Popular sites convey legitimacy to the end user. A user is more likely to click on something that looks like Google than something they’ve never seen before.
That’s what hackers are hoping happens in this latest attack.
In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers are spoofing Google Translate, and including a bunch of obfuscation tactics to get into the inbox and to get end-users to enter credentials.
Attack
In this attack, hackers are using spoofed Google Translate sites to create credential harvesting pages
- Vector: Email
- Type: Credential Harvesting, Brand Impersonation, Unescape Function
- Techniques: Social Engineering, Static Expressway, Obfuscation
- Target: Any end-user
Email Example #1
This email campaign targeted Spanish speakers. For our audience, we’ll translate what it says.
Hello, you have pending incoming emails that you haven't received yet. Access will be restricted until ownership is confirmed.
Confirm account now.
Note: access will be restricted within 48 business hours
This is a standard social engineering email that aims to get the user to do something. The ask: Your emails aren’t coming in, so we need you to confirm your account. You have 48 hours or else. This is a troubling email that would compel many to click.
Email Example #2
Once the end-user clicks, they are redirected to this login page. While it says Google Translate in the top left corner, the URL is different.
Email Example #3
In the background, you can see the HTML that goes into turning this site into a Google Translate lookalike. One of the JavaScript commands they use is the unescape function. This is a classic command that helps obfuscate the true meaning of the page.
Further, when decoding the JavaScript, you’ll see that the security service would see a bunch of gibberish.
Techniques
In our Attack Briefs, we continually discuss new ways that hackers find to get into the inbox.
In this attack, there’s a lot going on behind the scenes.
The first is social engineering. Hackers make an urgent plea to confirm access to the user’s account. Important emails are missing–you have just 48 hours to confirm your account and see these emails. That's a compelling message that might get someone to act.
When they click, they get directed to a login page. Even though it says Google Translate in the top left, it’s not. It’s a lookalike site–and a pretty convincing one, at that.
Behind the scenes, the hackers are using a lot of Javascript, including the Unescape command, to obfuscate their true intentions.
This attack has a little bit of everything. It has unique social engineering at the front end. It leverages a legitimate site to help get into the inbox. It uses trickery and obfuscation to confuse security services.
This attack requires vigilance on the part of the end-user, and advanced Natural Language Processing on the part of the security service to stop.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Always hover over URLs to ensure the destination is legitimate
- Be sure to pay attention to grammar, spelling and factual inconsistencies within an email
- If ever unsure about an email, ask the original sender