A new phishing campaign has been discovered that tries to steal Google account and Facebook credentials, using Google Translate as camouflage on mobile browsers.
Larry Cashdollar, a security researcher on Akamai’s Security Intelligence Response Team (SIRT), reports that the campaign uses Google Translate to make the phishing page appear to come from a Google domain, and that it targets multiple accounts in one go. This also makes it difficult to detect on mobile browsers.
The researcher first noticed the attack on 7th Jan, when he received a phishing email purporting to be an alert from Google, with the subject “Security Alert”. It said that activity had been detected on his account from a new Windows device and asked him to verify whether it was him. Below the message was a button reading “Consult the activity”, for finding out more about the activity. As soon as he clicked the button, he was redirected to a Google Translate page that opened a remote phishing site disguised as a Google Account login. On taking a closer look at the email, Cashdollar found that it had been sent from a Hotmail account.
Phishing attacks mostly take advantage of known brand names, and most of them succeed when users are not aware of these kinds of attacks. By using Google Translate, attackers can hide malicious attempts in several ways. The main one is that victims see a legitimate Google domain, which might help the criminal bypass endpoint defenses.
These kinds of attacks are easy to carry out against mobile browsers but difficult to perform against a desktop browser.
For those who do not notice the red flags on the landing page, their credentials and other information, such as IP address and browser type, are collected and emailed to the attacker.
The attackers then tried something else: they attacked the victims a second time by forwarding them to a different landing page that claimed to be Facebook’s mobile login page. The attackers target victims who have already fallen for the first part of the scam, and two-stage attacks of this kind are increasing.
The red flag with the Facebook landing page is that it uses an older version of the Facebook mobile login form. This shows that the kit might be an old one.
Phishing scams are always on the rise, and this campaign shows attackers coming up with innovative techniques to trick users into giving up their credentials. Users must always be vigilant, check where emails are coming from, and analyze a URL before opening it. Also keep in mind that companies like Google will never ask you to log in through Google Translate or any other translation service.
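The URL check recommended above can be automated. The following is an added example, not code from the original article or from Akamai: it unwraps a Google Translate proxy link to show the host that would actually receive the credentials. It assumes the wrapped page is carried in the `u` query parameter of `translate.google.com/translate`; the function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: a Translate proxy link has the form
#   https://translate.google.com/translate?...&u=<wrapped page>
TRANSLATE_HOSTS = {"translate.google.com"}


def unwrap_translate_link(url):
    """Return the wrapped destination if `url` is a Translate proxy link, else None."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or host not in TRANSLATE_HOSTS:
        return None
    targets = parse_qs(parts.query).get("u", [])  # parse_qs percent-decodes values
    return targets[0] if targets else None


def assess_link(url, expected_hosts):
    """Classify a sign-in link found in an email that claims to come from a brand."""
    wrapped = unwrap_translate_link(url)
    if wrapped is None:
        host = (urlsplit(url.strip()).hostname or "").lower()
        verdict = "ok" if host in expected_hosts else "unexpected-host"
        return {"verdict": verdict, "real_host": host}
    # The "u" value may omit the scheme; add "//" so the host still parses.
    if not urlsplit(wrapped).netloc:
        wrapped = "//" + wrapped
    real_host = (urlsplit(wrapped).hostname or "").lower()
    # A login link routed through a translation service is suspicious in
    # itself: the browser shows a Google domain, the form posts elsewhere.
    return {"verdict": "translate-wrapped", "real_host": real_host}


# Constructed sample links (reserved example domains, not real indicators).
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://translate.google.com/translate?sl=auto&tl=en"
    "&u=https%3A%2F%2Flogin.phish.example%2Fgoogle%2F",
    "https://translate.google.com/translate?hl=en&u=mobile-login.example.net/fb",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(assess_link(link, {"accounts.google.com"}), link)
```

A mail gateway or triage script would apply `assess_link` to every link in a message that claims to be an account alert and quarantine anything that comes back `translate-wrapped`.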