic to sites under their control. If the fraudsters’ conversion rate is only 0.1%, then using someone else’s money to get traffic makes that site viable.

I’ll also guess that fraudsters may disable access - probably by eliminating other logins and changing the password. So if you have login problems, start getting worried.

Email

The email uses some interesting techniques to demonstrate authenticity.

It looks like an email from a legitimate organisation. It even has helpful tips about the processes, and a reminder to use your AdWords account details, not your email details. After all, the fraudsters would hate to waste their time on a bad account…

Here’s the email, formatted in GMail:

Phishing email

The light bulb image is taken from MSN’s paid search vehicle, AdCenter. So these guys are obviously looking round at other opportunities to do harm, or they wouldn’t be sniffing around there for that image.

Testing Responses

So… I put in fake account details…

There’s a difference in behaviour. The fake site first:

Login error on fake site

Note that the fraudsters have used a new URL for a login error. They’ve also not remembered the account name.

Here’s the real Google AdWords response to an incorrect login attempt:

Real Google Login Failure

See that the URL is retained, as is the account name offered. Google’s login system is more complex and smarter.

Google’s Response, Our Response and Your Response

Google and domain administrators seem to be reacting quickly to this problem.

Within twelve hours of my receipt of the first message, the domain was taken down. There was no record of the domain at all. However, the most recent emails still refer to a domain that has been active for about 36 hours at this point. My guess is that Google is slower responding to these problems at weekends - and probably domain registrars are, too. If these sneaky scum were smart, they’d preferentially send emails just before a weekend, and count on out-of-hours activity to be slower. The first pair of these emails that I’ve seen were emailed early in the week. This may point to the scamsters being keen to make money, or may indicate that they know that Google’s response is slow enough that taking advantage of weekend downtime doesn’t matter.

I’ve checked the domain ownership of my most recently received phishing attempts, and it shows a (possibly faked) domain owner. I have captured the screenshot, but since the person identified may be the victim of identity theft, I am not publishing their details here. As I come across more examples, I’ll be checking the ID of the site owner and if I see a pattern, I’ll be reporting it to UK police - a gesture of optimism, I suspect. If anyone knows a better process to nail the sneaky cheats, I’d be happy to hear it.

I’m also reporting these emails to my AdWords Account team and warning all my clients. I’m recommending that clients switch to using the AdWords Editor as much as possible - and that they must *never* respond to an email with an embedded link like this. That’s hard, because email marketeers rely on people clicking links in email. If users get used to the idea of not clicking on links in email - it’ll make the world financially safer, but it does degrade the value of email for both casual and commercial purposes. OTOH, it also shows the trusting nature of early internet protocols, something that Google relies on… that most people are of good intent.

I’ve increased the monitoring of my client accounts - a pain, since this isn’t an activity I’ve budgeted for. It costs me and eventually I suppose that I’ll have to raise prices to my clients, in order to cover those costs. This is doubly annoying because this is a cost that doesn’t increase sales, it just reduces client risk - a risk introduced through advertising.

I’ve also got a defensive product in mind - but it is currently implausible because of the restrictions of the AdWords API. I may blog about that in a future article.

What Else Could Be Done?

I note that both the email and the fake site use images from Google and Microsoft paid search programmes.

When I saw the first of these, I thought that a solution would be to tweak the Google and Microsoft web servers. It should be possible to conditionally serve a different image if a browser or email request is not loading the normal set of resources. However, looking at later messages suggests that this would be ineffective. The fraudsters are reaping the graphic images and feeding them from their own servers. If the images were taken from Google and Microsoft then it should be possible to feed a Phishing Warning embedded in the image (“This image may be used on a site attempting to steal your account; please check that you are on https://AdWords.Google.com/select/login”).

Google should be commended for their foresight in offering the AdWords Editor - this tool makes it harder for accounts to be stolen. I don’t think the primary motivation was account protection, but local apps are harder to crack (if reasonably designed) than Social Engineering attacks by fake sites.

Google has introduced SMS alerts and there are matching alerts in the account summary page. If you receive an SMS alert and then login by typing the AdWords URL correctly to verify the alert, you’ll minimise the chances of problems. I hope that Google will increase attempts to get account owners and administrative staff to use SMS alerts. If you know that you don’t receive alerts by email, only by SMS, it reduces attacks by this route. The costs of SMS notices are probably not enough to dissuade the fraudsters completely, but it’ll help, somewhat. There is a problem with the existing SMS alerts - they use only the last four digits of the AdWords Account ID. When you have enough accounts to monitor, working out which account submitted the alert may be time consuming.

If the AdWords Editor carried alerts, then the dangerous web login step could be evaded.

PayPal uses private information (the name you registered, not the email address) to confirm that the email has come with privileged information. I note that the AdWords Phishing Emails do not mention the Account ID, nor a registered user name. The Account ID is *NOT* suitable as an identifier… Why? I’ve got far too many client accounts to remember all the numbers. I can remember the names, and the email and name must match… or I get suspicious again.

If Google more frequently sent out contact emails, with privileged contact information, then users would get used to seeing the format of messages. Phishing emails that deviated from the Google AdWords mail messages would become more obvious. Not a lot - but it would provide some additional level of protection for more vigilant and wary users. Social Engineering attacks work because most people are nice; most recipients can trust most messages - so long as they don’t offer various body enlargements, recreational pharmaceuticals or replica jewelry.

GMail does not show the SPF warning. I can imagine that Google could use the SPF warnings on their own domains with some confidence. More confidence than they have for other domains. Additionally they could blacklist emails from addresses that don’t exist in the google.com domain. That would protect AdWords Users who use GMail accounts, somewhat better. Since this is intrusive monitoring - it’d probably need an opt-in.

I’ll keep thinking. Perhaps other solutions will occur to me.

"AdWords Phishing Alert" was published on June 7th, 2008 and is listed in google, adwords.
