Author Topic: New Phishing Attack Uses Google Translate as Camouflage  (Read 96 times)

Offline javajolt

New Phishing Attack Uses Google Translate as Camouflage
« on: February 08, 2019, 11:41:31 AM »
A phishing campaign that attempts to steal Google account and Facebook credentials has been discovered that utilizes Google Translate as camouflage on mobile browsers.

According to new research by Larry Cashdollar, a member of Akamai's Security Intelligence Response Team (SIRT), a phishing campaign was discovered that targets both Google and Facebook accounts. What makes this campaign so effective is its use of Google Translate to make the phishing page look like it's from a Google domain, while also making it harder to detect on mobile browsers.

These phishing emails pretend to be alerts from Google with a subject of "Security Alert" and state that they have detected your account being logged into from a new Windows device. The email then prompts you to learn more about what was detected by clicking on the "Consult the activity" button.


Phishing email pretending to be a Google Alert

When a user clicks on the link, they will be brought to a Google Translate page that opens up a remote phishing site that pretends to be a Google Account login. On desktop browsers, it can easily be spotted that the phishing page is being shown through Google Translate.


Google Account phishing page on a desktop browser.

For mobile browsers, though, it is much harder to detect as Google Translate shows a minimal interface when on mobile devices. Unfortunately, Cashdollar was not able to provide BleepingComputer with an image of how this particular scam looked on a mobile browser, so we created our own test page.

BleepingComputer created a test page containing a fake Google account login and opened it through Google Translate on a mobile browser. As you can see, the Google Translate interface is less noticeable and the page shows that we are visiting a page on the Google.com domain. To the user this may be more convincing, as they see a Google domain rather than a strangely named one.


How Google Translate looks on a mobile device

When the user enters their credentials in the original phishing page, a script is executed that emails the entered information to the attacker. Cashdollar illustrated this in Akamai's labs to show how this data is emailed to the attacker.


Email is sent to the attackers with victim's information

Now that the attackers have the victim's Google Account credentials, they perform another redirect to a Facebook phishing page where they try to get the victim's Facebook username and password as well. Cashdollar stated that this page was not optimized as well for mobile and was easier to spot as a fake.


Redirected Facebook phishing page

As you can see, attackers are constantly coming up with more innovative ways to trick users into providing their credentials. Users must always remain vigilant that they are entering sensitive information on the correct sites, and should always analyze a URL that is opened before doing so.

It is also important to remember that Google, or any other company for that matter, will never ask you to log in through Google Translate or any other translation service.

source
« Last Edit: February 08, 2019, 11:42:51 AM by javajolt »
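
A defender-side check for the wrapping described in the post, as an added example that is not part of the original post or the Akamai research: it unwraps a Google Translate link to the host that actually serves the page, so a mail filter can judge the link by that host instead of by the Google domain. The `u` query parameter, the brand domain list, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the wrapped page's address is carried in the "u" query
# parameter of a translate.google.com link.
TRANSLATE_HOSTS = {"translate.google.com"}
# Assumption: domains that legitimately belong to the brands named in the lure.
BRAND_DOMAINS = ("google.com", "facebook.com")

# Constructed sample links, as a mail filter might extract from a message body.
SAMPLE_LINKS = [
    "https://translate.google.com/translate?sl=auto&tl=en"
    "&u=https%3A%2F%2Flogin-check.example%2Fsignin",
    "https://translate.google.com/translate?sl=fr&tl=en&u=support.google.com/accounts",
    "https://translate.google.com.login-check.example/translate?u=x",
    "https://accounts.google.com/signin",
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def unwrap_translate(url):
    """Return the page a Google Translate link loads, or None if not one."""
    if host_of(url) not in TRANSLATE_HOSTS:  # exact match defeats lookalike hosts
        return None
    targets = parse_qs(urlsplit(url).query).get("u", [])
    if not targets:
        return None
    target = targets[0]  # parse_qs has already percent-decoded the value
    return target if "://" in target else "http://" + target


def assess_link(url):
    """Return (verdict, host that actually serves the page)."""
    target = unwrap_translate(url)
    if target is None:
        return ("direct", host_of(url))
    real = host_of(target)
    if any(real == d or real.endswith("." + d) for d in BRAND_DOMAINS):
        return ("translate-wraps-brand", real)
    return ("translate-wraps-third-party", real)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(assess_link(link), link)
```

A `translate-wraps-third-party` verdict on a link inside a message that claims to be an account security alert is the combination the post describes.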