UPDATE
Recently discovered phishing emails scoop up victims’ Facebook and Google credentials and hide their malicious landing page via a novel method: Google Translate.
The phishing campaign uses a two-stage attack to target both Google and Facebook usernames and passwords, according to researchers at Akamai who posted a Tuesday analysis. But in a tricky twist, the scam also evades detection by burying its landing page in a Google Translate page – meaning that victims see a legitimate Google domain and are more likely to input their credentials.
“When it comes to phishing, criminals put a lot of effort into making their attacks look legitimate, while putting pressure on their victims to take action,” Larry Cashdollar, with Akamai, said in a Tuesday post. “This is an interesting attack, as it uses Google Translate, and targets multiple accounts in one go.”
Google Credentials
Cashdollar said that he first noticed the attack on Jan. 7 when an email notification on his phone informed him that his Google account had been accessed from a new Windows device.
The message, titled “Security Alert,” features an image branded with Google that says “A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.” Then, there’s a “Consult the activity” button below the message.
Interestingly, the message looked much more convincing in its condensed state on his mobile device, rather than on a desktop where the title of the email sender is more apparent, he said.
Upon closer look at the email, Cashdollar found that the “security alert” was sent from “facebook_secur[@]hotmail.com.”
That triggered two suspicions: First, the email came from a Hotmail account, which is a red flag on its own; second, the address had nothing to do with Google and instead referenced Facebook.
“Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn’t aware or paying attention,” he said. “Criminals conducting phishing attacks want to throw people off their game, so they’ll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later.”
When clicking on the “Consult the activity” button, Cashdollar was brought to a landing page that appeared to be a Google domain, prompting him to sign into his Google account.
However, one thing stuck out about the landing page – it was loading the malicious domain via Google Translate, Google’s service to help users translate webpages from one language to another.
Using Google Translate helps the bad actor hide the malicious page in several ways. Most importantly, the victim sees a legitimate Google domain, which “in some cases… will help the criminal bypass endpoint defenses,” said Cashdollar.
Using Google Translate also means the URL bar is filled with random text. Upon further inspection of that text, victims could see the real, malicious domain, “mediacity,” being translated.
Luckily, “while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer,” said Cashdollar.
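The obfuscation described above works because the browser shows Google’s domain while the page content comes from the attacker’s domain, which only survives as a parameter or an encoded subdomain in the URL. The following Python is an added example (not code from the article or from Akamai) of the check a mail gateway, proxy log review or browser extension could apply: unwrap a Google Translate proxy URL to recover the host actually being translated, then flag any login page whose real host does not belong to the brand it imitates. It handles the classic `translate.google.com/translate?…&u=<url>` form that the article’s attack relies on and, going beyond the article, the newer `*.translate.goog` subdomain form; the dash encoding of that form (dots become `-`, literal hyphens become `--`) is my understanding of the convention, not something the article states. The domain `mediacity.example` is a constructed placeholder standing in for the “mediacity” domain the article mentions.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts that serve a proxied copy of a third-party page through Google Translate.
TRANSLATE_PROXY_HOSTS = ("translate.google.com", "translate.googleusercontent.com")
TRANSLATE_GOOG_SUFFIX = ".translate.goog"

# Domains a genuine login form for each brand is allowed to come from (minimal list for the example).
BRAND_DOMAINS = {
    "google": ("google.com",),
    "facebook": ("facebook.com",),
}


def decode_translate_goog_label(label: str) -> str:
    """Reverse the *.translate.goog hostname encoding.

    Assumption (my understanding of the convention, not from the article):
    a literal '-' in the original host is written as '--', and each '.' as '-'.
    """
    out = []
    i = 0
    while i < len(label):
        if label.startswith("--", i):
            out.append("-")
            i += 2
        else:
            out.append("." if label[i] == "-" else label[i])
            i += 1
    return "".join(out)


def unwrap_translate_url(url: str):
    """Return the lowercase host of the page really being translated, or None
    when `url` is not a Google Translate proxy URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in TRANSLATE_PROXY_HOSTS:
        # Classic form: the wrapped page is carried in the `u` query parameter
        # (parse_qs percent-decodes it once).
        inner = parse_qs(parts.query).get("u", [None])[0]
        if not inner:
            return None
        return (urlsplit(inner).hostname or "").lower() or None
    if host.endswith(TRANSLATE_GOOG_SUFFIX):
        return decode_translate_goog_label(host[: -len(TRANSLATE_GOOG_SUFFIX)])
    return None


def host_belongs_to(host: str, domains) -> bool:
    """True when `host` is one of `domains` or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_login_page(url: str, claimed_brand: str):
    """Classify a login page URL for the brand its form claims to be.

    Returns (verdict, real_host). Verdict is 'ok' only when the page is served
    directly from the brand's own domain; anything reached through a translation
    proxy is 'suspicious', because a genuine login form is never delivered that way.
    """
    real_host = unwrap_translate_url(url)
    proxied = real_host is not None
    if not proxied:
        real_host = (urlsplit(url).hostname or "").lower()
    legit = host_belongs_to(real_host, BRAND_DOMAINS[claimed_brand])
    if proxied or not legit:
        return ("suspicious", real_host)
    return ("ok", real_host)


if __name__ == "__main__":
    # Constructed sample URLs: one Translate-wrapped phishing page per form, plus genuine pages.
    samples = [
        ("https://translate.google.com/translate?hl=en&sl=auto&tl=en"
         "&u=http%3A%2F%2Fmediacity.example%2Faccounts%2Fsignin", "google"),
        ("https://mediacity-example.translate.goog/accounts/signin?_x_tr_sl=auto", "google"),
        ("https://accounts.google.com/signin", "google"),
        ("https://m.facebook.com/login", "facebook"),
    ]
    for url, brand in samples:
        verdict, real_host = assess_login_page(url, brand)
        print(f"{verdict:10} {brand:8} real host = {real_host}")
```

The check deliberately treats a brand’s own domain reached through Translate as suspicious too: there is no legitimate reason for a sign-in form to be submitted through a translation proxy, and the article’s whole point is that the proxy, not the wrapped domain, is what makes the URL bar look trustworthy on a phone.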
Victims who fail to notice the red flags on the landing page have their credentials (username and password) collected – along with other information including IP address and browser type – and emailed to the attacker.
“We are aware of the phishing attempts and have blocked all sites in question, on multiple levels,” a Google spokesperson told Threatpost. The spokesperson urged users to report them if they encounter a phishing site.
Facebook Credentials
However, the attack didn’t stop there. The attacker then attempts to hit victims twice, by forwarding them to a second landing page that purports to be Facebook’s mobile login portal.
This type of two-stage attack appears to be on the rise as bad actors look to take advantage of victims who have already fallen for the first part of the scam, Cashdollar told Threatpost: “It seems this is becoming more common as the attacker knows they’ve gained your trust and try to steal additional credentials.”
Like the Google page, this Facebook landing page has some red flags. It uses an older version of the Facebook mobile login form, for instance.
“This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums,” said Cashdollar.
Despite these mistakes, the two stages of the phishing attack suggest a certain level of sophistication on the part of the attacker.
“It isn’t every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device. But it’s highly uncommon to see such an attack target two brands in the same session,” he said.
Phishing Scams on the Rise
Phishing attacks have continued to grow over the past year – and this particular scam is only one example of how bad actors behind the scams are updating their methods to become trickier.
According to a recent Proofpoint report, “State of the Phish,” 83 percent of respondents experienced phishing attacks in 2018 – up 5 percent from 2017. That may not come as a surprise, as in the last year phishing has led to several massive hacks – whether it’s hijacking Spotify users’ accounts or large data breaches like the December San Diego Unified School District breach of 500,000.
Other methods of phishing have increased as well. Up to 49 percent of respondents said they have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.
This article was updated on Feb. 7 at 4pm with a statement from Google.