Cybersecurity researchers from Checkpoint have recently observed a brand new phishing campaign that abuses cloud storage platform Dropbox to get people to click on malicious links.
The campaign is widespread, “nearly impossible for email security services to stop,” and equally difficult for victims to identify, the company said in its report.
Their suggested course of action? A pinch of suspicion and a lot of common sense. In the campaign, the unnamed threat actors create a Dropbox account and host a seemingly benign document. The document is styled to look like a OneDrive file and carries a “view document” button that leads the reader to a third-party site hosting the malicious credential-harvesting page.
A tough ask
When the groundwork has been done, the attackers get to the second part of the plan – distribution. As is the case with practically all cloud services, files can be shared directly from the platform, and Dropbox is no different. By using Dropbox’s own file-sharing system to share the files and notify the recipients, the attackers bypass any email security protection the victim might have set up: the notification comes from a reputable source rather than from a sender whose identity would need analysis.
According to Checkpoint’s research, at least 5,440 such attacks happened in the first two weeks of September alone. Defending against such phishing attacks with email protection services and automated tools is a notoriously difficult task, the researchers further explained.
“The legitimacy of these sites makes it nearly impossible for email security services to stop and end-users to spot,” they say. “NLP is useless here—the language comes directly from legitimate services and nothing is awry. URL scanning isn’t going to work either, since it’s going to direct the user to a legitimate Dropbox or other site.”
So, to stay safe, organizations need to educate their employees and train them to be a little suspicious of every email they receive. If they’re getting something from a person they don’t know, or something they aren’t expecting, they should be very careful about opening any attachments or clicking any links. Furthermore, they should carefully analyze the contents of the email and look for inconsistencies: “And even if you do click on the document, the next thing to ask: does a OneDrive page on a Dropbox document make sense?” they say.
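As an added example (not code from Checkpoint’s report), the two questions the researchers tell employees to ask can be turned into a mailbox-triage heuristic that runs on a share notification: is the person sharing someone the recipient knows or expects, and does the shared document’s name reference a brand other than the service delivering it? The notification wording, addresses and contact list below are constructed for illustration and do not reflect any real Dropbox template.

```python
import re
from dataclasses import dataclass

# Hypothetical notification wording, constructed for this example; real Dropbox
# templates differ, so the pattern would need adapting before production use.
SHARER_RE = re.compile(
    r'^(?P<name>.+?) \((?P<email>[^)]+)\) shared "(?P<doc>[^"]+)" with you', re.M
)
# Brands that have no business appearing in a document delivered by Dropbox's own sharing.
OTHER_BRANDS = ("onedrive", "sharepoint", "office 365", "google drive", "docusign")


@dataclass
class Notification:
    sender: str   # SMTP From address of the notification itself
    body: str


def triage(n: Notification, known_contacts: set, expecting_share: bool = False) -> list:
    """Return the red flags the article tells employees to look for (empty = nothing odd)."""
    flags = []
    # The 'legitimate service' framing only holds if the mail really came from that service.
    if not n.sender.lower().endswith("@dropbox.com"):
        return ["notification-not-from-dropbox"]
    m = SHARER_RE.search(n.body)
    if not m:
        return ["no-sharer-identity"]
    sharer, doc = m["email"].lower(), m["doc"].lower()
    # First check: is the person sharing someone you know or were expecting?
    if sharer not in known_contacts and not expecting_share:
        flags.append(f"unknown-sharer:{sharer}")
    # Second check: does a OneDrive-styled document inside a Dropbox share make sense?
    flags.extend(f"cross-brand-lure:{b}" for b in OTHER_BRANDS if b in doc)
    return flags


# Constructed sample notifications (not real messages).
LURE = Notification(
    sender="no-reply@dropbox.com",
    body='Jane Doe (jane.doe@example.net) shared "OneDrive_Invoice_Sept.pdf" with you\nView document',
)
BENIGN = Notification(
    sender="no-reply@dropbox.com",
    body='Bob Lee (bob@corp.example) shared "Q3_budget.xlsx" with you\nView document',
)
KNOWN_CONTACTS = {"bob@corp.example"}
```

Neither check looks at the link target, which is the point: the article notes URL scanning fails here because the link really does go to Dropbox.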
However, employees don’t seem to be that good at playing detective, Checkpoint concluded, noting that the attacks are increasing in both frequency and intensity.