Google Translate is a free Google service that translates a web page, text or document from its original language into a language chosen by the user. We have noticed that some spam messages contain links that pass a website through Google Translate. Those links promote fraudulent pharmaceutical products, and the spammers appear to use Google Translate to disguise the malicious website.
In short, when you translate a URL with Google Translate, the URL of the target page is placed in the HTTP query string while the domain name of the link remains translate.googleusercontent.com. Anti-spam filters may therefore be bypassed, because the Google Translate URL is classified as legitimate.
To get a better idea about what I am talking about, check this image:
We have extracted some URLs from the spam messages. They are all subdomains of yolasite(dot)com and are used to promote the sale of fake pharmaceutical products and subscriptions to fraudulent casino websites:
hxxp:// myonlinestore1. yolasite.com/shop
hxxp:// onlineshop63. yolasite.com/shop
hxxp:// onlinecasino27. yolasite.com/casino2
Never click on links that start with the domain “translate.googleusercontent.com”, because they may use Google Translate to translate a malicious website and exploit vulnerabilities in your web browser or in other applications installed on your system (such as Adobe Flash, PDF readers or Java) to infect your PC.
If you want to translate a website, go directly to the Google Translate website in your browser and type in the URL that you want to translate. Avoid clicking on Google Translate links in emails or on unknown websites.
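On the filtering side, the bypass described above disappears once the filter scores the wrapped destination as well as the outer host. The following is an added example, not code from the original post: it pulls every absolute http(s) URL out of the query string of a translate.googleusercontent.com link, follows nested wrappers, and checks each host against a blocklist. The sample link, its path and parameter names, and the blocklist entry are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Host named in the article; add other translation/proxy hosts as needed.
WRAPPER_HOSTS = {"translate.googleusercontent.com"}
MAX_DEPTH = 3  # a wrapped link may itself point at another wrapper

# Constructed sample; the path and parameter names are illustrative only.
SAMPLE = ("http://translate.googleusercontent.com/translate_c?hl=en&sl=ru"
          "&u=http%3A%2F%2Fshop1.spam-host.example%2Fshop")
BLOCKLIST = {"spam-host.example"}  # constructed blocklist entry


def _host(url):
    """Lower-cased host of an absolute http(s) URL, or None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def wrapped_targets(url, depth=0):
    """Absolute http(s) URLs carried in the query string of a wrapper link."""
    if depth >= MAX_DEPTH or _host(url) not in WRAPPER_HOSTS:
        return []
    found = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = value.strip()
        if _host(value):
            found.append(value)
            found.extend(wrapped_targets(value, depth + 1))
    return found


def hosts_to_score(url):
    """Outer host first, then every wrapped destination host, de-duplicated."""
    hosts = [_host(url)] if _host(url) else []
    for target in wrapped_targets(url):
        if _host(target) not in hosts:
            hosts.append(_host(target))
    return hosts


def is_blocked(url, blocklist):
    """True if any host to score, or one of its parent domains, is listed."""
    for host in hosts_to_score(url):
        labels = host.split(".")
        if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
            return True
    return False
```

A filter that only looks at the first host of `SAMPLE` sees a Google domain; `is_blocked(SAMPLE, BLOCKLIST)` returns `True` because the wrapped host falls under the listed parent domain.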
We have noted an increasing number of email messages promoting a new product that is supposed to help people lose weight. All the email messages we have captured redirect users to .RU websites that promote some kind of green tea product for losing weight, which is of course a scam.
This is one of the malicious URLs extracted from the email message:
A screenshot of the homepage:
The links present in the website redirect the user to:
The user is redirected to another malicious URL:
As you can see, the website asks you to fill in a web form with your name, surname, address and other sensitive information. The data submitted in the form is then sent to a new malicious URL that uses HTTPS:
The website seems to have been created a few days ago. The homepage looks like this:
Most probably, the website is used to steal the data that is sent through the web form.
A list of malicious URLs captured:
Scan reports generated by URLVoid:
There are more than 18 malicious websites hosted in:
There are more than 50 malicious websites hosted in: