
Beware of Phishing via Dropbox

This is a new one that has been doing the rounds for about two weeks, with over 5,500 attacks reported

A burgeoning attack involving Dropbox is making the rounds. In the first two weeks of September, we saw 5,550 of these attacks. Hackers are using Dropbox to create fake login pages that eventually lead to a credential harvesting page.

It’s yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks. Business Email Compromise 3.0 attacks refer to the usage of legitimate sites — like Dropbox — to send and host phishing material. The legitimacy of these sites makes the messages nearly impossible for email security services to stop and for end users to spot.

These attacks are increasing, and hackers are using all your favorite productivity sites — Google, Dropbox, QuickBooks, PayPal and more. It’s one of the cleverer innovations we’ve seen, and given the scale of this attack thus far, it’s one of the most popular and effective.  

In this attack, hackers are utilizing Dropbox documents to host credential-harvesting sites. This attack starts with an email that comes directly from Dropbox. This is a standard email that anyone would receive from Dropbox, notifying them that there’s a document to view. From there, the user is directed to a legitimate Dropbox page, says Check Point in a mailer alert. 

Though the content is that of a OneDrive look-alike page, the URL is hosted on Dropbox. When the user clicks “Get Document”, they are directed to the final page: the credential-harvesting page. This page is hosted outside of Dropbox, and it is where the threat actors want the victim to enter their credentials so they can be stolen.

Business Email Compromise has undergone a pretty rapid evolution. It was only a few years ago that we were writing about so-called “gift card” scams. These were emails that pretended to come from a CEO or an executive, asking an underling to purchase “gift cards”. The idea is that the hackers would then use the gift cards for personal gain. These emails typically came from spoofed Gmail addresses; think [email protected], not [email protected].

We might also see impersonation of domains and partners, but these were always spoofs, not the real deal. The next evolution came from compromised accounts. This may be a compromised internal user, such as someone in finance, or even a compromised partner user. These attacks are even trickier because they come from a legitimate address. But you might see a link to a fake O365 login page, or stilted language that NLP can pick up on.

But now we have BEC 3.0: attacks that come from legitimate services. NLP is useless here — the language comes directly from the legitimate service and nothing is awry. URL scanning isn’t going to work either, since the link directs the user to a legitimate Dropbox or other site. These attacks are incredibly difficult to stop and identify, for both security services and end users.

Starting with education is critical. End users need to ask themselves: do I know the person sending me this document? And even if you do click on the document, the next thing to ask is: does a OneDrive page on a Dropbox document make sense? Asking those questions can help, as can hovering over the URL on the Dropbox page itself to see where “Get Document” really leads.
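The two user-side checks above (does a OneDrive page on a Dropbox document make sense, and where does the link actually go) can also be applied mechanically by a link-inspection or sandbox pipeline. The following is an added Python example, not code from the article or from Check Point; the Dropbox host list, the brand word list and the sample page are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumption: hosts treated as Dropbox's own sharing flow (illustrative, not exhaustive)
DROPBOX_HOSTS = {"dropbox.com", "dropboxusercontent.com"}
# Brand words that have no business on a page hosted by Dropbox
FOREIGN_BRANDS = ("onedrive", "sharepoint", "office 365", "microsoft 365")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def is_dropbox_host(host: str) -> bool:
    """True for dropbox.com and its subdomains; lookalikes such as
    dropbox.com.evil.example or dropbox-com.example do not match."""
    return any(host == d or host.endswith("." + d) for d in DROPBOX_HOSTS)


def review_share_page(page_url: str, page_text: str, links: list[str]) -> list[str]:
    """Apply the two checks from the article to one Dropbox-hosted page:
    1) does the page brand itself as another service (OneDrive on Dropbox)?
    2) does any clickable link ("Get Document") leave Dropbox?
    Returns human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    if not is_dropbox_host(host_of(page_url)):
        return [f"page is not hosted on Dropbox at all: {host_of(page_url)}"]
    text = page_text.lower()
    for brand in FOREIGN_BRANDS:
        if brand in text:
            findings.append(f"foreign brand on Dropbox page: {brand}")
    for link in links:
        target = host_of(link)
        if not is_dropbox_host(target):
            findings.append(f"link leaves Dropbox: {target}")
    return findings


# Constructed sample mirroring the chain described above (not real indicators)
SAMPLE_PAGE_URL = "https://www.dropbox.com/scl/fi/PLACEHOLDER/document"
SAMPLE_PAGE_TEXT = "OneDrive\nYou have received a document.\nGet Document"
SAMPLE_LINKS = [
    "https://www.dropbox.com/help",            # benign, stays on Dropbox
    "https://login-verify.invalid/office365",  # the off-platform harvesting page
]

if __name__ == "__main__":
    for finding in review_share_page(SAMPLE_PAGE_URL, SAMPLE_PAGE_TEXT, SAMPLE_LINKS):
        print("FLAG:", finding)
```

A page that is genuinely a Dropbox share (no foreign branding, every link staying on Dropbox) produces no findings, so the heuristic can sit in front of a sandbox without flagging ordinary file shares.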

But that’s asking a lot of the user. That’s why these attacks are increasing in frequency and intensity. Here are some recommendations to stay safe: 

  • Adopt AI-powered technology capable of analyzing and identifying numerous phishing indicators to proactively thwart complex attacks.
  • Embrace a comprehensive security solution that includes document and file scanning capabilities.
  • Deploy a robust URL protection system that conducts thorough scans and emulates webpages for enhanced security.
