Phishing Via Dropbox

0

It’s yet another example of how hackers are utilising legitimate services in what we call BEC 3.0 attacks. Business Email Compromise 3.0 attacks refer to the usage of legitimate sites — like Dropbox — to send and host phishing material. The legitimacy of these sites makes it nearly impossible for email security services to stop and end-users to spot.

These attacks are increasing, and hackers are using all your favourite productivity sites — Google, Dropbox, QuickBooks, PayPal and more. It’s one of the cleverer innovations we’ve seen, and given the scale of this attack thus far, it’s one of the most popular and effective.

In this attack brief, Check Point Harmony email researchers will discuss how hackers are using social engineering with a Dropbox domain, designed to elicit a user response and hand over credentials.

Attack

In this attack, hackers are utilising Dropbox documents to host credential-harvesting sites.

  • Vector: Email
  • Type: BEC 3.0
  • Techniques: Social Engineering, Credential Harvesting
  • Target: Any end-user

Email Example

This attack starts with an email that comes directly from Dropbox.

This is a standard email that anyone would receive from Dropbox, notifying them that there’s a document to view.

From there, the user is directed to a legitimate Dropbox page:

Though the content is that of a OneDrive look-a-like page, the URL is hosted on Dropbox.

When you click on “Get Document”, the user is directed to this final page. This is the credential harvesting page.

This is the page that is hosted outside of Dropbox, and where the threat actors want you to click in order to steal your credentials.

Techniques

Business Email Compromise has undergone a pretty rapid evolution.

It was only a few years ago that we were writing about so-called “Gift card” scams. These were emails that pretended to come from a CEO or an executive, asking an underling to purchase “gift cards”. The idea is that the hackers would then use the gift cards for personal gain. These emails typically came from spoofed Gmail address-think CEO@gmail.com, not CEO@company.com.

We might also see impersonation of domains and partners, but these were always spoofs, not the real deal.

The next evolution came from compromised accounts. This may be an internal user compromised, such as someone in finance, or even a partner user compromised. These attacks are even trickier because it comes from a legitimate address. But you might see a link to a fake O365 login page, or stilted language that NLP can pick up on.

But now we have BEC 3.0, which are attacks from legitimate services. NLP is useless here — the language comes directly from legitimate services and nothing is awry. URL scanning isn’t going to work either, since it’s going to direct the user to a legitimate Dropbox or other site.

These attacks are incredibly difficult to stop and identify, for both security services and end-users.

Starting with education is critical. End users need to ask themselves — do I know this person sending me a document?  And even if you do click on the document, the next thing to ask: does a OneDrive page on a Dropbox document make sense?

Asking those questions can help. As can hovering over the URL on the Dropbox page itself.

But that’s asking a lot of the user.

That’s why these attacks are increasing in frequency and intensity.

Check Point researchers reached out to Dropbox to inform them of this campaign on September 18th.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Adopt AI-powered technology capable of analysing and identifying numerous phishing indicators to proactively thwart complex attacks.
  • Embrace a comprehensive security solution that includes document and file scanning capabilities
  • Deploy a robust URL protection system that conducts thorough scans and emulates webpages for enhanced security.

Share.