Two-stage Dropbox spear phishing

Cybercriminals prey on corporate credentials by sending phishing links through Dropbox after priming the victim.

Two-stage Dropbox spear phishing

Phishers are increasingly using sophisticated targeted attacks. In addition to leveraging a variety of legitimate online services, they employ social engineering to trick the victim into following a link. We recently uncovered another in a series of unconventional multi-stage phishing schemes that merits at least a warning to employees who handle financial documents.

The first email

The attack begins with an email to the victim that appears to be from a real auditing firm. In it, the sender says that they tried to send an audited financial statement, but it was too large to email, so it had to be uploaded to Dropbox. Note that the email is sent from a real address on the company’s mail server (the attackers most likely hijacked the mailbox).

Email from auditing firm

The first email from an “auditing firm” is intended to soften up the victim

From the perspective of any mail security system, this email is perfectly legitimate – indistinguishable from normal business correspondence. It contains no links, comes from a legitimate company address, and merely informs the recipient of a failed attempt to send an audit via email. This message is bound to get the attention of the accountant reading it. It contains a disclaimer that the content is confidential and intended solely for the recipient, and the company in whose name it was sent has a large online presence. All in all, it looks pretty convincing.

The only small red flag is the information that the report had to be resent using Dropbox Application Secured Upload. There is no such thing. A file uploaded to Dropbox can be password-protected, but nothing more. The real purpose of this phrase is presumably to prepare the recipient for the fact that some form of authentication will be required to download the report.

The second email

Next comes a notification directly from Dropbox itself. It states that the auditor from the previous email has shared a file called “audited financial statements” and asked that it be reviewed, signed, and returned for processing.

Dropbox notification

A perfectly normal Dropbox notification stating that a file has been shared with the recipient

There is nothing suspicious about this email either. It contains a link to a perfectly legitimate online data storage service (which is why they use Dropbox). If the notification had arrived without any accompanying message, it would most likely have been ignored. However, the recipient has been primed, so they are more likely to go to the Dropbox website and try to view the document.

Dropbox file

When the victim clicks the link, they see a blurred document and a window opens on top of it requesting authentication using office credentials. Here, however, seeing is not believing, for both the blurred background and the window with a button are in fact parts of a single image inserted into a PDF file.

PDF file uploaded to Dropbox

PDF file uploaded to Dropbox that mimics an authentication request

The victim doesn’t even need to click the VIEW DOCUMENT button – the entire surface of the image is essentially one big button. The link underneath it leads (via an intermediate site with a redirect) to a script that launches a form to enter login credentials – just what the attackers want.

All company employees need to be aware that work passwords should only be entered on sites that clearly belong to their company. Neither Dropbox nor external auditors should know your work password and therefore cannot verify its authenticity.

How to stay safe

As attackers come up with ever more sophisticated schemes to steal corporate credentials, we recommend implementing solutions that provide information security on multiple levels. First, use corporate mail server protection, and second, install a security solution with reliable anti-phishing technologies on all internet-facing work devices.