
Phishing campaign via Dropbox exploits SSL of the popular cloud service

Experts at Symantec have detected a scam that uses Dropbox accounts to serve phishing pages over secure communication channels.

Dropbox was recently hit by a massive data leak: a week ago a guest account posted four different documents on Pastebin, all claiming to be part of “the massive hack of 7,000,000 accounts”. The author also announced that there is “More to come”, inviting all users interested in the data to make a Bitcoin payment to him.

Other sources report that the data leak apparently surfaced on this Reddit thread, where some Reddit users who tested the credentials confirmed that many of them still work. According to the comments, Dropbox responded to the data leak by resetting all the accounts listed in the Pastebin; the company, however, denies it suffered a data breach.

But there is no peace for Dropbox users: according to the experts at Symantec, they are being targeted by a phishing scam hosted on Dropbox. The security researchers at Symantec discovered a fake Dropbox login page used by threat actors to steal credentials for popular email services.

In reality, the cyber criminals are also targeting other services on the Internet, including web-based email services, by deploying a fake login page on the file-sharing website and taking advantage of its secure protocol.

The attack scheme implemented by the cyber criminals is ingenious and takes advantage of the recent incidents involving Dropbox to maximize its efficiency.

Following a classic phishing scheme, the victims receive an unsolicited email with a subject informing them that they are potential victims of the data breach. The subject of the email includes the word “Important” to trick victims, and the email informs them that a large file containing the credentials of victims can be viewed only over Dropbox. Once the victim clicks on the link in the email, he is redirected to a fake Dropbox login page where he is asked for Dropbox credentials.

The attackers exploit the fact that the fake Dropbox page is served over SSL and exactly reproduces the Dropbox page, so the victims have the impression of being on the legitimate Dropbox page.

“The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well.” states the blog post published by Symantec.

However, some of the resources on the page (e.g. images) are not sent over SSL, causing some browsers to show warnings to the user. Web browsers display these warnings in different ways, and in some cases they could go unnoticed by the victims; for example, some browsers continue to show the padlock symbol in the address bar but with a different icon. In this specific case, the credentials were sent to a PHP script on a compromised server.

“The fake login page is hosted on Dropbox’s user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing,” states the report.
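The two tell-tale signs described above, insecure subresources on an HTTPS page and a password form that submits to a different host, can be checked mechanically when triaging a reported page. The following is an added example, not code from Symantec or from the original article; the hostnames, paths and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a login form served over HTTPS from a file-sharing host.
# All hostnames are placeholders, not indicators from the report.
PAGE_URL = "https://usercontent.example/s/abc123/login.html"
SAMPLE_HTML = """
<html><body>
<img src="http://images.example/logo.png">
<img src="https://usercontent.example/s/abc123/mail-logos.png">
<form action="https://compromised.example/post.php" method="post">
  <input type="text" name="email">
  <input type="password" name="pass">
</form>
</body></html>
"""

class LoginPageAudit(HTMLParser):
    """Collects subresource URLs, form targets and password fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources, self.form_actions = [], []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or (a.get("href") if tag == "link" else None)
        if tag in ("img", "script", "iframe", "link") and url:
            self.resources.append(urljoin(self.page_url, url))
        elif tag == "form":
            # An empty or missing action submits back to the page itself.
            self.form_actions.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

def audit(page_url, html):
    """Return (finding, url) pairs for mixed content and off-origin credential posts."""
    p = LoginPageAudit(page_url)
    p.feed(html)
    page = urlparse(page_url)
    findings = []
    if page.scheme == "https":
        findings += [("mixed-content", r) for r in p.resources
                     if urlparse(r).scheme == "http"]
    if p.has_password_field:
        findings += [("off-origin-credential-post", f) for f in p.form_actions
                     if urlparse(f).hostname != page.hostname]
    return findings

if __name__ == "__main__":
    for kind, url in audit(PAGE_URL, SAMPLE_HTML):
        print(f"{kind}: {url}")
```

A password form on a shared user-content host that posts to an unrelated server is the stronger signal of the two; mixed content alone is common on legitimate pages.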

The case is not new: late in August I wrote about the abuse of the Dropbox service for phishing activity. In July, experts at Micro analyzed a targeted attack against a Taiwanese government entity that used a variant of the PlugX RAT that abuses the Dropbox service.

Symantec has already reported the phishing activity to Dropbox, which immediately took down the page and the account used by the bad actors.

Pierluigi Paganini

(Security Affairs – Dropbox, Phishing)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
