Google and Facebook users' logins and passwords targeted by phishing campaign posing as Google Translate
It seems that scammers have started a new phishing campaign that seeks to take over users' Facebook and Google login details. According to Larry Cashdollar, a security researcher on Akamai's Security Intelligence Response Team, he recently received an email containing a suspicious Google alert. The message notified him that a new device had been used to sign in to his Google Account. Since he had not logged in to the account at the time given in the warning, he decided to examine the email more thoroughly.
The email, sent from email@example.com, was a brief message claiming to come from Google. The first red flag was that it came from a Hotmail account and that the address had more in common with Facebook than with Google. Misusing a famous company's name is a trick that has been actively used in phishing attacks. In this case, scammers were trying to trick users into thinking that the alert was from Facebook's security team.
This particular phishing attack plays on fear by displaying an alert about access to your Google account. As Larry Cashdollar wrote in his post:
Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn't aware or paying attention. Criminals conducting phishing attacks want to throw people off their game, so they'll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later. When this happens, it is entirely possible – expected, in some cases – that the victim isn't going to pay attention to little details that give the scam away. In my case, the attacker is using a mix of curiosity and fear. Fear that my account is compromised, and curiosity as to who did it.
The first part of the attack – report from Google
The fake email also included a “Consult the activity” link that, once clicked, redirected the victim directly to a page asking the user to enter their Google account login and password. The suspicious thing about this landing page was its Google Translate domain. This is a deliberate choice: when the user looks at the URL in the browser bar, a legitimate Google domain shows up and creates a false sense of legitimacy.
According to Cashdollar, the link address looks legitimate when opened on a mobile device. However, examining the email and the landing page address on a computer reveals the full “translate.googleusercontent.com/translate” domain.
If the user notices this address in the first stage of the attack, the attack can be avoided. However, when you enter your email and password to log in to your Google account, the attacker can collect the entered information and proceed with the second part of the phishing campaign.
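The two red flags described above, an alert that names Google but arrives from a Hotmail address and a link whose address sits on translate.googleusercontent.com, can be checked mechanically in a mail filter. The following Python is an added example, not code from Cashdollar's post or from Akamai; the sample message, the brand-to-domain table and the landing host are constructed, and it assumes the wrapped page address is carried in Translate's `u` query parameter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Hosts that serve third-party pages under a Google Translate address.
TRANSLATE_HOSTS = {"translate.googleusercontent.com", "translate.google.com"}
# Assumption: domains a genuine alert from each brand would be sent from.
BRAND_DOMAINS = {"google": ("google.com",), "facebook": ("facebook.com", "facebookmail.com")}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def wrapped_target(url):
    """Return the URL wrapped in the Translate 'u' parameter, or None if not a Translate link."""
    parts = urlparse(url)
    if (parts.hostname or "").lower() not in TRANSLATE_HOSTS:
        return None
    return parse_qs(parts.query).get("u", [""])[0]

def check_alert(raw_email):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    claimed = (display + " " + msg.get("Subject", "")).lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(sender_domain == d or sender_domain.endswith("." + d) for d in domains)
        if brand in claimed and not legit:
            findings.append(f"claims {brand} but sent from {sender_domain}")
    # Leaf parts only; transfer-encoded (base64) parts are not decoded here.
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in URL_RE.findall(body):
        target = wrapped_target(url)
        if target is not None:
            host = urlparse(target).hostname or "unknown"
            findings.append(f"link proxied through Google Translate to {host}")
    return findings

# Constructed sample; sender, subject and landing host are placeholders.
SAMPLE = """From: Google Security <security-team@hotmail.com>
Subject: New device signed in to your Google Account

Consult the activity: https://translate.googleusercontent.com/translate?sl=auto&tl=en&u=http://login.phish.example/g/
"""

if __name__ == "__main__":
    for finding in check_alert(SAMPLE):
        print(finding)
```

Surfacing the wrapped host matters most on mobile clients, where the address bar shows only the Google domain.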
The second part of the attack – getting your Facebook credentials
The phishers behind this campaign try to attack users twice, using two different tactics to get Google and Facebook credentials. Once the criminals have your Google account login details, you get redirected to a copy of the Facebook login portal. Again, the phishing campaign is clearly targeting mobile users, and the Facebook landing page displays the mobile version of the login.
As Cashdollar says, the first credentials collected are the email and password for your Google account, after which you are redirected to the Facebook login page automatically. Later on, other information can be collected, including:
- IP addresses;
- browser type;
- additional personally identifiable information.
Users should note that collected data can later be used to steal more valuable credentials from victims in other attacks.