A recent phishing attack targeting mobile users leveraged Google Translate to serve fake login pages to Google and Facebook users.
The attack started with a basic notification sent to the intended victim’s email address, claiming that someone had accessed their Google account from a new device. The user is prompted to review the activity by clicking on a button in the notification, which takes them to the phishing page instead.
When viewed on a mobile phone, the message is condensed and seems legitimate. However, if the user switches to a desktop PC, it becomes clear that the email is a phishing attempt, starting with the fact that it comes from an address that has nothing to do with Google: “[email protected]”
Akamai’s Larry Cashdollar, who discovered the attack, points out that the abuse of known brand names to give legitimacy to fake messages is a known tactic in phishing. Cybercriminals use various social engineering tactics to trick users into falling victims to their attacks without paying attention to little details.
Once the user clicks on the link in the fake notification, they are directed to a landing page that resembles the legitimate Google login page. To hide the actual link to the page, Google Translate is used to serve the landing page.
The use of Google Translate for this action results in the address bar being filled with lots of random text, but also in the user seeing a legitimate Google domain, which makes the attack more likely to succeed. This could also help bypassing endpoint defenses.
The attack, however, only appears successful when the intended victim accesses the fake login page from a mobile device. If the user enters their username and password in the page, they are collected and sent to the attacker.
While most phishing attempts usually stop here, this attack moves to the second stage at this point, looking to also steal the intended victim’s Facebook credentials. For that, the user is directed to a clone of Facebook’s mobile login portal.
Both the Google landing page and the fake Facebook login page are older versions of the respective mobile login forms, and Cashdollar suggests the kit is old, likely part of a widely circulated collection of kits commonly sold or traded on various underground forums.
The Facebook landing page is hosted on a different domain, linked to the domain hosting the fake Google login page via a script used by the attacker. Thus, once the Google credentials are collected and emailed to the actor, the Facebook landing page is served to the victim.
“The email records the victim’s username and password, as well as other information including IP address and browser type. Some phishing kits will collect more information, such as location, and various levels of PII, which is usually shared or sold for use in credential stuffing attacks or additional phishing attacks,” Cashdollar says.
The researcher also discovered that the Facebook landing page is linked to the author’s actual Facebook profile (or that of the attacker), meaning that the victim is directed to that page once they provide their credentials.