- http://<web translate service provider domain>/translate?u=<website or link that you want to translate into your preferred language>
McAfee Labs Messaging Security recently observed a spam trend built around Internet web translator applications. Spammers never rely on just one strategy. We recently saw these translator web services being abused by cybercriminals, who use redirection techniques that employ URL shorteners to disguise the destination links. We observed the following URL patterns during our investigation:
- http://<web translate service provider domain>/translate?u=<some shortened URI domain>/4cj0?/
- http://<web translate service provider domain>/translate?u=<some shortened URI domain>/Yi9Gsi?/
- http://<web translate service provider domain>/translate?u=<some shortened URI domain>/wqEZs?/
- http://<web translate service provider domain>/translate?u=<some shortened URI domain>/kK17V?/
- http://<web translate service provider domain>/translate?u=<some shortened URI domain>/4cj4?/crowded answer.htm&hl=en
Because online web translators are very effective and powerful tools, spammers have targeted and spoofed these application links to bypass spam filters and get their victims to click the links.
In the past, security experts have come across instances of spammers who employed URI shorteners to avoid domain blacklists. Now spammers have pioneered spamming with web translator links, much as they did with shortened URI sites. We have seen this campaign used especially for pharmacy spam, with the following subject lines:
- If your wife in bed resembles a log apply pure magic of pharmacy!
- When sexual problems suddenly come into your life you’d better be prepared to meet it!
- Autumn is the season of giant savings all over the world! Boost your health
- One tiny pill can make your erection ten times harder. See the difference!
- Doctors didn’t help me restore my sexual activity and health. But Tibetan monks did!
We have found that all the samples come from free-account web mailers with various accounts linked with them. Spammers spoofed and used web email accounts to send their messages.
“From” Header Examples
- Angie De La Riva <hubcap.betty@<web mailer domain>>
- yoko <yokobedoko@<web mailer domain>>
- Rainforest La <mssubmit63@<web mailer domain>>
- wutupbatch26@<web mailer domain>
- Nkateko Siwele <nkateko108@<web mailer domain>>
Spammers usually just cram their messages with spammed links that use shortening services to redirect victims to a phishing pharmacy website. Once the user clicks a spoofed URL, a query appears in the search box on the web-translation service provider's domain, and that query is mapped to another bogus link location. That link redirects to the pharmacy spam site. The following image shows the view after the connection to a redirected website:
The translator engine tries to translate this website but cannot because the inserted fake link redirects the victim to a forged pharmacy site:
Most samples come with a single hyperlink and some spam content in the text body and subject lines. In this campaign, spammers pick the translator service to make it tricky for antispam companies to filter or become aware of this latent spam. Spammers target the recipients with emails designed to tickle their curiosity.
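A filter can counter this by unwrapping the translator link and checking the nested target rather than the translator's own domain. The following is an added example, not McAfee code: the host lists, sample body and function names are constructed assumptions, and the only structure taken from the article is the `/translate?u=` URL pattern.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder lists; a real filter would load its own feeds.
TRANSLATOR_HOSTS = {"translate.example"}
SHORTENER_HOSTS = {"short.example", "tiny.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def _split(url):
    """Parse a URL, adding a scheme when the nested target omits one."""
    return urlsplit(url if SCHEME_RE.match(url) else "http://" + url)

def unwrap_translator_link(url, max_depth=3):
    """Peel translator wrappers; return (innermost target, translator hosts seen)."""
    chain = []
    for _ in range(max_depth):  # bounded so nested wrappers cannot loop forever
        parts = _split(url)
        host = parts.hostname or ""
        if host not in TRANSLATOR_HOSTS:
            break
        if not parts.path.rstrip("/").endswith("/translate"):
            break
        target = parse_qs(parts.query).get("u", [""])[0].strip()
        if not target:
            break
        chain.append(host)
        url = target
    return url, chain

def classify(url):
    """Label a link by what the translator wrapper is hiding."""
    target, chain = unwrap_translator_link(url)
    if not chain:
        return "plain"
    host = _split(target).hostname or ""
    return "translator->shortener" if host in SHORTENER_HOSTS else "translator->other"

def scan_body(body):
    """Classify every http(s) link found in a message body."""
    return [(u, classify(u)) for u in URL_RE.findall(body)]

# Constructed sample body modelled on the URL patterns listed in the article.
SAMPLE_BODY = ("Boost your health "
               "http://translate.example/translate?u=short.example/wqEZs?/ "
               "or read http://translate.example/translate?u=http://news.example/a")

if __name__ == "__main__":
    for url, label in scan_body(SAMPLE_BODY):
        print(label, url)
```

Links labelled `translator->shortener` can then be scored or blacklisted on the nested shortener host, which is the part the translator wrapper was hiding.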
As always, we advise users to follow best practices to avoid any targeted fraud/spam/phishing harassment.
- Do not open or click any links in emails from unknown persons
- Ignore unsolicited requests for sensitive personal information
- Regularly update your security software, such as a McAfee Email & Web security product
- Don’t open any suspicious attachments in emails from unknown persons