Phishers Leveraging Google Translate to Target Google and Facebook Users (Feb 7, 2019)
Larry Cashdollar, a member of Akamai's Security Intelligence Response Team (SIRT), received a phishing email that said his Google account had been accessed on an unknown Windows device. The email's content appeared very similar to a legitimate Google notification; however, the email purported to be from "facebook_secur@hotmail[dot]com." If the target clicked the "view activity" button, they were redirected to a fake Google login that used Google Translate to load the malicious domain, tricking users into thinking the domain was legitimate, though the domain being translated in the search bar was completely different from a Google page. The attack made two phishing attempts: if a user did enter their Google account information, they were then redirected to a Facebook page in an attempt to steal those credentials as well.
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. An email that requests that the recipient follow a link that then asks for credentials to be entered is often an indicator of a phishing attack. Users should be cognizant of the domain of any page they are redirected to in a phishing attempt, as often, despite the authentic appearance of the web page, the domain name will be something unusual and illegitimate. It is also a good idea to use Multi-Factor Authentication (MFA) to prevent other users from obtaining access to your accounts and to ensure more security when logging into a site yourself.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.
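A link check for the Google Translate wrapping described above, as an added example that is not part of the original report. It assumes the translated page's address is carried in the `u` query parameter of a Google Translate link; `TRANSLATE_HOSTS`, `LOGIN_HOSTS` and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts that serve Google Translate's web-page proxy, with the
# translated page's address in the "u" query parameter.
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}
# Assumption: hosts this organisation accepts for a Google or Facebook sign-in.
LOGIN_HOSTS = {"accounts.google.com", "www.facebook.com"}
MAX_DEPTH = 3  # a wrapper can point at another wrapper; stop unwrapping here


def unwrap_translate(url, depth=0):
    """Return (effective_url, was_wrapped): the page a translate link loads."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in TRANSLATE_HOSTS or depth >= MAX_DEPTH:
        return url, depth > 0
    inner = parse_qs(parts.query).get("u", [])
    if not inner:
        return url, depth > 0
    target = inner[0]            # parse_qs has already percent-decoded it
    if "://" not in target:      # the u parameter may omit the scheme
        target = "http://" + target
    return unwrap_translate(target, depth + 1)


def classify(url):
    """Label a link taken from an e-mail that claims to be a security notice."""
    effective, wrapped = unwrap_translate(url)
    host = (urlsplit(effective).hostname or "").lower()
    if wrapped and host not in LOGIN_HOSTS:
        return "suspicious", host   # Google in the address bar, other site inside
    if wrapped:
        return "review", host       # a real notice has no reason to use a wrapper
    return ("ok" if host in LOGIN_HOSTS else "unknown"), host


# Constructed sample links (example domains only)
SAMPLES = [
    "https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http://login-check.example/",
    "https://translate.google.com/translate?sl=auto&tl=en&u=accounts.google.com/signin",
    "https://accounts.google.com/signin",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify(link), link)
```

The verdict is based on the unwrapped host rather than the host shown in the address bar, which is the check the recommendation asks users to make by eye.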