A phishing campaign has been discovered that attempts to steal Google account and Facebook credentials and uses Google Translate as camouflage on mobile browsers.
According to new research by Larry Cashdollar, a member of Akamai’s Security Intelligence Response Team (SIRT), a phishing campaign was discovered that targets both Google and Facebook accounts. What makes this campaign so effective is its use of Google Translate to make the phishing page look like it’s from a Google domain, while also making it harder to detect on mobile browsers.
These phishing emails pretend to be alerts from Google with a subject of “Security Alert” and state that your account has been logged into from a new Windows device. They then prompt you to learn more about what was detected by clicking on the “Consult the activity” button.
When a user clicks on the link, they will be brought to a Google Translate page that opens up a remote phishing site that pretends to be a Google Account login. On desktop browsers, it can easily be spotted that the phishing page is being shown through Google Translate.
For mobile browsers, though, it is much harder to detect as Google Translate shows a minimal interface when on mobile devices. Unfortunately, Cashdollar was not able to provide BleepingComputer with an image of how this particular scam looked on a mobile browser, so we created our own test page.
BleepingComputer created a test page containing a fake Google account login and opened it through Google Translate on a mobile browser. As you can see, the Google Translate interface is less noticeable and the page shows that we are visiting a page on the Google.com domain. To the user this may be more convincing, as they see a Google domain rather than a strangely named one.
When the user enters their credentials in the original phishing page, a script is executed that emails the entered information to the attacker. Cashdollar illustrated this in Akamai’s labs to show how this data is emailed to the attacker.
Now that the attackers have the victim’s Google Account credentials, they perform another redirect to a Facebook phishing page where they try to get the victim’s Facebook username and password as well. Cashdollar stated that this page was not as well optimized for mobile and was easier to spot as a fake.
As you can see, attackers are constantly coming up with more innovative ways to trick users into providing their credentials. Users must always remain vigilant that they are entering sensitive information on the correct sites and should always analyze a URL that is opened before doing so.
It is also important to remember that Google, or any other company for that matter, will never ask you to log in through Google Translate or any other translation service.
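A mail-filter check for the link pattern described above, as an added example that is not from the original article or Akamai's research: it finds Translate-wrapped links in an email body and reports the host that actually serves the page. The host list, the use of the `u` query parameter and the sample email are assumptions made for this example; `phish.example` is a placeholder domain.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts treated as Google Translate's page-translation front end.
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def unwrap_translate(url, max_depth=3):
    """Return the page actually rendered behind a Translate link, or None."""
    inner = None
    for _ in range(max_depth):  # a link can be wrapped more than once
        parts = urlsplit(url)
        if (parts.hostname or "").lower() not in TRANSLATE_HOSTS:
            break
        target = parse_qs(parts.query).get("u")  # 'u' carries the translated URL
        if not target:
            break
        # The wrapped URL may be given without a scheme.
        url = inner = target[0] if "://" in target[0] else "http://" + target[0]
    return inner


def flag_links(body):
    """List (link, real_host) for every Translate-wrapped link in an email body."""
    findings = []
    for link in URL_RE.findall(body):
        # HTML bodies escape '&' in attribute values; undo that before parsing.
        inner = unwrap_translate(link.replace("&amp;", "&"))
        if inner:
            findings.append((link, (urlsplit(inner).hostname or "").lower()))
    return findings


# Constructed sample email body, not taken from the campaign.
SAMPLE = (
    '<a href="https://translate.google.com/translate?sl=auto&amp;tl=en'
    '&amp;u=https%3A%2F%2Fphish.example%2Flogin.html">Consult the activity</a>\n'
    '<a href="https://myaccount.google.com/notifications">Account</a>\n'
)

if __name__ == "__main__":
    for link, host in flag_links(SAMPLE):
        print(f"translate-wrapped link -> content served by {host}")
```

The reported host, not the Google domain shown in the address bar, is what should be checked against reputation data or an allowlist.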