AdWords
6.2K members online now
6.2K members online now
Understand Google's advertising policies, including ad approval status and account suspension
Guide Me
star_border
Reply

10th case of a Weekend AdWords Phishing Ad for AdWords account logins

[ Edited ]
Collaborator ✭ ✭ ✭
# 1
Collaborator ✭ ✭ ✭

Hello,

 

Yesterday I spotted an AdWords phishing ad for stealing AdWords logins, it was stopped, but today it appeared again from a different Display URL domain but with the same domain as final URL http://freoos.com/

 

The title of the Ad is "Adwords® - Start Advertising Today - stockpair.com‎ " and the Display URL is obviously something fishy "adwords.adwords.adwords.adwords.adw...‎"

 

The AdWords phishing ad is on the first position for various "adwords" related search terms when I perform searches in Bucharest, Romania, browser language=romanian, but also when I perform searches with the Ad Preview even in larger locations such as London simulating google.co.uk , language=english , so it must be targeting a very wide selection of locations.

 

I reported it through the online form for Phishing ads but I also want to report it here to spread awareness about such AdWords ads among frequent AdWords users and limit their ability to trick important users of the AdWords system.

 

This is the click string of the ad

 

https://www.google.ro/aclk?sa=l&ai=CsHL2-5e1VoroL-7mzAbdy77ADIns098IuY-_9sYB5OWwBQgAEAFgg6XhhegboAH_...

 

This is the final URL

http://freoos.com/adwords.accounts.google.com/5e5rnjbhfhjxfnnjuyfhbfdYjyg8Dgwefhgbvvcdn4xh5vxnhvcchh...

 

These are screenshots of the Ad, the landing page and from the Ad preview showing up in London.

 

phishing-ad-appearing-in-London.pngphishing-ad-6-febr-2016.pngphishing-ad-6-febr-2016-final-URL.png

1 Expert replyverified_user
Marked as Best Answer.
Solution
Accepted by topic author Adrian B
February 2016

Re: 10th case of a Weekend AdWords Phishing Ad for AdWords account log

Top Contributor
# 2
Top Contributor

Thanks @Adrian B;

I also alerted one of our  contacts  at Google on this

Moshe, AdWords Top Contributor , Twitter | Linkedin | Community Profile | Ad-Globe
Did you find any helpful responses or answers to your query? If yes, please mark it as the ‘Best Answer’

Re: 10th case of a Weekend AdWords Phishing Ad for AdWords account log

Collaborator ✭ ✭ ✭
# 3
Collaborator ✭ ✭ ✭
Thanks. It think they hacked a couple more accounts, because it is the first time that I see today 2 different phishing Ads, using different domains in the Ad. Google should stop any ad from running if it has this string in the display url ""adwords.adwords.adwords" . It makes no sense for a real client to use this in their display URL , only hackers who want to deceive may want to use it.

Re: 10th case of a Weekend AdWords Phishing Ad for AdWords account log

Collaborator ✭ ✭ ✭
# 4
Collaborator ✭ ✭ ✭

Today a 3rd AdWords phishing Ad appeared, this time showing up the domain touslesmateriaux.com‎ in their Title+description line 1 . I imediately reported them , but I have a feeling they will be back soon.

 

The 3 phishing Ads from this weekend have in common 3 elements : the same text in the display URL, the same adurl in the click string (&adurl=http://trackmaster.ga ) and the same final destination domain

http://freoos.com/adwords.accounts.google.com/

The AdWords phishing Ad title is "Adwords® - Start Advertising Today - touslesmateriaux.com‎" , the display URL
The display URL is the same as before " adwords.adwords.adwords.adwords.adw... "

I found them again by typing "adwords en forum" but also a series of other adwords search terms, from my location Bucharest Romania and from the Ad Preview in Paris, searching "adwords help" from google.fr domain (See screenshots below)

This is the click string which ends the same as the other 2 clicks trings with "&adurl=http://trackmaster.ga/....."

https://www.google.ro/aclk?sa=l&ai=CzAKcMOC2Vp6NK-7QzAbTzYjQA7fa8okIz5zc968C5OWwBQgAEAFgg6XhhegboAGp...

This is the Ad final URL :
http://freoos.com/adwords.accounts.google.com/Ghghdf47e39fdmdbgb4xh5vxnhvcchhghscsGjcnekcwy46jhcdgtf...

 

3rd-phishing-ad-7-febr-2016.png3rd-phishing-ad-7-febr-2016-ad-preview-Paris.png3rd-phishing-ad-7-febr-2016-landing-page.png

Re: 10th case of a Weekend AdWords Phishing Ad for AdWords account log

Collaborator ✭ ✭ ✭
# 5
Collaborator ✭ ✭ ✭

What is going on ? Google can't disable their operating pattern ? They use the exact same display URL repeating "adwords" over 5 times , same final URL domain, same adurl "&adurl=http://trackmaster.ga".

