Attackers are spoofing Google Translate in an ongoing phishing campaign that uses a common JavaScript coding technique to bypass email security scanners. Leveraging trust in Google Translate is a never-before-seen approach, researchers said.
Researchers from Avanan, a Check Point Software Company, uncovered the campaign, which uses the coding technique to obfuscate phishing sites to make them appear legitimate to the end user as well as fool security gateways. The phish also uses social engineering tactics to convince users they need to respond quickly to an email or face having an account closed, according to a blog post published today.
The messages direct a user to a link that directs them to a credential-harvesting page that appears to be a legitimate Google Translate page, with a pre-populated email field that requires only that a person enter his or her password to log in.
The campaign is an example of a number of current, increasingly more sophisticated tactics that threat actors are using in contemporary phishing campaigns to fool both more savvy end users who have become familiar with malicious tactics, as well as email scanners that delete suspicious messages before they get through, noted Jeremy Fuchs, an Avanan cybersecurity researcher and analyst.
“This attack has a little bit of everything,” he wrote in the post. “It has unique social engineering at the front end. It leverages a legitimate site to help get into the inbox. It uses trickery and obfuscation to confuse security services.”
“Urgent Plea”
Researchers observed a Spanish-language email being used in the campaign, which begins — as most phishing messages do — with social engineering.
In this case, hackers make an “urgent plea” for a user to confirm access to his or her account by informing them that they are missing out on important emails and have only 48 hours in which to review them before they will be deleted.
“That’s a compelling message that might get someone to act,” Fuchs noted.
Upon taking the bait, the link directs a victim to a login page that is a “pretty convincing” Google Translate lookalike page, complete with the typical logo on the upper left-hand corner of the page and a drop-down list of languages. Closer inspection shows that the URL has nothing to do with Google Translate, however, the researchers noted.
The code in the background makes it even more apparent that the page is a fake, with the “HTML that goes into turning this site into a Google Translate lookalike,” Fuchs wrote.
One of the JavaScript commands hackers use here is the “unescape function,” which is “a classic command that helps obfuscate the true meaning of the page,” he wrote.
Unescape is a function in JavaScript that computes a new string in which hexadecimal escape sequences are replaced with the character that it represents. The function can be used on a webpage to appear to show the page as one thing but then, when decoded, shows a “bunch of gibberish” that can trick email security, according to a video about the phishing campaign posted by Avanan.
“This attack requires vigilance on the part of the end user, and advanced natural language processing on the part of the security service to stop,” Fuchs noted in the post.
Phishers Pivoting for Success
Indeed, as Internet users already are familiar with common tactics that threat actors use to fool them into giving up credentials to phishing pages, actors increasingly are pivoting to new tactics or combining common ones in different ways to help ensure the success of their cybercriminal activity, the researchers said.
Attackers recently have been seen using everything from voice-themed messages to spoofed PayPal invoices to leveraging the ongoing war in the Ukraine to get unwitting email users to take phishing bait.
Even with the ramp-up in sophistication, however, the usual precautions that all Internet users and security professionals alike should take to avoid giving up their credentials to phishers still apply — not only in the case of the Google Translate campaign but across the board, according to Avanan.
Researchers recommend that people always hover over URLs found in messages before clicking on them to ensure the destination is legitimate, as well as pay closer attention to grammar, spelling, and factual inconsistencies within an email before trusting it.
And as always, users also should put basic common sense into play when dealing with emails from unknown entities, researchers said. If they ever have doubts about where they’re coming from or their intentions, they should just ask the original sender to be sure before taking further actions.
