{"id":46377,"date":"2022-11-24T07:14:04","date_gmt":"2022-11-24T12:14:04","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=46377"},"modified":"2022-11-24T07:15:04","modified_gmt":"2022-11-24T12:15:04","slug":"google-translate-scheme","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/google-translate-scheme\/46377\/","title":{"rendered":"Google Translate for phishing"},"content":{"rendered":"<p>When discussing cybercriminal tricks, we always recommend that you look carefully at the URL when clicking a link in an email. Here\u2019s another red flag \u2014 a link to a page translated using Google Translate. In theory, it could be that the sender of the email is inviting you to visit a site in a different language and is trying to be helpful. In practice, however, this technique is most often used to bypass antiphishing mechanisms. If the message forms part of business correspondence, and the site that\u2019s opened after you click on the link wants you to enter your mail credentials, close the browser window and delete the email right away.<\/p>\n<h2>Why attackers use Google Translate links<\/h2>\n<p>Let\u2019s take a look at a recent example of phishing through a Google Translate link caught by our traps:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070029\/google-translate-scheme-letter.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070029\/google-translate-scheme-letter.jpg\" alt=\"A letter with a link to Google Translate.\" width=\"1192\" height=\"606\" class=\"aligncenter size-full wp-image-46381\"><\/a><\/p>\n<p>The senders of the email allege that the attachment is some kind of payment document available exclusively to the recipient, which must be studied for a \u201ccontract meeting presentation and subsequent payments.\u201d The Open button link points to a site translated by Google Translate. 
However, this becomes clear only when clicking on it, because in the email it appears like this:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070625\/google-translate-scheme-link.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070625\/google-translate-scheme-link.jpg\" alt=\"Link under the Open button.\" width=\"619\" height=\"329\" class=\"aligncenter size-full wp-image-46382\"><\/a><\/p>\n<p>The strange wording is perhaps intentional \u2014 an attempt by the attackers to create the impression of not being native English speakers to make the Google Translate link seem more convincing. Or maybe they\u2019ve just never seen a real email with financial documents. Pay attention to the two links below (\u201cUnsubscribe From This List\u201d and \u201cManage Email Preferences\u201d), as well as the <em>sendgrid.net<\/em> domain in the link.<\/p>\n<p>These are signs that the message was not sent manually, but through a legitimate mailing service \u2014 in this case the SendGrid service, but any other ESP could have been used. Services of this type normally protect their reputation and periodically delete mail campaigns aimed at phishing and block their creators. That\u2019s why attackers run their links through Google Translate \u2014 the ESP\u2019s security mechanisms see a legitimate Google domain and don\u2019t consider the site to be suspicious. In other words, it\u2019s an attempt not only to dupe the end-user target, but the filters of the intermediary service as well.<\/p>\n<h2>What does a link to a page translated by Google Translate look like?<\/h2>\n<p><a href=\"https:\/\/translate.google.com\/\" target=\"_blank\" rel=\"nofollow noopener\">Google Translate<\/a> lets you translate entire websites simply by passing it a link and selecting the source and target languages. 
The result is a link to a page where the original domain is hyphenated, and the URL is supplemented with the domain <em>translate.goog<\/em>, followed by the name of the original page and keys indicating which languages the translation was made to and from. For example, the URL of the translation of the home page of our English-language blog <a href=\"http:\/\/www.kaspersky.com\/blog\" target=\"_blank\" rel=\"nofollow noopener\">www.kaspersky.com\/blog<\/a> into Spanish will look like this: <a href=\"https:\/\/www-kaspersky-com.translate.goog\/blog\/?_x_tr_sl=auto&amp;_x_tr_tl=es&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp\" target=\"_blank\" rel=\"nofollow noopener\">www-kaspersky-com.translate.goog\/blog\/?_x_tr_sl=auto&amp;_x_tr_tl=es&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp<\/a>.<\/p>\n<p>The phishing email we analyzed sought to lure the user here:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070702\/google-translate-scheme-webmail.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/11\/24070702\/google-translate-scheme-webmail.jpg\" alt=\"Webmail login page imitation.\" width=\"1278\" height=\"690\" class=\"aligncenter size-full wp-image-46383\"><\/a><\/p>\n<p>The browser address bar, despite the string of garbage characters, clearly shows that the link was translated by Google Translate.<\/p>\n<h2>How to stay safe<\/h2>\n<p>To keep company employees from falling for cybercriminal tricks, we recommend periodically refreshing their knowledge of phishing tactics (for example, by sending them relevant links to our blog) or, better still, raising their awareness of modern cyberthreats with the aid of <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">specialized learning tools<\/a>. 
Incidentally, in the above example, a trained user would never have gotten as far as the phishing page \u2014 the chances of a legitimate financial document addressed to a specific recipient being sent through an ESP service are pretty slim at best. A while back, we posted about <a href=\"https:\/\/www.kaspersky.com\/blog\/phishing-via-esp\/37467\/\" target=\"_blank\" rel=\"noopener nofollow\">ESP-based phishing<\/a>.<\/p>\n<p>To be extra sure, we additionally recommend using solutions with antiphishing technologies both at the <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">corporate mail server level<\/a> and on <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">all employee devices<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why might a business email contain a link to Google 
Translate?<\/p>\n","protected":false},"author":2598,"featured_media":46384,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[19,76,726],"class_list":{"0":"post-46377","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-email","11":"tag-phishing","12":"tag-scam"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/google-translate-scheme\/46377\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/google-translate-scheme\/24891\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/google-translate-scheme\/20392\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/google-translate-scheme\/27448\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/google-translate-scheme\/25558\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/google-translate-scheme\/28120\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/google-translate-scheme\/27389\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/google-translate-scheme\/34277\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/google-translate-scheme\/19804\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/google-translate-scheme\/20431\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/google-translate-scheme\/29537\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/google-translate-scheme\/32912\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/google-translate-scheme\/25617\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/46377","targetHints":{"allow":["
GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=46377"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/46377\/revisions"}],"predecessor-version":[{"id":46387,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/46377\/revisions\/46387"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/46384"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=46377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=46377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=46377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}