Google Translate Used in Phishing Attack to Bypass Antispam Filters

Users have recently reported many phishing emails targeting webmail and social networks that use a link to Google Translate to “host” the phishing URL and bypass phishing detection. This technique is nothing new and has been in use for a few years, but since it is still widely used it probably has some success rate compared to the “traditional ways”.

A Phishing Email Targeting Webmail

Phishing Email Screenshot

Sender IP address extracted from the email source:

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=;;;
Received: from (unknown [])
Subject: Server Notification : 3 Pending New message(s) in your Mailbox
Date: 13 Feb 2023 01:01:12 -0800

Link to Google Translate page (see the domain):


Phishing on Google Translate URL

The original malicious (phishing) URL is this:


The phishing URL page content contains a JavaScript encoded script:

Phishing Page Content

With Page Inspector we can see the phishing URL used in the login form:

Malicious URL Web Form

This is the URL where the login data will be sent to:


Domain WHOIS details (domain was created 2 months ago):

Domain Name: udpl6[.]top
Registry Domain ID: D20221201G10001G_92174606-top
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2022-12-01T15:16:58Z
Creation Date: 2022-12-01T00:14:19Z
Registry Expiry Date: 2023-12-01T00:14:19Z
Registrar: NameSilo,LLC
Registrar IANA ID: 1479
Name Server:
Name Server:

HTTP POST request & response after the “Log in” button is clicked:

POST /uvs/fire.php HTTP/2
Host: udpl6[.]top
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 39
Origin: https://bafybeiee5utbfxcqv2yra7j7ptsznvbeathzqpvvatqzo3proi4lk7m5i4[.]ipfs[.]dweb[.]link

HTTP/2 200 OK
access-control-allow-origin: *
content-type: text/html; charset=UTF-8
content-length: 0
date: Mon, 13 Feb 2023 10:39:57 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

Link to Google Translate as Risk Factor

As you can see, if an email contains a Google Translate URL such as * then it should be considered a risk factor for a potential phishing attack that is trying to use the Google Translate service to bypass anti-spam filters and obfuscate the real phishing URL. Thus, it is recommended to block email messages that contain a link to the Google Translate service (such as *) in the email body.
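
One way to apply this check in a mail filter, as an added example that is not code from the original article: it scans the text parts of a message for Google Translate links and recovers the URL they wrap, so the real destination can be scored or blocked. The two link forms it recognizes (a `*.translate.goog` proxy hostname and `translate.google.com/translate?u=`) and the hostname decoding rule are assumptions based on how the service is commonly seen to build such links; the sample message and all hostnames in it are constructed placeholders.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
PROXY_SUFFIX = ".translate.goog"

def unwrap_translate(url):
    """Return the URL hidden behind a Google Translate link, or None if not one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith(PROXY_SUFFIX):
        label = host[: -len(PROXY_SUFFIX)]
        # Assumed hostname encoding: '.' became '-', a literal '-' became '--'.
        original = label.replace("--", "\0").replace("-", ".").replace("\0", "-")
        return f"{parts.scheme}://{original}{parts.path}"
    if host == "translate.google.com" and parts.path.startswith("/translate"):
        # Classic form carries the target in the 'u' query parameter.
        return parse_qs(parts.query).get("u", [""])[0]
    return None

def translate_links(raw_email):
    """List (link, wrapped_target) for every Translate link in the text parts."""
    findings = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            target = unwrap_translate(url)
            if target is not None:
                findings.append((url, target))
    return findings

# Constructed sample message; all hostnames are placeholders.
SAMPLE = """\
From: it-support@mail.example
Subject: Server Notification
Content-Type: text/html; charset=utf-8

<a href="https://files-phish--host-example.translate.goog/login.html?_x_tr_sl=auto&_x_tr_tl=en">Release</a>
<a href="https://translate.google.com/translate?sl=auto&tl=en&u=https://phish.example/login">Review</a>
<a href="https://www.example.org/help">Help</a>
"""

if __name__ == "__main__":
    for link, target in translate_links(SAMPLE):
        print("translate link ->", target)
```

Recovering the wrapped target lets a filter check the real destination against reputation or domain-age data instead of seeing only a Google-owned hostname.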