Contributing Writer, [GAS]
I got a very interesting piece of spam in my inbox this morning, and it took me a few moments to realize it was a phishing attack designed to make me disclose my Google Adwords password.
Here is a screenshot of it.
Hovering over the link, you can see that the hostname begins with “adwords.google.com.” However, it continues with a session name, followed by random numbers, and finally a domain name located on a Russian host. The domain at the right-hand end of the hostname is the one that decides where the link goes; everything to its left, including “adwords.google.com,” is just a subdomain label chosen by the attacker. This attack is designed to trick website operators and blog owners into disclosing their Google account password. So far I have only seen Adwords used as a phishing attack. I suspect that it would work just as well with Adsense and other Google subscription and pay services.
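The hostname trick described above can be checked mechanically. The following is an added example, not part of the original post; the trusted-domain list, function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the recipient really has accounts with.
TRUSTED_DOMAINS = ("google.com",)


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a link's host."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the netloc
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "unrelated"
    labels = host.split(".")
    for domain in trusted:
        if is_under(host, domain):
            return "trusted"
        # The trusted name appears as whole labels inside the host, but the
        # host does not END with it. DNS names are owned from the right, so
        # whoever owns the rightmost domain controls this hostname.
        want = domain.split(".")
        n = len(want)
        if any(labels[i:i + n] == want for i in range(len(labels) - n + 1)):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; .example is a reserved TLD.
    samples = [
        "https://adwords.google.com/select/Login",
        "http://adwords.google.com.session-48213.phish.example/login",
        "http://notgoogle.com/",
    ]
    for link in samples:
        print(f"{classify_link(link):10} {link}")
```

The comparison is done on whole DNS labels from the right, which is why a host that merely contains the trusted name on the left is flagged instead of accepted.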
Many users of Google services use the same password for all of their services: Gmail, Google Analytics, Webmaster Tools, Adsense and even Google Write. Allowing this password to be disclosed would likely allow the attacker not only to take over the Gmail account itself, but also to access all the services and websites where the Gmail address was used to register.
Securiteam has a blog post here about a man who had many businesses and forwarded all of his emails to his Gmail account for ease of access, easy searching, and convenience. When his Google account was locked, undoubtedly because he was phished, he literally lost the keys to his business and was unable to interact with his customers. It took days to regain his access.
Bottom line is, don’t fall for these phishing attacks. Make sure you have a backup email notification built into your Google account(s), and for God’s sake, don’t use the same password for everything. The same goes double for Yahoo accounts.