Google Translate Used to Hide Phishing Sites

A new phishing method has been witnessed this week, where attackers have hidden their phishing websites behind the Google translate service.

Like most phishing attacks the intent of the actors here is to scam you into providing personal information and login details, that they can steal and use for malicious purposes.

This particular attack focuses on attempts to steal your Google and Facebook account credentials.

It all typically starts with a fake security email notifying the user of a new device login and includes a link to verify that the login activity was you.

By clicking the link, you are presented with a lookalike Google login page, but what makes this interesting is you are first directed to Google Translate that then opens the malicious phishing site.

This appears to be an effort to convince the user that checks the email link that they are indeed going to Google, giving a valid Google domain and certificate in the address bar. Although the email body content may look convincing a quick check of the email sender confirms that this is not from Google.

Users that are unfortunate to enter their credentials and click the sign in link on the page, will trigger a script to run that will email the information entered to the attackers.

If you are using a desktop / laptop browser this threat should be easily identified as fake, as the sender email and translated URLs should be clearly visible to the user as not belonging to Google.

Mobile users will have a tougher time though, due to the condensed view it will be more difficult to identify the phish, as the translated domain is not as visible.

What’s surprising is that the attack has a second phase. Once a user signs in with their Google credentials they are immediately redirected to a fake older version of the Facebook login page that then tries to steal your username and password for Facebook. This should be an immediate red flag for most users.

All this said the whole attack is poorly configured and its unknown how successful this has actually been.

The phishing site displayed in Google Translate uses the following hijacked URL:

httpx://mediacity[.]co[.]in/social/js/index.html

Although the top-level domain is considered clean, Cisco Umbrella customers are protected from accessing this URL which is blocked as a phishing threat.

For more information and screenshots please see Akamai’s blog post on the topic:

https://blogs.akamai.com/sitr/2019/02/phishing-attacks-against-facebook-google-via-google-translate.html

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

Ironshare – Security Simplified