Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 7 September 2008

OH NOES! My AdWords adverts aren't .... hang on a second!

It would seem an account I never had has adverts that I've never set up, not being run. Oh dear, some silly scammer hasn't done their homework again (no surprise there then, these things aren't exactly targeted to specific people, they're just randomly spammed out).

The latest AdWords scam I've received is thus:


Exported by: Outlook Export v0.1.2


From: AdWords-NoReplay
E-mail:adwords-noreply@google.com [ 64.233.167.99 - py-in-f99.google.com ]
Date: 08/09/2008 09:51:36
Subject: Your ads are not running.
**************************************************************************
Links
**************************************************************************

Link: https://adwords.google.com/select/images/adwords_home/new_logogif
        Domain: adwords.google.com
        IP: 64.233.183.112 [ Resolution failed ]
        hpHosts Status: Listed
        MDL Status: Not Listed
        PhishTank Status: false

Link: http://adwords.google.com/select
        Domain: adwords.google.com
        IP: 64.233.183.112 [ Resolution failed ]
        hpHosts Status: Listed
        MDL Status: Not Listed
        PhishTank Status: false

Link: http://www.adwords.google.com.coisfon.cn/select/Login
        Domain: www.adwords.google.com.coisfon.cn
        IP: 87.69.85.21 [ Resolution failed ]
        hpHosts Status: Not Listed
        MDL Status: Not Listed
        PhishTank Status: false

Link: https://adwords.google.com/support/bin/answer.py?answer=28857&hl=en_GB
        Domain: adwords.google.com
        IP: 64.233.183.112 [ Resolution failed ]
        hpHosts Status: Listed
        MDL Status: Not Listed
        PhishTank Status: false

Link: https://adwords.google.com/support/?hl=en_GB
        Domain: adwords.google.com
        IP: 64.233.183.112 [ Resolution failed ]
        hpHosts Status: Listed
        MDL Status: Not Listed
        PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
<https://adwords.google.com/select/images/adwords_home/new_logogif>

Hello,

Our attempt to charge your credit card for your outstanding Google AdWords account balance was declined. Your account is still open. However, your ads have been suspended. Once we are able to charge your card and receive payment for your account
balance, we will re-activate your ads.

Please update your billing information, even if you plan to use the same credit card. This will trigger our billing system to try charging your card again. You do not need to contact us to reactivate your account.

To update your primary payment information, please follow these steps:

1. Log in to your account at http://adwords.google.com/select <http://www.adwords.google.com.coisfon.cn/select/Login> .
2. Enter your new or updated billing information.
6. Click 'Update' when you have finished.

In the future, you may wish to use a backup credit card in order to help ensure continuous delivery of your ads. You can add a backup credit card by visiting your Billing Preferences page or visit the AdWords Help Centre for more details:
https://adwords.google.com/support/bin/answer.py?answer=28857&hl=en_GB

Thank you for advertising with Google AdWords. We look forward to providing you with the most effective advertising available.

Sincerely,

The Google AdWords Team

---------------------------
This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message. If you have any questions, please visit the Google AdWords Help Centre at https://adwords.google.com/support/?hl=en_GB to find answers to frequently asked questions and a 'contact us' link near the bottom of the page.
-----------------------------

**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2> <<A HREF="https://adwords.google.com/select/images/adwords_home/new_logogif">https://adwords.google.com/select/images/adwords_home/new_logogif</A>><BR>
<BR>
Hello,<BR>
<BR>
Our attempt to charge your credit card for your<BR>
outstanding Google AdWords account balance was declined.<BR>
Your account is still open. However, your ads have been suspended. Once<BR>
we are able to charge your card and receive payment for your account<BR>
balance, we will re-activate your ads.<BR>
<BR>
Please update your billing information, even if you plan to use the<BR>
same credit card. This will trigger our billing system to try charging<BR>
your card again. You do not need to contact us to reactivate your<BR>
account.<BR>
<BR>
To update your primary payment information, please follow these steps:<BR>
<BR>
1. Log in to your account at <A HREF="http://adwords.google.com/select">http://adwords.google.com/select</A> <<A HREF="http://www.adwords.google.com.coisfon.cn/select/Login">http://www.adwords.google.com.coisfon.cn/select/Login</A>> .<BR>
2. Enter your new or updated billing information.<BR>
6. Click 'Update' when you have finished.<BR>
<BR>
In the future, you may wish to use a backup credit card in order to<BR>
help ensure continuous delivery of your ads. You can add a backup<BR>
credit card by visiting your Billing Preferences page or visit the<BR>
AdWords Help Centre for more details:<BR>
<A HREF="https://adwords.google.com/support/bin/answer.py?answer=28857&hl=en_GB">https://adwords.google.com/support/bin/answer.py?answer=28857&hl=en_GB</A><BR>
<BR>
<BR>
<BR>
Thank you for advertising with Google AdWords. We look forward to<BR>
providing you with the most effective advertising available.<BR>
<BR>
Sincerely,<BR>
<BR>
The Google AdWords Team<BR>
<BR>
---------------------------<BR>
This message was sent from a notification-only email address that does<BR>
not accept incoming email. Please do not reply to this message. If you<BR>
have any questions, please visit the Google AdWords Help Centre at<BR>
<A HREF="https://adwords.google.com/support/?hl=en_GB">https://adwords.google.com/support/?hl=en_GB</A> to find answers to<BR>
frequently asked questions and a 'contact us' link near the bottom of<BR>
the page.<BR>
-----------------------------<BR>
<BR>
<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <fleshpots@yahoo.com>
Delivered-To: services@[REMOVED]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
        by smtp-in-125.livemail.co.uk (Postfix) with SMTP id BE78B534184
        for <services@[REMOVED]>; Mon, 8 Sep 2008 09:51:18 +0100 (BST)
Received: from smtp-in-115.livemail.co.uk (smtp-in-115.livemail.co.uk [213.171.216.115])
        by smtp-in-125.livemail.co.uk (Postfix) with ESMTP id AB5F453418A
        for <ceo@[REMOVED]>; Mon, 8 Sep 2008 09:51:18 +0100 (BST)
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
        by smtp-in-115.livemail.co.uk (Postfix) with SMTP id 9109D327452
        for <abuse@[REMOVED]>; Mon, 8 Sep 2008 09:51:18 +0100 (BST)
Received: from [75.91.2.27] (h27.2.91.75.dynamic.ip.windstream.net [75.91.2.27])
        by smtp-in-115.livemail.co.uk (Postfix) with ESMTP id 55EB2327452
        for <abuse@[REMOVED]>; Mon, 8 Sep 2008 09:51:17 +0100 (BST)
Received: from [75.91.2.27] by f.mx.mail.yahoo.com; Mon, 8 Sep 2008 03:51:36 -0500
To: <abuse@[REMOVED]>
Subject: Your ads are not running.
Date: Mon, 8 Sep 2008 03:51:36 -0500
Message-ID: <01c91166$30cf5400$1b025b4b@fleshpots>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0CCC_01C91166.30CF5400"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcgJyLD6O6KP8W7HVNC719G7XNH9M4==
Content-Language: us
From: "AdWords-NoReplay" <adwords-noreply@google.com>
X-Original-To: abuse@[REMOVED]
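
The two giveaways in the export above are the From/Return-Path mismatch and the login link whose host merely starts with adwords.google.com. The following is an added example, not part of the original post or of any hpHosts tooling, showing how a mail filter could flag both; the function names and the TRUSTED constant are assumptions, and the sample message is constructed from a few lines of the export.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "google.com"  # assumption: the brand domain the message claims to be from

# Constructed sample: two headers and three links trimmed from the export above.
SAMPLE = '''Return-Path: <fleshpots@yahoo.com>
From: "AdWords-NoReplay" <adwords-noreply@google.com>
Subject: Your ads are not running.
Content-Type: text/html

<A HREF="http://adwords.google.com/select">http://adwords.google.com/select</A>
<A HREF="http://www.adwords.google.com.coisfon.cn/select/Login">login</A>
<A HREF="https://adwords.google.com/support/?hl=en_GB">help</A>
'''

def belongs_to(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def embeds_brand(host, domain):
    """True if the brand's labels appear inside a host that is not under the brand."""
    labels = host.lower().rstrip(".").split(".")
    brand = domain.split(".")
    n = len(brand)
    inside = any(labels[i:i + n] == brand for i in range(len(labels) - n + 1))
    return inside and not belongs_to(host, domain)

def analyse(raw, trusted=TRUSTED):
    """Return (finding, value) pairs for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    # Header From claims the brand, but bounces go to an unrelated domain.
    if belongs_to(from_dom, trusted) and rp_dom and not belongs_to(rp_dom, trusted):
        findings.append(("envelope-mismatch", rp_dom))
    # Compare on label boundaries from the right, never with a substring test.
    for href in re.findall(r'href\s*=\s*"([^"]+)"', msg.get_payload(), re.I):
        host = urlsplit(href).hostname or ""
        if embeds_brand(host, trusted):
            findings.append(("lookalike-host", host))
    return findings

if __name__ == "__main__":
    for kind, value in analyse(SAMPLE):
        print(kind, value)
```

A Return-Path that differs from the From domain is a weak signal on its own, since legitimate bulk senders often use a separate bounce domain; the look-alike host is the stronger indicator here.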


Also not surprising is that the scammy site itself (www.adwords.google.com.coisfon.cn) is running on fast flux;




Ref:
http://hosts-file.net/?s=www.adwords.google.com.coisfon.cn

So what does the phishing page itself look like?



vURL Online results for this site:
http://vurl.mysteryfcm.co.uk/?url=http://www.adwords.google.com.coisfon.cn/select/Login/&selUAStr=1&cbxLinks=on&cbxSource=on&cbxBlacklist=on

1 comment:

Monsieur Chainsaw said...

Got the same thing here :)

Thanks for the diggin'!