I now know what at least one of the scammers is doing. Screenshots of the fraudulent activity signature of this scammer are shown below. If you’ve recently clicked on a URL in an email apparently from Google, then you might want to check your AdWords History - as shown below. If these international fraudsters have gained access to your account - get hold of Google support ASAP, and change both the account you use and the password.
If this is what I think it is, then this is another variety of click fraud - clicks paid from your money, in your account, that don’t benefit you but indirectly benefit the scammers and Google. Let’s have a look at what these scammers do, and see if they are detectable.
Cautionary Note
Be careful when you visit a site like this. A classic malware attack is to get people to visit a compromised site that hosts malware that will enlist your machine in a botnet. If you go looking at stuff like this you need to be very careful that you don’t get compromised.
I think I’m pretty safe. I used an old email address that hasn’t been used for a Google Account previously. I used a unique password for that address - never previously used. I also changed everything immediately afterwards. I didn’t connect it with our MCC, and I used an account with no adverts and no funds from any source - so there’s no trace of my identity or connection with our business. I also used Flock for the first time - a social networking variant of Mozilla Firefox - to avoid any residual cookies and so on. I did most of the initial work in a virtual machine running Windows on my Mac - making it pretty difficult to penetrate the security - and when I saw no malware, switched back to Mac OS X for screenshots. I really wouldn’t advise looking at these criminal activities unless you take at least the steps I used. I expect that someone who has been involved in InfoSec more recently would suggest even more protective measures.
Domains
The domains used for this phishing attempt were source-adwords.com and ads-source.com. Like previous domains, these are registered to French mailing addresses. Not the same addresses as the previous round of messages - so it may be that they are abusing the identity of otherwise innocent parties. Since the scammers aren’t counting on the domain lasting for enough time to be fully registered, they don’t really need a real physical address that reaches them. I’m excluding legal requirements - these guys are criminals after all, so expecting them to obey any European laws about registering correct business addresses is excessively optimistic.
The name servers they use do seem to be consistent. This may suggest a relationship with some kind of hosting service. I must check that out and see whether these servers are all in the same facility.
What I Did
When I got this round of phishing emails, I checked the “whois” records, and captured info about the claimed domain owner. I then attempted to log in with a fake password - looking like a typo of the real password. If it was a malware download, I figured they’d go for both valid and invalid logins. They don’t appear to be delivering a malware load, or at least not from the range of sites that I’ve seen.
Another common Trojan technique is to put up a fake login page, and then issue an error message, even if the right data is submitted, redirecting to the right site - so at the point at which you become suspicious, you are now looking at the real site. When you rekey your details, they work. Most people assume that they miskeyed the blanked out password. The scammers meanwhile have collected your details and can now log in safely.
With a twinge of doubt, I submitted a real account name and password - knowing that the account was pretty much vanilla, having been just set up and being completely unfunded. That let me in to their stumpy site. Half the links don’t go anywhere. What it did give me was this offer:

Google’s been offering SMS alerts for some time. I’ve signed up to them for many of my client accounts, and I know what the screen looks like. This isn’t it - and notice the weird check box with pseudo-English offering “I agree with security types”?
This screen may give the scammers another revenue opportunity, if you give your cellphone number - but I don’t know much about mobile fraud mechanisms, yet. They obviously don’t care about that mechanism though, because they’ll gladly accept an empty phone number while giving a message that, yes, they’ll be giving me alerts. A note for non-US users - this page may strike you as odd, because it is clearly configured for a US phone number. Inside the US, of course, you won’t see the number format as jarring.

If you think you’ve seen this on your screen, you’re probably at risk.
The Evidence Trail
I briefly did some work in Information Security a few years ago, working with CAP Gemini’s InfoSec teams in the UK, and others. This data is not up to the standards of their digital forensics, but there are some interesting pieces of information we can pick out.

Oh ho - here’s the hot clue - MonetaAccount? Not something associated with anything I’ve been doing. Obviously, just as they use multiple people’s names for the Domains they use, this name may not be unique. I’d have to look at a few more phishing attempts before seeing the pattern here. Moneta does seem to be associated with mobile phone topups and instant charging. Perhaps this is a way to send clicks to Moneta, or Moneta is being used to extract funds (e.g. asking Google to close the account and send funds to Moneta?). Remember that Moneta may not be directly involved. If they run an affiliate program, this could be a, hrrm, “excessively enthusiastic” affiliate, using someone else’s money.
These guys apparently aren’t using the AdWords API. If they were, there’d be a clue in the Access tab of my compromised account. It would probably also be easier for Google to detect and track them down.
However, the speed of checking the account name and password means that the Phishing Server is passing data back to the malicious software pretty quickly. There may be a signature that *Google* could recognise, of attempted access to an account from a known suspicious IP address. I’ve certainly had no warning that my account IDs have had attempted use, and that I should check my account.
I can think of other techniques they might use, but I’m not sure that they are using them. I only like to document stuff that I’m pretty sure they’ve thought of already. They’ll be spending a lot longer thinking about and doing this activity than I can afford to spend pre-emptively working out what they do - an old dilemma for InfoSec. The baddies only have to break your site once to count a win and you have to defend against all the baddies, all the time, and can’t count coup on a successful defence.
What Is Google Doing?
They are clearly working with domain administrators. Neither of these latest sites is now working.
OTOH, Google sent a pretty bland and generic message when I told them that this account was compromised.
Their email also didn’t clearly explain how to create a new account ID and to change the password, though it said that you should. This sounds like classic advice from a technical wizard, who has no idea that ordinary users have problems translating the words into actions. I’ve been playing with some screen capture toys for the Mac, so I may make a video about adding accounts and removing access for the old account. It’s a good reason for all that playtime (well, there’s another reason, too… and you might find out about it!)
There appear to be at least two different levels of response that Google offer. If I have an ordinary account, not linked to my MCC, and I use the support contact information, I get a response offering the right suggestions, slightly more slowly than I’d expect for a security/financially related response, with information that is hard to parse for non-IT/InfoSec literate users. If I have a similar problem with an agency linked account, I can phone, and get specific immediate advice within about 10 minutes and an escalation to a security specialist.
What Should You Be Doing
Since I wrote this article, another of my clients has had suspicious activity. We’re looking into it, but it currently appears that a secondary user with a unique user account may have clicked on a phishing message, giving access to some third party who set up an AdSense account link.
So, what can you do to defend yourself?
- Don’t click on links in emails that lead to account name and password forms - type the name directly (PayPal, eBay or AdWords) or use a bookmark that you set up.
- Read the URL of the site carefully before you do anything involving secrets or money.
- Make sure the secondary account users know the hazards - and disable (remove) unused secondary accounts to reduce risk.
- Read your History log every so often - exclude bid changes, which are probably the most common activity, and look for the weird events, such as new IDs being added, or new destination URLs being set for keywords and adverts, or new and unexpected campaigns.
Summary
At least one class of AdWords Phishing scam is gaining access to accounts. What they do to accounts with funds is not yet known - but I’ll guess that you find new keywords added, with a new destination URL or possibly even new adverts. You may find links to AdSense or new payment processors - possibly signalling funds being leeched through fraudulent clicks or by shutting down the account and stealing residual funds.
Advertisers and agencies should always key in the name of the AdWords site or use a known good personal bookmark. Don’t use links in email.
Google could do more to authenticate their emails to users and establish that they have access to data that scammers would have to guess. eBay does this - using a personal name that I have registered so that my account email includes details that are only shared between me and eBay. This helps me to trust those emails more.
Google’s explanations are not yet clear enough for ordinary members of the public to manage a problem. A clearer, step by step description of the process to change account details would help.
Google could more positively warn users. I’m expecting that the scammers use a characteristic signature for account access - a server somewhere that is logging in. If they were really smart, they’d use a botnet and have a compromised home machine access the account. However, there is a pattern for legitimate users. Most AdWords users will use the same IP addresses or ranges. Google could establish the normal pattern and then send emails to warn of abnormal patterns, when those abnormal patterns have gained account access and performed a signature set of activities. The signature looks detectable…
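The two checks described above - reviewing the History log with bid changes excluded, and comparing the source of account access against the advertiser’s normal IP ranges - can be combined into one review script. This is an added example, not code from the original post or from Google; the history rows, email addresses, IP addresses and URL are constructed sample data, and the field layout is an assumption rather than the real AdWords export format.

```python
from ipaddress import ip_network

# Constructed sample of change-history rows (not real data).
# Fields: timestamp, acting user, source IP, action, detail.
HISTORY = [
    ("2008-06-30 09:12", "ken@example.com", "203.0.113.10",  "bid_change",       "kw 'red shoes' 0.40->0.45"),
    ("2008-06-30 09:15", "ken@example.com", "203.0.113.10",  "bid_change",       "kw 'blue shoes' 0.30->0.35"),
    ("2008-07-01 11:02", "ken@example.com", "203.0.113.12",  "bid_change",       "kw 'red shoes' 0.45->0.50"),
    ("2008-07-02 03:41", "ken@example.com", "198.51.100.77", "user_added",       "new login extra-user@example.net"),
    ("2008-07-02 03:44", "ken@example.com", "198.51.100.77", "destination_url",  "kw 'red shoes' -> http://promo.example/"),
    ("2008-07-02 03:50", "ken@example.com", "198.51.100.77", "campaign_created", "campaign 'Promo 77'"),
    ("2008-07-02 14:30", "ken@example.com", "203.0.113.10",  "bid_change",       "kw 'red shoes' 0.50->0.48"),
]

# The events the post says to look for once bid changes are excluded.
SIGNATURE_ACTIONS = {"user_added", "destination_url", "campaign_created"}

def network_of(ip, prefix=24):
    """Collapse a source address to its /24 so office DHCP churn still counts as 'normal'."""
    return ip_network(f"{ip}/{prefix}", strict=False)

def normal_networks(events, before):
    """Learn the advertiser's usual source networks from history earlier than `before`.
    Timestamps are ISO-style strings, so plain string comparison orders them correctly."""
    return {network_of(ip) for ts, _user, ip, _action, _detail in events if ts < before}

def review_history(events, since, baseline):
    """Apply the checklist to events from `since` onward: skip bid changes, flag the
    signature actions, and flag access from outside the baseline networks.
    Returns (timestamp, action, detail, reasons) for each event with at least one reason."""
    findings = []
    for ts, _user, ip, action, detail in events:
        if ts < since or action == "bid_change":
            continue
        reasons = []
        if action in SIGNATURE_ACTIONS:
            reasons.append("signature action: " + action)
        if network_of(ip) not in baseline:
            reasons.append("unusual source network: " + str(network_of(ip)))
        if reasons:
            findings.append((ts, action, detail, reasons))
    return findings

if __name__ == "__main__":
    baseline = normal_networks(HISTORY, before="2008-07-02")
    for ts, action, detail, reasons in review_history(HISTORY, "2008-07-02", baseline):
        print(ts, action, detail, "|", "; ".join(reasons))
```

Events that hit both reasons at once (a signature action from a never-seen network) are the ones worth an immediate call to support; a lone signature action from the usual office range is more often a colleague’s legitimate change.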
I’d like to see some active blogging from Google about this threat to advertisers, and how Google is protecting us. After all, activity undetected by advertisers is cash in Google’s pocket - not fraud. It only becomes fraud when known. There is an incentive for Google to brush this under the carpet and recognise more spend as revenue and less as fraudulent activity. If Google want to be my friend, then they have to act like it, and not hide the evidence of third party malfeasance.
While the frequency of these scam messages has been increasing recently, I suspect that the volume of click fraud is low. So it is a low risk - but a likely high impact for each affected account.
I suspect that the main subjects of this scam will be small volume advertisers, who are not AdWords daily usage experts - they won’t know what normal Google messages are like or what the evolving UI now looks like.
Looks like Moneta should be involved - the AdWords History Tool shows the Moneta Account ID. Backtracing within Moneta should allow identifying the perpetrators.
Updates
2008-07-03 Added new details of a real attack. Language tidy up. New section on activity you can do for self protection. Clarity on investigative activity vs screenshots - sense should be unchanged but now clearer why the screenshots are Mac based.

Ken wrote,
Great article. I noticed in your screenshots that you have some really interesting tabs, plugins etc….
Do you have a list of plugins you use? is that flock or opera or something?
July 3rd, 2008 at 3:01 pm
Jeremy Chatfield wrote,
Hi Ken - yes, that’s Flock, fresh out of the box.
July 3rd, 2008 at 9:56 pm
Neil Matthews wrote,
A very thorough and descriptive article.
I still cannot see the point of the cell phone number. Was this just a front, or are they going to use it for something nefarious? Premium SMS etc.
July 4th, 2008 at 8:06 am
Jeremy Chatfield wrote,
Hi Neil - I think the point of the “SMS alert service” is to give them time to get into your account and do stuff, while you are distracted. However, if they have your mobile number, name, email address and at least one password, I’m sure there must be some other scam they could be doing, too. I’d be interested to find out what (I suppose that means that I should get a PAYG mobile, to test).
July 4th, 2008 at 12:51 pm
Hans A. Koch wrote,
Moneta is a code word inside Google for the Billing team.
Interesting…
July 5th, 2008 at 9:07 am
Internet Marketing Uncut wrote,
Nice post. Some of these guys will stop at nothing to get your information.
July 14th, 2008 at 12:48 am
Ferenc wrote,
Hi,
I got these types of emails, but did not click them. But, my account histories show Moneta account creations. I just chatted with Google, and they told me this: ‘The Moneta account creation that you see is for our internal reference and has nothing to do with malicious activity with your account.’
Interesting... but there is no info about that in the AdWords help section.
July 15th, 2008 at 10:14 am
Jeremy Chatfield wrote,
Hi Ferenc - very interesting. Thanks for that. I guess this relates to Hans Koch’s comment above. Intriguing timing - this account change was close to the time that I gave bad details, so I assigned it to the phishers, not Google. Puts a whole new complexion on it. I guess I’ll need to set up another honey trap!
Interesting that Google make a note in the history. Originally, it was all but impossible to find Google changes in the history (e.g. automated bid changes). More and more of Google’s activities seem to be showing up, even when the client has no idea what the activities mean.
Thanks very much for that tidbit.
July 15th, 2008 at 3:09 pm