Corporate employees familiar with Dropbox should take extra precautions to avoid becoming a victim of a phishing attack that uses the popular file-sharing service.
Cybercriminals have been sending out emails with malicious links pointing to a ZIP file on Dropbox that contains a screensaver that is actually ransomware similar to one known as CryptoLocker, security vendor PhishMe reported Friday.
The attackers try to trick recipients into clicking on the link through a variety of ploys, including disguising the email so that the link appears to point to an invoice, a fax report or a message.
If someone receives the email at work, "they may think that they're receiving a fax and it's something they need to look at, which makes them inclined to go ahead and open it," Ronnie Tokazowski, senior researcher at PhishMe, said.
Clicking on the link to the ZIP file and then the screensaver file inside launches the malware that encrypts files on the victim's hard drive. PhishMe estimates that victims have had as many as 20,000 files encrypted. Files typically affected by such ransomware include documents, archive files, executables and JPEGs.
Once executed, the malware launches a page on the victim's default browser, demanding that $500 in Bitcoins be deposited in the criminals' electronic wallet. Failing to do so after a certain amount of time leads to the ransom doubling to $1,000.
Based on an examination of three of the attackers' wallets, Tokazowski estimates that the scammers have collected at least $62,000. The ransom demand and payment transactions are conducted over the Tor anonymity network.
The attack does not exploit a vulnerability on Dropbox. Dropbox said in an emailed statement that it was aware of the phishing scam and would "revoke the ability to share links from accounts that violate our Acceptable Use Policy."
PhishMe discovered the scam after its own employees received the phishing emails, Tokazowski said. Almost 20 of the company's 50 employees received the messages.
PhishMe does not believe it was directly targeted in the campaign, but was just one of many companies whose employees might have received the emails.
"There's been no evidence that they (the attackers) have been specifically going after us," Tokazowski said.
To avoid becoming a victim, companies should advise employees to be wary of downloading ZIP files and of emails like the ones described above that come from no recognizable sender.
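The lure described in this article (a mail with a Dropbox link to a ZIP whose "fax" is really a screensaver executable) can be caught at the mail gateway before anyone clicks. The following is an added example, not code from PhishMe, Dropbox or the article: it extracts Dropbox links from a message body, inspects a fetched ZIP for members that are executables (by extension, and by the MZ header that every Windows executable, .scr included, starts with) and returns a verdict. The email text, the archive contents and the share-link path are constructed here for the demonstration, and `fetch_archive` is a hypothetical callable that a real deployment would back with a sandboxed downloader.

```python
import io
import os
import re
import zipfile
from typing import Callable

# Constructed sample email of the kind described in the article.
# The share-link path is a placeholder, not a real Dropbox link.
SAMPLE_EMAIL = """Subject: Fax report #12345
Your fax is ready. Download it here:
https://www.dropbox.com/s/PLACEHOLDER/fax_report.zip?dl=1
"""

# Extensions Windows will execute even though users rarely think of them as programs.
# A screensaver (.scr) is an ordinary PE executable, which is what this campaign shipped.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Matches links to dropbox.com share pages and to the direct-download host.
DROPBOX_LINK_RE = re.compile(
    r"https?://(?:www\.)?(?:dropbox\.com|dl\.dropboxusercontent\.com)/\S+", re.I
)


def extract_dropbox_links(body: str) -> list:
    """Return every Dropbox URL found in a message body."""
    return DROPBOX_LINK_RE.findall(body)


def is_archive_link(url: str) -> bool:
    """True if the URL path ends in .zip (ignoring query string or fragment)."""
    return re.search(r"\.zip(?:[?#]|$)", url, re.I) is not None


def suspicious_members(zip_bytes: bytes) -> list:
    """List (member name, reasons) for archive members that look executable.

    Two independent checks are applied: a known executable extension, and the
    'MZ' magic bytes at the start of the member's content. The second catches
    executables whose extension was renamed to something innocuous.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if os.path.splitext(info.filename.lower())[1] in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("PE header (MZ)")
            if reasons:
                found.append((info.filename, reasons))
    return found


def build_sample_archive() -> bytes:
    """Construct a harmless ZIP shaped like the lure: a 'fax' that is a .scr.

    The .scr member only carries the two MZ magic bytes plus padding; it is not
    an executable and exists solely so the detector has something to flag.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_report.pdf.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


def triage(body: str, fetch_archive: Callable[[str], bytes]) -> dict:
    """Classify a message: 'block' if a linked ZIP holds an executable,
    'review' if it links to a ZIP we could not fault, otherwise 'allow'.

    fetch_archive(url) -> bytes is assumed to be supplied by the caller
    (in production, a sandboxed downloader; here, the constructed archive).
    """
    report = {"links": [], "flagged": [], "verdict": "allow"}
    for url in extract_dropbox_links(body):
        entry = {"url": url, "archive": is_archive_link(url), "members": []}
        if entry["archive"]:
            entry["members"] = suspicious_members(fetch_archive(url))
            if entry["members"]:
                report["flagged"].append(url)
        report["links"].append(entry)
    if report["flagged"]:
        report["verdict"] = "block"
    elif any(e["archive"] for e in report["links"]):
        report["verdict"] = "review"
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL, lambda url: build_sample_archive())
    print(result["verdict"], result["flagged"])
```

The extension list and the MZ check are ordinary gateway heuristics rather than anything PhishMe published; the double extension in the constructed member name (`fax_report.pdf.scr`) is also illustrative, since the article only says the archive contained a screensaver. Either check alone would flag this sample; running both means a renamed payload or a non-PE script still gets caught.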