
Don't Fall for This New Google Translate Phishing Attack


Sometimes, the most effective hacks are the simplest hacks. Targeting users’ email accounts with malicious links that gather personal data is one of the oldest and most successful hacks around. And now, you should be on the lookout for phishing emails that use Google Translate to mask their nefarious nature.


Phishing emails use a variety of approaches that all have the same goal: convincing you to click a link before you’ve properly investigated whether or not it’s safe. This week, a security researcher at Akamai outlined a novel phishing approach that they recently encountered in their inbox, one that uses Google Translate links to mask disreputable links.

In January, the researcher received an email informing them that someone had attempted to access their Google account on an unrecognized Windows device. They first saw the email on their phone and didn’t recall using a new device so they moved over to a laptop to look into it. Red flags became more apparent when the researcher was no longer staring at the minimal mobile interface.


The body of the email contained what looked like a standard notification from Google directing them to click through to take further steps. The link was for a malicious site designed to trick a user into giving up their Google login info. But in an effort to disguise the link, it was first run through Google Translate, meaning that if you previewed the URL it began with “www.translate.google.com.” For inattentive users, this might give the appearance of legitimacy. Clicking the link takes you to a page in Google Translate’s interface that still carries the Google URL in the browser navigation bar. Anyone who doesn’t notice the true URL in Google Translate’s search bar could easily be convinced that the login screen asking for their credentials is perfectly legitimate.
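The wrapping trick described above is easy to undo mechanically: Google Translate carries the page to be translated in the `u` query parameter of the `/translate` URL. As an added illustration (not code from the article or from Akamai), here is a small Python check a mail filter or a cautious user could run to unwrap such a link and compare the visible Google host with the real destination; the sample URL and its `.invalid` domain are constructed, and the host list is an assumption for this example.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Hosts this example treats as the Google Translate "wrapper" (assumption;
# extend the set for your own environment).
TRANSLATE_HOSTS = {"translate.google.com", "www.translate.google.com"}


def unwrap_translate_url(url: str) -> Optional[str]:
    """Return the real destination if `url` is a Google Translate wrapper.

    Translate links look like
      https://translate.google.com/translate?sl=auto&tl=en&u=<target>
    and the page actually being shown is the `u` parameter.
    Returns None when the URL is not such a wrapper.
    """
    parts = urlsplit(url)
    if parts.hostname not in TRANSLATE_HOSTS or parts.path != "/translate":
        return None
    # parse_qs percent-decodes the value, so an encoded target is handled too.
    return parse_qs(parts.query).get("u", [None])[0]


def is_google_owned(host: Optional[str]) -> bool:
    """Conservative check: only google.com and its subdomains count."""
    return host is not None and (host == "google.com" or host.endswith(".google.com"))


def classify_link(url: str) -> str:
    """Classify a link from an email that claims to come from Google.

    'wrapped-external': visible URL is Google Translate, real page is elsewhere
                        (the disguise the article describes) -> treat as phishing.
    'wrapped-google':   Translate wrapper around a Google-hosted page.
    'direct':           not a Translate wrapper at all.
    """
    target = unwrap_translate_url(url)
    if target is None:
        return "direct"
    return "wrapped-google" if is_google_owned(urlsplit(target).hostname) else "wrapped-external"


# Constructed sample in the style the article describes (not a real phishing URL).
SAMPLE = ("https://www.translate.google.com/translate?sl=auto&tl=en"
          "&u=https://accounts-security-check.example.invalid/login")

if __name__ == "__main__":
    print(classify_link(SAMPLE), "->", unwrap_translate_url(SAMPLE))
```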

The good news is this particular hacker gave many other clues that they were orchestrating a scam. First of all, the email came from “facebook_secur@hotmail.com.” Why would Facebook security be contacting you about your Google account, and why would they use a Hotmail address to do it? But even if you didn’t notice that, after you completed the Google sign-in, you might start getting suspicious when the malicious site next sends you to a Facebook login screen in an attempt to pull off a two-for-one scam.

We’ve reached out to Google to ask if this attack is common and if it has tools in place to help prevent it. We’ll update this post when we receive a reply.

Yes, the attack is sloppy and the hacker’s greed might alert even novice users to contact Google in order to correct their error immediately. But these types of criminals are normally targeting thousands of potential victims with the hope of at least snagging a few unlucky people in their trap. Attempting to get multiple logins in one try is risky, but if you’re going to go phishing, you might as well try to catch the biggest phish possible.


[Akamai, ZDNet]


DISCUSSION

EyeBreakThings

Phishing scams can get even the best trained user in my experience. In my org, we do a “Phishing Scam” test across campus a couple times a year, and inevitably someone in my group (including myself) falls for it, even though we know it’s coming (part of my duties are email admin, so I am well aware these are coming).

One time, a few years ago, I (almost) fully fell for a scam. Early morning, and if I’m being honest, a bit hungover. Email from Amazon, looks legit, asking to update my contact info. Click a link (and didn’t check the underlying URL) and land on a convincing looking Amazon login page. Log in, and get to a page that is asking for my contact info (and followed Amazon’s UX close enough it didn’t set off any alarms). So asking for things like my address, phone # etc. Then I get to the field SSN. *ALARMS GO OFF*. As quick as I can, I logged into my Amazon account and changed my password (I assume they captured it).

Edit: Also what’s up with Kinja, shit only loads properly in like 1-in-10 tries. Surprised I was able to leave this comment