Crooks leverage Google Translate service as camouflage on mobile browsers in a phishing campaign aimed at stealing Google account and Facebook credentials.
The security expert Larry Cashdollar, a member of Akamai’s Security Intelligence Response Team (SIRT), discovered that cybercriminals are carrying out a new phishing attack that leverages Google Translate as camouflage.
Finally, I get to collaborate with @SteveD3 on some research -> Phishing Attacks Against Facebook / Google via Google Translate – Akamai Security Intelligence and Threat Research Blog https://t.co/0oif3jBKOa
— Larry W. Cashdollar r00t folding team #258829 (@_larry0) February 5, 2019
The phishing campaign targets both Google and Facebook accounts. Using Google Translate allows the attackers to make the phishing page appear as a legitimate form served from a Google domain. The technique makes it harder to detect the attack on mobile browsers.
These phishing emails pose as alerts sent by Google that inform users that their accounts were accessed from a new Windows device. The malicious emails come with the subject “Security Alert” and attempt to trick victims into clicking the “Consult the activity” button to receive more information about the potential unauthorized access.
When a user clicks the link embedded in the phishing message, they are redirected to a Google Translate page that loads a phishing page made to look like a Google Account login.
The expert pointed out that this kind of attack could be easily detected by users on desktop browsers because the Translate toolbar is visible.
On mobile browsers, it is much more difficult to tell that the displayed page is being served through Google Translate, because the interface of the service is minimal.
“Using Google Translate does a number of things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses.” reads the analysis published by Cashdollar.
“However, while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer.”
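For mail filtering or triage, the Google domain in the address bar can be peeled away to expose the host that actually serves the page. The following is an added example, not code from Akamai's analysis; it assumes the wrapper has the form `translate.google.com/translate` with the wrapped page in the `u` query parameter (the article does not show the link), and the function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the article, which does not show the link): the wrapper
# is translate.google.com/translate and the wrapped page is in the "u" parameter.
TRANSLATE_HOSTS = {"translate.google.com"}
BRAND_DOMAINS = ("google.com", "facebook.com")  # brands this campaign imitates


def unwrap_once(url):
    """Return the URL carried inside one Translate wrapper, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in TRANSLATE_HOSTS:
        return None
    if not parts.path.startswith("/translate"):
        return None
    inner = parse_qs(parts.query).get("u", [""])[0].strip()
    if not inner:
        return None
    # A bare host/path has no scheme; add one so urlsplit finds the host.
    return inner if "://" in inner else "http://" + inner


def effective_target(url, max_depth=5):
    """Peel nested wrappers; return (final_url, layers_removed)."""
    layers = 0
    while layers < max_depth:
        inner = unwrap_once(url)
        if inner is None:
            break
        url, layers = inner, layers + 1
    return url, layers


def flag_link(url):
    """Return (suspicious, host). Suspicious: wrapped AND lands off-brand."""
    final, layers = effective_target(url)
    host = (urlsplit(final).hostname or "").lower()
    on_brand = any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)
    return (layers > 0 and not on_brand), host


if __name__ == "__main__":
    # Constructed sample links (reserved .example domain), not real indicators.
    for link in (
        "https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Flogin-alert.example%2Fsignin",
        "https://accounts.google.com/signin",
    ):
        print(flag_link(link), link)
```

A "security alert" whose sign-in link is wrapped in a translator and resolves to a host outside the brand's own domains is the pattern this campaign relies on, so the pair returned by `flag_link` is a reasonable signal to score or quarantine on.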
When the victims provide their Google/Facebook credentials to the phishing page, a script will send them to the attacker via email.
Once they have obtained the victim’s credentials, the attackers carry out a second phishing attack in an attempt to also obtain Facebook credentials.
According to Cashdollar, the Facebook phishing page was not optimized as well for mobile and was very easy to spot.
“Some phishing attacks are more sophisticated than others. In this case, the attack was easily spotted the moment I checked the message on my computer in addition to seeing it on my mobile device. However, other, more clever attacks fool thousands of people daily, even IT and Security professionals.” concludes the expert.
“The best defense is a good offense. That means taking your time and examining the message fully before taking any actions.”