Attackers Use Well-Known Infrastructure for Credential Harvesting
 

Editor’s note: Mimecast researcher Nir Steinfeld is credited with this discovery. 

Stolen credentials are one of the most effective and common methods for breaching an organization’s defenses. Malicious actors steal these credentials through credential harvesting attacks, often via email phishing. Once in their possession, user credentials are used to gain easy access to systems or can even be traded or sold on the dark web to fund further malicious activities. 

As part of their online attack efforts, cybercriminals deploy phishing websites, which is where users are taken to when they click on the malicious links in the phishing emails they receive. These fake sites, which often mimic real, well-known sites are where users put in their credentials, only to have them stolen. 

These phishing websites were originally hosted on suspicious domains that are more likely to be rather easily detected by most security tools.

To combat having their malicious websites discovered so easily, cybercriminals utilize infrastructure provided by well-known companies to hide the source of their webpages and make them seem like they use legitimate domains and certificates.

Recent Mimecast threat research conducted by Nir Steinfeld detected a large campaign – over 10,000 webpages in less than a month – that takes advantage of Google infrastructure to bypass security layers, reach users, and then trick them into giving away their personal credentials.

The campaign took place all over the world, including Europe, South Africa, the U.S., and Australia.

The Technique

Google Translate provides an online service for website translations. Providing a URL, it returns an identical webpage with its text translated to a desired language.

Figure 1: Google Translate’s websites translation feature

For example, a user can enter the URL for Der Spiegel, a German weekly news magazine, and get the whole page translated to any of the languages Google Translate supports.

Figure 2: www.spiegel.de

Figure 3: Translated version of www.spiegel.de

The Potential Harm

The phishing pages Nir’s research detected were all hosted using Cloudflare IPFS or other hosting services and camouflaged using Google Translate’s website translation.

Some of these pages were up for more than a month before being discovered. VirusTotal, which aggregates many scan engines, shows that the original URLs get more detections than the ones using Google Translate’s domain. This demonstrates the effectiveness of this attack vector.

Figure 4: VT status for the original URL (flagged by 15 vendors) and for the same URL using Google Translate (flagged by just 6 vendors)

The page replicates Microsoft’s official “Outlook on the web” login page.

Figure 5: The original phishing webpage

Google Translate’s feature adds a top bar enabling users to set their preferred language and go back to the original URL.

Figure 6: Phishing page for Outlook using Google Translate

Most users will open the URL, recognize the appearance of Outlook’s login ꟷ most likely not notice the use of Google Translate here ꟷ and assume they are using an official Microsoft service.

In conducting his research, Nir examined the certificate of the URLs sent and discovered a legitimate Google Trust Services signature (Figure 7). The fact that the certificate and domain are Google’s official certificate and domain in many cases may help the URL bypass security gateways that automatically approve Google’s trusted services.

Figure 7: The certificate for a webpage using Google Translate’s feature

Mimecast’s Edge

Security tools that are based on blocklists and signatures are likely to fail at detecting this kind of attack. Mimecast’s secure email gateway in the cloud, Email Security, Cloud Gateway (Email Security CG), is designed to keep any type of email environment, even the most complex, secure. Offering advanced administration capabilities and a range of complementary solutions and integrations, it’s ideal for IT and security teams that want to control risk and tame complexity.

Email Security CG analyzes pages in real time, using advanced natural language and image processing to produce heuristics about the potential harm in a webpage, resulting in the detection of these kinds of attacks. So, while other security tools allow users to visit malicious sites and enter their credentials, only to have them stolen, Mimecast’s Email Security CG stops the malicious email from ever being delivered because it recognizes the website link in the email is actually a malicious site using Google Translate to mask its nefarious intentions.

Next Steps

Professionals concerned about attacks like the one discovered in this new research from the Mimecast Threat Research team should check back regularly on this blog for updates on new discoveries. And if they haven’t already, they should consider deploying an advanced email security tool like Email Security CG to stop these attacks before they are delivered to users.