Dropbox used for Phishing expedition

Criminals are hosting elements needed for the scam on the file share service directly

dropbox phishing

Dropbox's file storage service was used for a phishing attack, although the service quickly shut it down, Symantec said.

Credit: Screenshot/Symantec

Symantec says they've recently uncovered a Phishing scam targeting Dropbox users, where many of the elements needed to complete the scam are being hosted on Dropbox directly. Such a move helps lower resistance and bypass some network defenses.

Each day, millions of Phishing messages propagate across the Web, but on Friday Symantec spotlighted one campaign targeting Dropbox users. The scam itself starts with an email containing the subject of "important" and warns the potential victim that they've gotten a file attachment that's too big to deliver.

Given the delivery restrictions, the recipient is asked to follow a link and download the file directly. Once the page is loaded, they're presented with a fake Dropbox login page, which is hosted on Dropbox itself.

"The fake login page is hosted on Dropbox's user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing," Symantec's Nick Johnston explained.

"The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well."

The credentials that are entered into the form are sent to a compromised Web server via a simple PHP script. Interestingly, these credentials are sent over SSL, which will trigger a browser warning about mixed content. Once the process is complete, the victim is forwarded to the legitimate Dropbox login page.

"The prominence of the warning varies from browser to browser; some browsers simply change the padlock symbol shown in the address bar, whereas others include a small banner at the top of the page. Users may not notice or understand these security warnings or the associated implications," Johnston explained.

Earlier this year, criminals used shortened URLs to point victims to Phishing domains that requested several types of credentials, much like the campaign Symantec detected on Friday.

A single landing page requested AOL, Gmail, Yahoo, Windows Live, or – if they wish – any other account via an option labeled "Other emails." The landing pages were designed to mimic Facebook, Microsoft's OneDrive, or Google Docs, despite the service re-launching under the brand name Google Drive.

Shortly after that incident, PhishMe discovered a campaign that encouraged users to download a CryptoLocker variant that was being hosted on Dropbox at the time. Based on financial trail left by the criminals behind this incident, the scam netted them about $62,000 USD.

The attack that was detected by Symantec last week has been shut down, but administrators are encouraged to report similar Dropbox related schemed to abuse@dropbox.com

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.