McAfee Labs

Beware of Clicking the Web Translator Hyperlink

0
By on Apr 03, 2013

Foreign languages are no longer as difficult to understand as they once were, thanks to improvements in web translation services, which instantly translate words and web pages. The website translator plug-in can expand your global world with an amazing and effortless approach by automatically recognizing foreign-language identifiers. Website translators require JavaScript to be enabled to run. The command usually follows this form:

  • http://<web translate service provider domain >/translate?u=<website or link that you want to restate in your favorite language>

McAfee Labs Messaging Security recently observed a spam trait based around an Internet web translator application. Spammers never rely on just one strategy. We recently saw that these translator web services are exclusively marketed by cybercriminals who are using redirection techniques that employ URL shorteners to disguise the destination links. We observed the following URL prototypes during our investigation:

  • http://<web translate service provider domain >/translate?u=< some shorten URI Domain>/4cj0?/
  • http:// <web translate service provider domain >/translate?u=< some shorten URI Domain>/Yi9Gsi?/
  • http:// <web translate service provider domain >/translate?u=< some shorten URI Domain>/wqEZs?/
  • http:// <web translate service provider domain >/translate?u=< some shorten URI Domain>/kK17V?/
  • http:// <web translate service provider domain >/translate?u=< some shorten URI Domain>/4cj4?/crowded answer.htm&hl=en

Because online web translators are very effective and powerful tools, spammers have targeted and spoofed these application links to bypass spam filters and get their victims to click the links.

In the past, security experts have come across incidences of spammers who employed URI shorteners to avoid domain blacklists. Now spammers have pioneered spamming with web translator links similar to the shortened URI sites. We have seen this campaign used especially for pharmacy spam using the following subject lines:

Subject-Line Examples

  • If your wife in bed resembles a log apply pure magic of pharmacy!
  • When sexual problems suddenly come into your life you’d better be prepared to meet it!
  • Autumn is the season of giant savings all over the world! Boost your health
  • One tiny pill can make your erection ten times harder. See the difference!
  • Doctors didn’t help me restore my sexual activity and health. But Tibetan monks did!

We have found that all the samples come from free-account web mailers with various accounts linked with them. Spammers spoofed and used web email accounts to send their messages.

 

“From” Header Examples

  • Angie De La Riva <hubcap.betty@<web mailer  domain>>
  • yoko <yokobedoko@<web mailer  domain>>
  • Rainforest La <mssubmit63@<web mailer  domain>>
  • wutupbatch26@<web mailer  domain>
  • Nkateko Siwele <nkateko108@<web mailer  domain>>

Spammers usually just crowd some spammed links using shortening services that redirect victims to a phishing pharmacy website. Once the user clicks on a spoofed URL, a query appears that is mapped to some other bogus-link location on a web-translation service provider domain search box. That link redirects to the pharmacy spam site. The following image shows the view after the connection to a redirected website:

Web_Translator_hyperlink_img2

 

Final Redirect

The translator engine tries to translate this website but cannot because the inserted fake link redirects the victim to a forged pharmacy site:

Web_Translator_hyperlink_img3

 

Email Sample

Most samples come with a single hyperlink and some spam content in the text body and subject lines. In this campaign,  spammers pick the translator service to make it tricky for antispam companies to filter or become aware of this latent spam. Spammers target the recipients with emails designed to tickle their curiosity.

Web_Translator_hyperlink_img4

As always, we advise users to follow best practices to avoid any targeted fraud/spam/phishing harassment.

  • Do not open or click any links in emails from unknown persons
  • Ignore unsolicited requests for sensitive personal information
  • Regularly update your security software, such as McAfee Email & Web security product
  • Don’t open any suspicious attachments in emails from unknown persons
Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>