In recent months, there has been a noticeable surge in cyber-criminals using Dropbox to deliver malware and to hide attacks so they can bypass antivirus software and fool recipients into opening malicious links and attachments. While ubiquitous software like Dropbox has always been popular amongst the maliciously-minded, this recent string of attacks undoubtedly highlights an increase in the popularity of Dropbox among cyber-criminals.
So what has happened to make Dropbox such an attractive tool to cyber-criminals? And, most importantly, what steps can an organization take to ensure it does not fall victim to a Dropbox phishing attack?
Dropbox Phishing Trends
Cyber-criminals are constantly looking for innovative ways to trick their victims.
For example, hackers will send out emails that contain a link to Dropbox. The emails typically are about unpaid invoices or bills; however, when users click the link, they are directed to Dropbox where they download a small zip file which contains malware – Cryptowall.
Cyber-criminals have also utilized Dropbox as a means to attack the Taiwanese government. Attackers targeted a government agency using a very interesting remote access trojan (RAT) known as PlugX. In the attacks, cyber-criminals used Dropbox as a side channel, allowing the RAT to update configurations over Dropbox and making discovery of the infection even harder.
The fact that Dropbox was playing a key role in a successful nation-state attack goes to show exactly how much of a threat the software poses to organizations.
These are just two examples of campaigns. Cyber-criminals are constantly evolving their attacks to make them more successful which means users must be extra vigilant.
Safeguarding Against Dropbox Phishing
Despite the sophistication and research that goes into Dropbox phishing emails, it is possible for organizations to avoid becoming a victim. The key to defence is user engagement and understanding.
There are a number of typical tell-tale signs, both in the sender and in the content, that can characterize a Dropbox phishing email. Organizations that are worried about Dropbox phishing should encourage staff to ask some simple questions.
Firstly, think about who is sending the message. Does the recipient know the sender? Is it the email address they would normally use? For example, an email purporting to be from the CEO, but sent from a Gmail account, should always ring alarm bells.
Is the message expected and does it seem genuine? For example, would this sender usually encourage clicking on a link? Banks often don’t use these in messages for that very reason.
And if goods haven’t been ordered, then an email from UPS advising that a shipment is being held is unlikely to be genuine.
If all the above seems fine then the content of an email should be scrutinized.
One of the most basic reasons that phishing attacks work is that they prey on a user’s emotional response – fear, curiosity or reward. Emails that evoke strong feelings such as these should be considered triggers.
Is the message too good to be true? If it claims the person has won an iPad in a company raffle, and they haven’t bought any tickets or the company doesn’t even hold raffles, then the chances are they haven’t.
Additionally, consider if the email is specific to the recipient. Does it make sense? Although criminals have a lot of information about individuals, they will still keep any messages generic to pique the interest and make the user take action.
Perhaps it would be normal for the IT support company to request clicking a link to install a software update but, if it isn’t, then alarm bells should ring. And, if there is a link, does it point at a bare IP address, or is someone trying to appear genuine when actually the link directs to a fake site?
Finally, while grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.
By routinely reminding users of the need for caution when clicking links or opening attachments and encouraging staff to pay attention to all emails they open, the risk of being Dropbox-phished will be significantly reduced. Emails sent from unknown senders should always be verified with a phone call before opening any links, and if something looks a bit phishy, the chances are it is.
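The tell-tale signs above can also be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the article or from PhishMe: it scores a single message for the signs the text describes (an executive title on a webmail sender, a sender outside the organization's trusted domains, invoice or reward lure wording, a Dropbox link to an archive, and links to bare IP addresses). The sample message, the domain lists and the Dropbox share ID are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the original article) that combines the
# tell-tale signs listed in the text: a spoofed executive display name on a
# webmail address, an unpaid-invoice lure, and a Dropbox link to a zip archive.
SAMPLE_EML = """\
From: "CEO Jane Doe" <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Unpaid invoice - action required
Content-Type: text/plain

Please download and review the overdue invoice today:
https://www.dropbox.com/s/EXAMPLEID/invoice_0421.zip?dl=1
"""

EXEC_TITLES = re.compile(r"\b(ceo|cfo|director|finance)\b", re.I)
WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
LURE_WORDS = re.compile(r"\b(invoice|unpaid|overdue|shipment|held|won|urgent)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
ARCHIVE = re.compile(r"\.(zip|rar|7z|js|scr|exe)(\?|$)", re.I)

def score_message(raw, trusted_domains):
    """Return the matched warning signs for one RFC 822 message as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    reasons = []
    # "An email purporting to be from the CEO, but sent from a Gmail account"
    if EXEC_TITLES.search(display) and sender_domain in WEBMAIL:
        reasons.append("executive title on a webmail sender")
    if sender_domain and sender_domain not in trusted_domains:
        reasons.append("sender outside trusted domains")
    # Emotional or financial lure in subject or body (fear, curiosity or reward)
    if LURE_WORDS.search(msg.get("Subject", "") + " " + text):
        reasons.append("pressure or reward lure wording")
    for url in URL.findall(text):
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
        if host.endswith("dropbox.com") and ARCHIVE.search(url):
            reasons.append("dropbox link to an archive/executable")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", host):
            reasons.append("link points at a bare IP address")
    return {"sender": addr, "reasons": reasons, "score": len(reasons)}
```

Calling `score_message(SAMPLE_EML, {"example.com"})` flags four of the five signs for the constructed message; a score above one or two is a reasonable threshold for routing the message to manual verification (the phone call the text recommends).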
About the Author
Ronnie Tokazowski is senior researcher at PhishMe. He has experience in APT malware analysis, network forensics and cryptanalysis. Prior to PhishMe, Ronnie worked as a malware analyst for BAE Systems where he specialized in reverse engineering APT malware. He is an accomplished penetration tester with experience performing black box security audits using custom-written exploit code. Ronnie has presented at MIRcon and numerous times at NoVA Hackers on topics ranging from techniques to analyzing malware, unbreakable cryptography, and Raspberry Pi.