Phishing Campaign Leverages Google Translate to Steal Google and Facebook Credentials

A phishing campaign has been detected that abuses Google Translate to make the phishing webpage appear to be an official login page for Google.

The phishing emails in the campaign are similar to many other campaigns that have been run in the past. The messages have the subject “Security Alert” with a message body virtually identical to the messages sent by Google when a user’s Google account has been accessed from an unfamiliar device or location.  The messages include the Google logo and the text, “A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.”

Underneath the text is a clickable button with the text “Consult the activity.” Clicking the button directs the user to a website that contains a spoofed Google login box. If credentials are entered, they are sent to the scammer.

The emails are sent from a Hotmail account – [email protected] – which is the first warning sign that the email notification is a fake. On desktop browsers, the URL that users are directed to is clearly not official, which is a further sign that this is a scam.

However, the scam will not be so clear to any user on a mobile device. If the button in the email is clicked, the user will be directed to a phishing webpage that is served via Google Translate. The visible part of the URL in the address bar starts with translate.googleusercontent.com/translate, which makes the URL appear genuine. The use of Google Translate may be sufficient for the emails to bypass mobile security defenses, and the apparently official Google domain is likely to fool many users into thinking the webpage is genuine.
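The two warning signs described above (a non-Google sender and a link that only looks like Google because it passes through Google Translate) can be checked automatically. The following is an added example, not code from the article or from Akamai; it assumes the wrapped page address is carried in the link's `u` query parameter, and the function names, domain lists and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# translate.googleusercontent.com is the host named in the article;
# translate.google.com is added here as an assumption.
TRANSLATE_HOSTS = {"translate.googleusercontent.com", "translate.google.com"}
# Assumption: domains accepted as genuine for a Google sign-in alert.
GOOGLE_DOMAINS = ("google.com",)

# Constructed sample data (reserved example domains, not from the campaign).
SAMPLE_SENDER = "alerts@hotmail.example"
SAMPLE_LINK = ("https://translate.googleusercontent.com/translate_c"
               "?depth=1&sl=auto&tl=en&u=http%3A%2F%2Flogin.example.test%2Fsignin")


def is_google(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)


def unwrap_translate(url):
    """Return the page a Google Translate link wraps, or None if not one."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in TRANSLATE_HOSTS:
        return None
    if not parts.path.startswith("/translate"):
        return None
    target = parse_qs(parts.query).get("u", [None])[0]
    if target and "://" not in target:
        target = "http://" + target  # bare host/path: add a scheme so it parses
    return target


def triage(sender, links):
    """List the warning signs in a message that claims to be a Google alert."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if not is_google(sender_domain):
        findings.append(f"sender domain {sender_domain} is not Google")
    for link in links:
        inner = unwrap_translate(link)
        host = urlsplit(inner or link).hostname
        if is_google(host):
            continue
        kind = "translate link wraps" if inner else "link points to"
        findings.append(f"{kind} non-Google host {host}")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_SENDER, [SAMPLE_LINK]))
```

A mail filter would judge the unwrapped host rather than the Google Translate host when scoring the link.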

If the user enters their Google credentials in the login box, an email is generated which sends the credentials to the attacker. The user is then redirected to a fake Facebook login page where the attackers also try to obtain the user’s Facebook login credentials.

The second attempt to phish for login credentials is easier to identify as fake, as an old login box for Facebook is used. However, by that point, the user’s Google account will already have been compromised.

The scam was identified by Larry Cashdollar at Akamai.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news