Researchers have found that attackers are using a new technique that leverages Google Translate to hide the real domain of their phishing sites. Phishing emails using this technique aren't complex and have already been spotted in the wild. However, the technique works more effectively on mobile devices than on desktops.
How does this technique work?
How effective is this technique?
This phishing technique isn't very effective on desktops, as there are multiple pointers that may alert users that something is suspicious.
However, these phishing emails work effectively on mobile devices, where hovering over a link is not possible and the Google Translate toolbar looks like a browser address bar when the phishing page is opened.
Example of a campaign using this technique
Larry Cashdollar, a security researcher at Akamai Technologies, spotted one such campaign leveraging Google Translate to hide a phishing site. He received an email notifying him that his Gmail account had been accessed from a new device. After examining the email thoroughly, he found that it was fake and had a lot of issues.
“First, the supposed security alert itself comes from a Hotmail account. Second, the entire address has nothing to do with Google. By using ‘facebook_secur’, there is a chance a mobile user will assume the message came from Facebook's security team,” Cashdollar described.
Cashdollar explained that when he clicked the embedded link in the email, it redirected him to a phishing page. He then noted that the attackers were loading the malicious domain through Google Translate.
“Using Google Translate does a number of things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses,” Cashdollar explained.
“However, while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google's older login portal), it fails completely when viewed from a computer,” the researcher added.
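For mail or proxy filtering, the point Cashdollar makes about the visible Google domain means a link has to be judged by the page it wraps, not by its outer host. The following is an added example, not code from the article or from Akamai: it assumes the wrapper is served from `translate.google.com` and carries the destination in the `u` query parameter, and all sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: host that serves the Google Translate page wrapper.
TRANSLATE_HOSTS = {"translate.google.com"}
MAX_DEPTH = 3  # wrappers can be nested; stop after a few layers


def unwrap_translate_url(url, depth=0):
    """Return the destination wrapped by a Google Translate link, else url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in TRANSLATE_HOSTS or depth >= MAX_DEPTH:
        return url
    inner = parse_qs(parts.query).get("u", [])  # parse_qs percent-decodes
    if not inner:
        return url  # ordinary Translate page, nothing wrapped
    target = inner[0]
    if "://" not in target:
        target = "http://" + target  # scheme-less destination
    return unwrap_translate_url(target, depth + 1)


def classify_link(url, trusted_suffixes=("google.com",)):
    """Judge a link by the host the user actually lands on."""
    final = unwrap_translate_url(url)
    outer = (urlsplit(url).hostname or "").lower()
    inner = (urlsplit(final).hostname or "").lower()
    trusted = any(inner == s or inner.endswith("." + s)
                  for s in trusted_suffixes)
    return {"outer_host": outer, "effective_host": inner,
            "wrapped": final != url, "trusted": trusted}


if __name__ == "__main__":
    # Constructed sample links (reserved .example domains).
    samples = [
        "https://translate.google.com/translate?sl=auto&tl=en"
        "&u=https%3A%2F%2Flogin-alert.example%2Fsignin",
        "https://accounts.google.com/signin",
    ]
    for link in samples:
        print(classify_link(link))
```

A filter would apply its reputation or allowlist check to `effective_host` and can treat `wrapped` links in a security-alert email as a signal in its own right.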