scary...

If you see emails like this, please forward them to the AdWords team: http://adwords.google.com/support/bin/request.py?ctx=cuffhelp&contact_type=phishing

I received such an e-mail, and made a report on my blog called "phishing adwords campain" :

http://www.blogdefred.com/campagne-phishing-adwords.php

next time I will forward it to google teeams.

that is terrible. Thank goodness Google has safeguards against this for Adwords. However what's the safeguard for someone who justs wants to maliciously delete all of your Gmails?

Also, how safe are services like Meebo that ask for your Google password? What does it to take to hack that little start-ups password records or create a fake page to phish for accounts?

Probably a good idea is to wait 2-3 days before visiting the potential phishing site. Most sites are taken down.

> Also, how safe are services like Meebo that ask for your
> Google password? What does it to take to hack that little
> start-ups password records or create a fake page to
> phish for accounts?

To be most safe I would suggest you never enter your Google password unless the browser address bar reads "google.com" as domain on top. Sites using the Google Account by means of referring you to google.com (like Google Friend Connect or Google Appspot) should be safe as they don't actually see your password – they only know whether or not you entered the right password, i.e. whether or not the authentication was a success – but if not there's a risk. Even if the site itself is not malicious, and even if they don't store any password, who knows what security measures they have to safe guard their own server from someone trying to sneak in a script...

wow, that sucks. be careful. i had my bank account hijacked in the same way. thanks for posting. we'll all keep a closer look on all of our online accounts.

wow. I've never seen that one before.

Deceptive! I probably would have thought that email was real – until I actually look close enough. The problem is that sometimes people are in that "laid-back posture" so they kinda forget to notice phishing warnings, especially if it's that deceptive.

Philipp
Correction: make sure it reads "google.com" at the very END of the domain in the address bar after discounting subdirectories. Many sites show up as "adwords.google.com.badsite.net" or even the classic "adwords.google.combadsite.com".

The major webmail providers could insert the URL under the link or provide it on hover when viewing an email with links or any HTML. A truly paranoid one could even pop up a warning window reading "This link goes to 'http://badsite.com/evil'" and indicate the full domain. Sure, it's an extra step that most will skip, but it may prevent as many people from falling for phishing emails.

Mind that Google's anti-spam/phishing is very good, and I bet they run every email through it searching for malware and phishing links, but not even Google can't police the internet in real time. I think. Not yet, anyway.

Surely you must be joking, Mr. Lenssen! – at least in respect to this bit of "advice":

> [...] instead open a new browser window and enter the URL (like
> “amazon.com”, “google.com” or whichever) manually.

Since the target phish'd url would be fairly long, hard to retype in full, advising the (human) mark to type in manually just the hostname for control purposes misses the point. Besides, haven't you heard the song "Urls Just Want To Be Clicked To Have Some Fun, Fun, Fun" (and the multi-colored Google logos go "dood-do-dood-do-do-dood-dood-dood")?

> Hovering over the link in the email is also often a good first
> give-away, as the domain may not be the official one; [...]

Yeah, right. Tell me another.
<a title="http://google.com/phished-path" onMouseOver="http://google.com/phished-path" onMouseOut="" href="phisher-site/path">Secure Log In</a>

This is old school phishing – in it's earliest iteration, your user name and password were requested, and no matter what you put in it failed. This still works (obviously), but gives you a quick notification that something is wrong.

A newer iteration is for the phishing site to relay the authentication to the legitimate service. This allows the phisher to validate the credentials, and allay suspicions (since login is successful). I do not expect that this was in place for this particular scam, since the text of the message emphasizes using the correct password.

While both of these work, users are wising up. Anti-phishing functionality in IE7 and Fx2 will attempt to notify the user that a specific URL is a suspected phishing site. To combat this, phishers use 'piers' – mini sites put on legitimate domains that have been compromised (http://www.f-secure.com/weblog/archives/00001440.html).

Functionality in both Fx3 and IE8 strongly identifies the domain being visited in the address bar, making hiding in a domain like "adwords.google.com.badsite.net" more difficult, and similarly will reduce the effectiveness of piers.

A final technique being seen in the wild doesn't even request the user name and password – it just has the user install compromised bits on the computer (http://www.f-secure.com/weblog/archives/00001428.html).

> > [...] instead open a new browser window and enter the URL (like
> > “amazon.com”, “google.com” or whichever) manually.
>
> Since the target phish'd url would be fairly long, hard to retype in
> full, advising the (human) mark to type in manually just the
> hostname for control purposes misses the point.

Perhaps this is a misunderstanding. I did not mean one should enter the phishing URL – I meant one should enter the real domain, e.g. literally "www.google.com" or so to then click through to the desired log-in form.

> > Hovering over the link in the email is also often a good first
> > give-away, as the domain may not be the official one; [...]
>
> Yeah, right. Tell me another.
> <a title=" google.com/phished-path" onMouseOver="
> google.com/phished-path" onMouseOut="" href="phisher-
> site/path">Secure Log In</a>

Ian, does any of Yahoo Mail, Gmail or Hotmail support JavaScript in the HTML? If not, then hovering would be a good first indicator – but still, as I said, I don't think clicking the mail link at all is a good idea (new abuse schemes may be invented for starters).

Correction to my original post: Russell has six campaigns, not one, set up at the moment. I adjusted the text and marked the changes.

Philipp,
we're not talking legitimate pages/code presence, or not, of html window object attributes, but of such on phished ones', where, presumably, the true target of links would be maximally obscured to ensure that naïve end-users not hesitate to click them. Not every browser shows window.status() by default, and not everybody understands or even cares what they display; but, in these that do, such kiddie-script additions could be quite effective.

Anyhow, that's not where maximum dangers lie – those, who are uninterested in security aspects of web use, or simply unobservant enough to question potentially adverse outcomes of what they are asked to do, will soon or later (have to) learn the consequences the *hard way*.

Far worse are the more modern phishing methods, which rely on surreptitiously installed RAM-based keyloggers that rely harvested data piggybacked onto nominally legitimate form submissions and the like. And that includes even single-input field "official-looking" search requests, where the ACTION=scheme:path can not normally be inspected or viewed until AFTER the search-or-"search" has been executed.

The campaign the phisher has created only has broad matches... what a newbie lol!

Also, I'm almost positive no competent webmail provider allows Javascript methods or even "clever" CSS pseudo classes mixed with HTML in email. That just makes phishers' and spammers' jobs TOO easy. Besides, I thought everyone learned their lessons from the bad old days of Outlook and Outlook Express.

I could be wrong.

J. McNair: what webmail providers do or not do is of no importance, as the only thing that matters here are users' at large ignorance of threat vectors, and their naïve sense of being safe because, see, as they themselves don't do to others, etc. Besides, visible presence of Javascript functionality in obscure places would be as much an indicator of DANGER, as its absence --even were end-users generally aware of it-- would be of ALL CLEAR. Or something.

Horrible attacks.

thanks to share with us.