Phishers Serve Fake Login Pages via Google Translate

A recent phishing attack targeting mobile users leveraged Google Translate to serve fake login pages to Google and Facebook users.


The attack started with a basic notification sent to the intended victim’s email address, claiming that someone had accessed their Google account from a new device. The user is prompted to review the activity by clicking on a button in the notification, which takes them to the phishing page instead. 

When viewed on a mobile phone, the message is condensed and seems legitimate. However, if the user switches to a desktop PC, it becomes clear that the email is a phishing attempt, starting with the fact that it comes from an address that has nothing to do with Google: “[email protected]”.

Akamai’s Larry Cashdollar, who discovered the attack, points out that the abuse of known brand names to give legitimacy to fake messages is a known tactic in phishing. Cybercriminals use various social engineering tactics to trick users into falling victim to their attacks without paying attention to little details.

Once the user clicks on the link in the fake notification, they are directed to a landing page that resembles the legitimate Google login page. To hide the actual link to the page, Google Translate is used to serve the landing page. 

The use of Google Translate for this action results in the address bar being filled with lots of random text, but also in the user seeing a legitimate Google domain, which makes the attack more likely to succeed. This could also help bypass endpoint defenses.
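For defenders, links like this are best judged by the page being proxied rather than by the Google host shown in the address bar. The following Python is an added example, not code from Akamai's research or from the phishing kit; it assumes the translate link carries the real page in a `u` query parameter, and the host sets, function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: translation-proxy hosts that carry the real page in the "u"
# query parameter; extend the set for your environment.
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}
# Assumption: domains on which a Google sign-in form is expected.
LOGIN_DOMAINS = ("google.com",)

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def unwrap_translate(url, max_depth=3):
    """Return the URL actually rendered behind a translate-proxy link.
    Nested wrappers are followed up to max_depth; other URLs pass through."""
    for _ in range(max_depth):
        if host_of(url) not in TRANSLATE_HOSTS:
            break
        inner = parse_qs(urlsplit(url).query).get("u", [""])[0].strip()
        if not inner:
            break
        # The parameter may omit the scheme; add one so the host parses.
        url = inner if "://" in inner else "http://" + inner
    return url

def in_domain(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(url):
    """Classify a link by the origin serving the content, not the visible host."""
    visible, effective = host_of(url), host_of(unwrap_translate(url))
    if visible == effective:
        return ("direct", effective)
    if in_domain(effective, LOGIN_DOMAINS):
        return ("proxied-trusted", effective)
    return ("proxied-untrusted", effective)

# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://accounts.google.com/signin",
    "https://translate.google.com/translate?hl=en&sl=auto&tl=en"
    "&u=https%3A%2F%2Flogin.phish.example%2Fg%2F",
    "https://translate.google.com/translate?sl=auto&tl=en&u=www.google.com",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage(link), link)
```

A mail gateway or proxy can apply its normal reputation and allowlist checks to the second element of the result, so a sign-in form served through the translator is evaluated against the proxied host.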

The attack, however, only appears successful when the intended victim accesses the fake login page from a mobile device. If the user enters their username and password in the page, they are collected and sent to the attacker. 

While most phishing attempts usually stop here, this attack moves to the second stage at this point, looking to also steal the intended victim’s Facebook credentials. For that, the user is directed to a clone of Facebook’s mobile login portal.

Both the Google landing page and the fake Facebook login page are older versions of the respective mobile login forms, and Cashdollar suggests the kit is old, likely part of a widely circulated collection of kits commonly sold or traded on various underground forums.

The Facebook landing page is hosted on a different domain, linked to the domain hosting the fake Google login page via a script used by the attacker. Thus, once the Google credentials are collected and emailed to the actor, the Facebook landing page is served to the victim. 

“The email records the victim’s username and password, as well as other information including IP address and browser type. Some phishing kits will collect more information, such as location, and various levels of PII, which is usually shared or sold for use in credential stuffing attacks or additional phishing attacks,” Cashdollar says. 

The researcher also discovered that the Facebook landing page is linked to the author’s actual Facebook profile (or that of the attacker), meaning that the victim is directed to that page once they provide their credentials. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
