Attackers have started running a new phishing campaign that seeks to steal users' Facebook and Google login credentials. Larry Cashdollar, a security researcher at the Akamai Security Intelligence Response Team, recently received an email that Google had flagged as suspicious. The email told him about a new device that had been used to connect to his Google account. Since he was not logged into his account when the warning email arrived, he decided to look at the message more thoroughly.
The email, sent from email@example.com, was a short report presented as coming from Google. The first thing to stand out was the Hotmail account, and the address had more to do with Facebook than with Google. Abusing the name of a well-known company is a trick that is actively used in phishing attacks. In this case, the scammers tried to deceive users into thinking that the alert came from the Facebook security team.
First part of the attack - report by Google
The fake e-mail also included a 'Consult the activity' link which, once clicked, redirects the victim directly to a page that asks for the login and password of the Google Account. What is suspicious about this landing page is that it is served through the Google Translate domain. This is a clever choice: when the user looks at the URL in the address bar, a legitimate Google domain appears and creates a false sense of legitimacy.
According to Cashdollar, the address of the link seems legitimate when it is opened on a mobile device. However, analysis of the email and the landing page address on a computer reveals the full "translate.googleusercontent.com/translate" portion of the URL.
If the user notices this address in the first stage of the attack, the attack can be avoided. However, when you enter your email and password to log in to your Google Account, the attacker can collect the information you have entered and proceed to the next step of the attack.
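A mail-filter style check for the two warning signs described above, as an added example that is not taken from Akamai's analysis: it flags an alert sent from a free webmail account and unwraps a link that goes through Google Translate to show the host that really serves the login page. The `u` query parameter as the carrier of the wrapped page, the webmail list, the function names and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts that serve third-party pages through Google Translate.
TRANSLATE_HOSTS = {"translate.googleusercontent.com", "translate.google.com"}
# Free webmail domains a vendor security team would not send from (constructed list).
FREE_MAIL = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}


def unwrap_translate(url):
    """Return the proxied origin URL if `url` goes through Google Translate, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in TRANSLATE_HOSTS or not parts.path.startswith("/translate"):
        return None
    # Assumption: the wrapped page is carried in the `u` query parameter.
    target = parse_qs(parts.query).get("u", [""])[0]
    return target or None


def assess(sender, claimed_brand, link):
    """Collect the warning signs described in the article for one alert email."""
    findings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL:
        findings.append(f"'{claimed_brand}' alert sent from free webmail domain {domain}")
    origin = unwrap_translate(link)
    if origin:
        real_host = (urlsplit(origin).hostname or "").lower()
        findings.append(f"link is proxied by Google Translate; real host is {real_host}")
        if not (real_host == "google.com" or real_host.endswith(".google.com")):
            findings.append("login page is not hosted by Google")
    return findings


# Constructed sample input (not taken from the real campaign).
SAMPLE = {
    "sender": "security-team@hotmail.com",
    "claimed_brand": "Google",
    "link": "https://translate.googleusercontent.com/translate_c"
            "?depth=1&sl=auto&tl=en&u=https://phish.example/login",
}

if __name__ == "__main__":
    for finding in assess(**SAMPLE):
        print("WARN:", finding)
```

The same unwrapping step is useful in a mail gateway or a SOC triage script, because reputation checks on the visible host alone will see only the Google domain.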
Second part of the attack - stealing your Facebook credentials
The phishers behind this campaign try to hit users twice, using two different tactics to acquire Google and Facebook credentials. Once the criminals have the login information for your Google Account, they redirect you to a copy of the Facebook login portal. The phishing is clearly targeted at mobile users, and the Facebook landing page displays the mobile version of the login page.
According to Cashdollar, the first credentials that are collected are the email and password for your Google account. Later, other information can be collected, including:
- IP addresses
- browser type
- additional personal information
Users should note that the collected data can later be used to steal more valuable credentials from victims in other attacks.