A burgeoning attack involving Dropbox is making the rounds. In the first two weeks of September, we saw 5,440 of these attacks.
Hackers are using Dropbox to create fake login pages that eventually lead to a credential harvesting page.
It’s yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks. Business Email Compromise 3.0 attacks refer to the usage of legitimate sites—like Dropbox—to send and host phishing material. The legitimacy of these sites makes it nearly impossible for email security services to stop and end-users to spot.
These attacks are increasing, and hackers are using all your favorite productivity sites—Google, Dropbox, QuickBooks, PayPal and more. It’s one of the cleverer innovations we’ve seen, and given the scale of this attack thus far, it’s one of the most popular and effective.
In this attack brief, Check Point Harmoney email researchers will discuss how hackers are using social engineering with a Dropbox domain, designed to elicit a user response and hand over credentials.
Attack
In this attack, hackers are utilizing Dropbox documents to host credential-harvesting sites.
- Vector: Email
- Type: BEC 3.0
- Techniques: Social Engineering, Credential Harvesting
- Target: Any end-user
Email Example
This attack starts with an email that comes directly from Dropbox.
This is a standard email that anyone would receive from Dropbox, notifying them that there’s a document to view.
From there, the user is directed to a legitimate Dropbox page:
Though the content is that of a OneDrive look-a-like page, the URL is hosted on Dropbox.
When you click on “Get Document”, the user is directed to this final page. This is the credential harvesting page.
This is the page that is hosted outside of Dropbox, and where the threat actors want you to click in order to steal your credentials.
Techniques
Business Email Compromise has undergone a pretty rapid evolution.
It was only a few years ago that we were writing about so-called “Gift card” scams. These were emails that pretended to come from a CEO or an executive, asking an underling to purchase “gift cards”. The idea is that the hackers would then use the gift cards for personal gain. These emails typically came from spoofed Gmail address-think CEO@gmail.com, not CEO@company.com.
We might also sese impersonation of domains and partners, but these were always spoofs, not the real deal.
The next evolution came from compromised accounts. This may be an internal user compromised, such as someone in finance, or even a partner user compromised. These attacks are even trickier because it comes from a legitimate address. But you might see a link to a fake O365 login page, or stilted language that NLP can pick up on.
But now we have BEC 3.0, which are attacks from legitimate services. NLP is useless here—the language comes directly from legitimate services and nothing is awry. URL scanning isn’t going to work either, since it’s going to direct the user to a legitimate Dropbox or other site.
These attacks are incredibly difficult to stop and identify, for both security services and end-users.
Starting with education is critical. End users need to ask themselves—do I know this person sending me a document? And even if you do click on the document, the next thing to ask: does a OneDrive page on a Dropbox document make sense?
Asking those questions can help. As can hovering over the URL on the Dropbox page itself.
But that’s asking a lot of the user.
That’s why these attacks are increasing in frequency and intensity.
Check Point researchers reached out to Dropbox to inform them of this campaign on September 18th.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Adopt AI-powered technology capable of analyzing and identifying numerous phishing indicators to proactively thwart complex attacks.
- Embrace a comprehensive security solution that includes document and file scanning capabilities
- Deploy a robust URL protection system that conducts thorough scans and emulates webpages for enhanced security
Check Point Customers remain protected against the threats described on this blog while using Harmony Cloud Email & Collaboration Security.
Harmony Email & Collaboration provides complete protection for Microsoft 365, Google Workspace and all your collaboration and file-sharing apps. Email & Collaboration is designed specifically for cloud email environments and is the ONLY solution that prevents, not just detects or responds to, threats from entering the inbox