Phishing with a Dropbox Business Login Micheal Goodwin October 24, 2017

Phishing with a Dropbox Business Login


According to Merriam-Webster Dictionary, Phishing is “a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly”.

Recently we encountered a really “nice” looking Dropbox Business phishing page that prompts users to select their mail provider and enter their credentials to authenticate against a Dropbox Business account.

How Does This Phishing Attempt Work?

To get to this Dropbox Business themed phishing page (And don’t do this):

  1. Open the compromised email, likely from a friend or business associate, with a PDF attachment saying it is a Dropbox file they want to share. The email will actually come from that friend/associate as they have already given their credentials in this phishing attempt and the scammer used them to send this email to everyone in their contact list.
  2. Click the link in the PDF file. The PDF file itself is not infected and will likely bypass anti-virus and anti-phishing scanners. The link in the PDF is dressed nicely in Dropbox imagery and is closely modeled after a legitimate Dropbox share. However, if you hover over the link and examine the hidden URL, you will find that it looks very suspicious. It likely makes no mention of Dropbox or it has a close but no cigar variation of dropbox-dot-com. The PDF link will actually take you to a compromised website or a site put up specifically for phishing that is intended to harvest your email credentials.
  3. Select your email provider and enter your credentials. DON’T DO THIS! The Dropbox Business phishing page is very well done and looks convincing; but looking at it more carefully you will notice a couple of things with this and most phishing attempts:
  • The web page address makes no sense. Again, it isn’t dropbox-dot-com related.
  • The web page is not secured as indicated by your browser bar. These days you can’t sneeze without it being encrypted so a login page with no security — especially from a big company like Dropbox — does not add up.

What Happens If I Gave My Credentials in This Phishing Scam?

This particular phishing scam uses your harvested credentials to spread itself. Armed with the username and password to your email account, the scammers use a script to access your mailbox and send a new phishing email to all of your contacts.

It also creates an Inbox Rule in your mail client which automatically deletes replies to this email so that you will not see returned email, out of office replies, or confirmation emails from your contacts asking if the email is legitimate.

The icing on the cake . . . it then deletes all your contacts making it even tougher on you to contact your friends and associates once you realize you have been compromised.

What to Do If You Suspect You Were Phished?

Depending upon what information you were duped into providing, you have different options as to how to proceed if you were phished.

If it was credit card information, bank or financial information, social security numbers, or other information that cannot be easily changed, contact your bank/provider/entity security and fraud department and ask for their assistance.

If it was credentials that you can change, like with your email account . . . CHANGE THEM IMMEDIATELY.

If you are able to change your login information before the phishing scam tries to use your mailbox, they will be unable to authenticate and you may see security alerts that your email account has unauthorized access attempts.

If you discover that the emails have already been sent out, you should attempt to contact all your contacts telling them your email account was hacked and TO NOT OPEN any links or attachments you recently sent. This will be difficult with your contacts deleted by the phishing scam but hopefully you have a backup of those contacts or an alternate method, like interoffice email, to let others know.

How Do I Protect Myself from Phishing?

Phishing attempts evolve so quickly that they are sometimes undetected by antivirus or URL monitoring solutions until they have been “in the wild” for some time. Of course you need the usual array of antivirus software and web filtering to protect yourself, but the best defense is YOU.

To Protect Yourself from Phishing:

  • Hover over links and consider if the hidden URL matches what you expect or if it makes sense
  • Suspect attachments in emails, particularly if you did not expect them
  • Contact suspicious email senders directly to confirm the messages’ legitimacy
  • Implement a Phishing training program to educate employees and users
  • Test employees and users with Phishing email campaigns