Google adwords account holders are being targeted by criminals out to trick them into handing over credit card information using a clever URL spoof that has gained popularity in recent weeks.
On the face of it, the scam follows a traditional attack route involving the sending of spam emails to random Internet addresses in the hope of finding users who have purchased adwords. The email claims that the user's account payment has failed and asks them to "update payment information", again a transparent ploy by today's standards.
As obvious as this might sound, the unwary might easily be tricked by the convincing http://adwords.google.com/select/login link embedded in the email, a perfect copy of the correct Google login address. This one, however, actually leads to http://www.adwords.google.com.XXXX.cn/select/Login [address altered], an obfuscated address that directs to a site associated with IPs in Germany, Romania, and the Czech Republic.
The site is a good copy of the real Google adword site, and appears to let users login using their real account details - any account details will work in fact. Entering payment details results in that information being posted using an SSL link to a remote server after which the account will be ripped off.
The attack has been publicised by security software company Trend Micro, but the disarmingly simple scam is widespread enough to have been received by ordinary users in recent days.
Google adwords exploits are not uncommon, some involving serving exploits directly, others involving the much more basic social engineering techniques used in the latest attack. Indeed, the latest phishing attack bears a strong resemblance to a near-identical campaign launched a few weeks back by Chinese criminals.
As common as 'account update' attacks have become, the spoofed - in other words convincing - URL is still the key to reeling in victims. Criminals seem to have realized that users are paying more attention to such details, and that phishing success bar has been raised by this.