 

Today, on a monday, there is a new 4-th AdWords phishing Ad using the same operating mode (would be case no 13) advertising this time the domain http://furniture-warehouse.co.za ,  which I found on the search term "adwords forum" from my location Bucharest, Romania.

I reported them through the online form and the local chat support .

Their ad was on the first position above the genuine gogle adwords Ad.



It is the same display URL as the other 3 phishing ads observed during the weekend, same title, same redirect to this address http://freoos.com/adwords.accounts.google.com/ 

Here is the click string
https://www.google.ro/aclk?sa=L&ai=CK3QScla4VreGC4POiwaes5TIBKvN3OsHy--0xtYC5OWwBQgAEAEoAmCDpeGF6BvI...

 

And the landing page URL

http://freoos.com/adwords.accounts.google.com/Ghghdf47e39fdmdbgb4xh5vxnhvcchhghscsGjcnekcwy46jhcdgtf...

 

phishing-adwords-ad-8-febr-2016.png

phishing-adwords-ad-8-febr-2016-landing-page.png

Re: 10th case of a Weekend AdWords Phishing Ad for AdWords account log

[ Edited ]
Collaborator ✭ ✭ ✭
# 6
Collaborator ✭ ✭ ✭

Here comes AdWords phishing Ad for account logins case number 14 :

 

Just one hour after disabling the ad mentioned in the previous message, which had the domain http://furniture-warehouse.co.za  in the click string, another similar ad appeared on the search term "adwords help" this time having the domain http://vsservicesrsa.co.za in the click string at the end.

 

I reported them through the dedicated form for AdWords phishing Ads but at the rate they reappear (5th case already) I can't spend all day reporting similar ads.

 

Here is the click string

 

https://www.google.ro/aclk?sa=L&ai=C9wjB4GG4Vv-MCo-kbJ2ikfgJpZjc6wjV-Nq66wLk5bAFEAEoCGCDpeGF6BvIAQGp...

 

here is the Ad screenshot , the landing page is from the same domain

 

http://freoos.com/adwords.accounts.google.com/dmdbhghscsGjcnekcwy46jhcdGhghdf47e39fgfhbfdYjyg8Dgwefh...

 

phishing-adwords-ad-8-febr-2016-nr2.png

 

Re: 10th case of a Weekend AdWords Phishing Ad for AdWords account log

Collaborator ✭ ✭ ✭
# 7
Collaborator ✭ ✭ ✭
I think I noticed something useful for the google team, at first when I clicked the Ad , the landing page was the normal website found at the address http://vsservicesrsa.co.za

Then I looked at the initial adurl and it was only adurl=http://vsservicesrsa.co.za , so at first only the Ad tex was looking like a phishing Ad.

Then I refreshed the page and the clickstring changed , including the redirect to the phishing page, and the adurl was looking like this

adurl=http://trackmaster.ga/vsservicesrsa/%3Furl%3Dhttp://vsservicesrsa.co.za%26id%3D1

So I suppose the hackers must be saving the ad with the normal domain when it goes under review, and they edit it afterwards to include a redirect. Maybe the second google review for editing an Ad does not properly check the final URL.

Re: 10th case of a Weekend AdWords Phishing Ad for AdWords account log

Collaborator ✭ ✭ ✭
# 8
Collaborator ✭ ✭ ✭

Here comes AdWords phishing Ad for account logins case number 15 and the 3rd case from today.

 

Is anyone from Google even reading this ? How hard can it be to block any adwords ad which features the display URL adwords.adwords.adwords.adwords.adwords ?

Same operating mode, same repetition of adwords.adwords.adwords in the display URL. This time the click string has the domain http://mazadance.co.za

 

This is the click string

 

https://www.google.ro/aclk?sa=L&ai=CxiC5lJu4VpL0ONX3bprRtogJ84WAxAejxqDj0QLk5bAFCAAQAWCDpeGF6BvIAQGp...

 

This is the final URL

http://freoos.com/adwords.accounts.google.com/dmdbhghscsGjcnekcwy46jhcdGhghdf47e39fgfhbfdYjyg8Dgwefh...

 

phishing-adwords-ad-8-febr-2016-nr3.png

 

 

Re: 10th case of a Weekend AdWords Phishing Ad for AdWords account log

Top Contributor
# 9
Top Contributor

@Adrian B;

I alerted Google again. But note that  Google phishing squad does not monitor posts on this  community.

The channel to communicate with them  directly is using the link they set.

 

Moshe, AdWords Top Contributor , Twitter | Linkedin | Community Profile | Ad-Globe
Did you find any helpful responses or answers to your query? If yes, please mark it as the ‘Best Answer’

Re: 10th case of a Weekend AdWords Phishing Ad for AdWords account log

Collaborator ✭ ✭ ✭
# 10
Collaborator ✭ ✭ ✭
Yes, thank you. I used the report form 4 times during the weekend and 3 times today. It is very good that I get an email each time I file a report as a confirmation. The ads disappeared in a matter of 1-2 hours but similar ones reappeared .