{"id":20673,"date":"2022-11-24T04:30:13","date_gmt":"2022-11-24T12:30:13","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/11\/24\/news-14406\/"},"modified":"2022-11-24T04:30:13","modified_gmt":"2022-11-24T12:30:13","slug":"news-14406","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/11\/24\/news-14406\/","title":{"rendered":"Link to Google Translate in phishing email | Kaspersky official blog"},"content":{"rendered":"<p><strong>Credit to Author: Roman Dedenok| Date: Thu, 24 Nov 2022 12:14:04 +0000<\/strong><\/p>\n<p>When discussing cybercriminal tricks, we always recommend that you look carefully at the URL when clicking a link in an email. Here&#8217;s another red flag \u2014 a link to a page translated using Google Translate. In theory, it could be that the sender of the email is inviting you to visit a site in a different language and is trying to be helpful. In practice, however, this technique is most often used to bypass antiphishing mechanisms. 
If the message forms part of business correspondence, and the site that&#8217;s opened after you click on the link wants you to enter your mail credentials, close the browser window and delete the email right away.<\/p>\n<h2>Why attackers use Google Translate links<\/h2>\n<p>Let&#8217;s take a look at a recent example of phishing through a Google Translate link caught by our traps:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070029\/google-translate-scheme-letter.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070029\/google-translate-scheme-letter.jpg\" alt=\"A letter with a link to Google Translate.\" width=\"1192\" height=\"606\" class=\"aligncenter size-full wp-image-46381\" \/><\/a><\/p>\n<p>The senders of the email allege that the attachment is some kind of payment document available exclusively to the recipient, which must be studied for a &#8220;contract meeting presentation and subsequent payments.&#8221; The Open button link points to a site translated by Google Translate. However, this becomes clear only when clicking on it, because in the email it appears like this:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070625\/google-translate-scheme-link.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070625\/google-translate-scheme-link.jpg\" alt=\"Link under the &#8220;Open&#8221; button.\" width=\"619\" height=\"329\" class=\"aligncenter size-full wp-image-46382\" \/><\/a><\/p>\n<p>The strange wording is perhaps intentional \u2014 an attempt by the attackers to create the impression of not being native English speakers to make the Google Translate link seem more convincing. Or maybe they&#8217;ve just never seen a real email with financial documents. 
Pay attention to the two links below (&#8220;Unsubscribe From This List&#8221; and &#8220;Manage Email Preferences&#8221;), as well as the <em>sendgrid.net<\/em> domain in the link.<\/p>\n<p>These are signs that the message was not sent manually, but through a legitimate mailing service \u2014 in this case the SendGrid service, but any other ESP could have been used. Services of this type normally protect their reputation and periodically delete mail campaigns aimed at phishing and block their creators. That&#8217;s why attackers run their links through Google Translate \u2014 the ESP&#8217;s security mechanisms see a legitimate Google domain and don&#8217;t consider the site to be suspicious. In other words, it&#8217;s an attempt not only to dupe the end-user target, but the filters of the intermediary service as well.<\/p>\n<h2>What does a link to a page translated by Google Translate look like?<\/h2>\n<p><a href=\"https:\/\/translate.google.com\/\" target=\"_blank\" rel=\"nofollow noopener\">Google Translate<\/a> lets you translate entire websites simply by passing it a link and selecting the source and target languages. The result is a link to a page where the original domain is hyphenated, and the URL is supplemented with the domain <em>translate.goog<\/em>, followed by the name of the original page and keys indicating which languages the translation was made to and from. 
For example, the URL of the translation of the home page of our English-language blog <a href=\"http:\/\/www.kaspersky.com\/blog\" target=\"_blank\" rel=\"nofollow noopener\">www.kaspersky.com\/blog<\/a> into Spanish will look like this: <a href=\"https:\/\/www-kaspersky-com.translate.goog\/blog\/?_x_tr_sl=auto&amp;_x_tr_tl=es&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp\" target=\"_blank\" rel=\"nofollow noopener\">www-kaspersky-com.translate.goog\/blog\/?_x_tr_sl=auto&amp;_x_tr_tl=es&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp<\/a>.<\/p>\n<p>The phishing email we analyzed sought to lure the user here:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070702\/google-translate-scheme-webmail.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070702\/google-translate-scheme-webmail.jpg\" alt=\"Webmail login page imitation.\" width=\"1278\" height=\"690\" class=\"aligncenter size-full wp-image-46383\" \/><\/a><\/p>\n<p>The browser address bar, despite the string of garbage characters, clearly shows that the link was translated by Google Translate.<\/p>\n<h2>How to stay safe<\/h2>\n<p>To keep company employees from falling for cybercriminal tricks, we recommend periodically refreshing their knowledge of phishing tactics (for example, by sending them relevant links to our blog) or, better still, raising their awareness of modern cyberthreats with the aid of <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\">specialized learning tools<\/a>. Incidentally, in the above example, a trained user would never have gotten as far as the phishing page \u2014 the chances of a legitimate financial document addressed to a specific recipient being sent through an ESP service are pretty slim at best. 
A while back, we posted about <a href=\"https:\/\/www.kaspersky.com\/blog\/phishing-via-esp\/37467\/\" target=\"_blank\" rel=\"noopener\">ESP-based phishing<\/a>.<\/p>\n<p>To be extra sure, we additionally recommend using solutions with antiphishing technologies both at the <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\">corporate mail server level<\/a> and on <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\">all employee devices<\/a>.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/google-translate-scheme\/46377\/\" target=\"bwo\" >https:\/\/blog.kaspersky.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24071024\/google-translate-scheme-featured.jpg\"\/><\/p>\n<p><strong>Credit to Author: Roman Dedenok| Date: Thu, 24 Nov 2022 12:14:04 +0000<\/strong><\/p>\n<p>A link to Google Translate service in a business email could be a sign of 
phishing.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10425,10378],"tags":[1001,12177,16802,3924,23212,12321],"class_list":["post-20673","post","type-post","status-publish","format-standard","hentry","category-kaspersky","category-security","tag-business","tag-enterprise","tag-mail","tag-phishing","tag-phishing-scams","tag-smb"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20673"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20673\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20673"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}