PayPal Phishing exploiting Google Adsense Redirect
Usually I don’t click on phishing links, especially when the header is forged and the subject contains PayPal.
From: "PayPal"
However, this link raised some suspicions because it looked like a Google forceful redirect:

http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://24.49.66.79:82/www.paypal.com/cgi-bin/webscr=home=p/index.php

So I decided to capture the traffic and see what it’s all about. Well... I don’t know if this is a new way to exploit Google or an everyday phishing link, but this is the full movie of the events:
Request #1: My browser requests the Google page.
Response #1: Google issues a 302 redirect to www.googleadservices.com.
Request #2: As instructed by the 302 response, my browser requests the page from www.googleadservices.com.
Response #2: Googleadservices.com responds with another 302 redirect to the scammer’s phishing site, which is http://24.49.66.79:82/www.paypal.com/cgi-bin/webscr=home=p/index.php
Request #3: Again, as instructed by the redirect, my browser requests the phishing URL.
Response #3: The phishing site responds as it should, delivering a copy of paypal.com.
Response #4: Firefox flags the site as phishing and advises about it.
There you have it. PayPal phishing using Adsense forceful redirect. Pretty nasty… to say the least.
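A static check for this kind of link, as an added example that is not part of the original post: it reads the destination carried in the adurl parameter without fetching anything and flags the traits visible in the URL above. The parameter names other than adurl, the BRANDS watch list and the finding labels are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# "adurl" is the parameter in the post; the other names are assumptions.
REDIRECT_PARAMS = ("adurl", "url", "redirect", "dest")
BRANDS = ("paypal.com",)  # assumed watch list of impersonated domains


def embedded_destination(url):
    """Return the absolute URL carried in a redirect parameter, or None."""
    query = parse_qs(urlsplit(url).query)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(url):
    """Return (destination, findings) for a link, without fetching it."""
    dest = embedded_destination(url)
    if dest is None:
        return None, []
    outer, inner = urlsplit(url), urlsplit(dest)
    host = (inner.hostname or "").lower()
    findings = []
    if host != (outer.hostname or "").lower():
        findings.append("redirects-off-site")
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    if inner.port not in (None, 80, 443):
        findings.append("non-standard-port")
    for brand in BRANDS:
        in_host = host == brand or host.endswith("." + brand)
        if brand in inner.path.lower() and not in_host:
            findings.append("brand-in-path-only:" + brand)
    return dest, findings

# Link from the post; the long "ai" token is replaced by a placeholder.
SAMPLE = ("http://www.google.com/pagead/iclk?sa=l&ai=TOKEN&num=5&adurl="
          "http://24.49.66.79:82/www.paypal.com/cgi-bin/webscr=home=p/index.php")
```

Calling analyze_link(SAMPLE) returns the phishing URL together with all four findings, while a link that carries no redirect parameter returns (None, []).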
This entry was posted on Monday, April 16th, 2007 and is filed under phishing, Web Applications, Security Incidents.

