Spammers Finding Favor with Google Translate

Some spammers, looking to launder the dirty links they email you, are relying on the positive reputation of Google Translate to redirect victims to rogue websites. Researchers at Barracuda Labs who maintain the company’s spam honeypots have spotted a rash of illicit messages trying to beat reputation filters by using this tactic.

Google TranslateSome spammers, looking to launder the dirty links they email you, are relying on the positive reputation of Google Translate to redirect victims to rogue websites. Researchers at Barracuda Labs who maintain the company’s spam honeypots have spotted a rash of illicit messages trying to beat reputation filters by using this tactic.

Research scientist Dave Michmerhuizen and engineer Shawn Anderson wrote a blogpost that describes how it’s being done, and added that they’ve seen a variety of large volume spam attacks where spammers are using the translate service to their advantage.

They point out that most spam filters will block shady messages if the reputation and destination of any embedded link is shaky. One end-around for this problem is for the spammer to use a mix of open URL redirectors and URL shorteners leading to sites in favor with reputation filters.

“One of the primary reasons that small weakly defended websites are hacked is to install simple redirect code—the spammer takes advantage of the good reputation of the website to evade spam filters, and the hacked website redirects anyone who clicks on the message links to the website that the spammer is promoting,” the blogpost read.

Essentially, Google Translate acts as the URL redirector, one that will pass muster with most spam filters and get messages into a victim’s inbox. One example shows a spam message with an embedded shortened link provided by a Yahoo URL shortening service. The link points to a Google Translate page that redirects to a hacked WordPress site. The WordPress site then returns Russian text in an iFrame that translates to: “Redirected to the requested page …” Google Translate then executes embedded code from the hacked site that breaks out of the iFrame and sends the victim to a rogue pharmaceutical website.

“We’ve tested many of these links in the lab, and it appears that Google may be implementing code that defeats framebusting, but our tests are inconclusive,” Michmerhuizen and Anderson said.  “Some links now redirect to google.com, while others still redirect to pharmacy sites.  We certainly hope this technique is not discovered by malware distributors. “

The Barracuda researchers recommend users avoid clicking on links embedded in email messages.

Suggested articles