Phishing and file sharing are Wall of Shame bait

Internet thieves have long used file sharing sites and services to host their malicious files. When they do this, they typically use the underlying service to generate download links that anyone can click without logging in to the hosting service. Makes sense when you’re blasting out thousands upon thousands of phishing emails with malicious links. You want to set the table for a feast, not an intimate dinner for two.

The other thing the bad guys typically do, however, is generate their own emails instead of using the underlying hosting service to deliver their malicious links to a wide audience. Doing so reduces the chances that the service notices something is amiss (like mass spam deluges erupting from their own servers) and provides more flexibility to tailor the social engineering hook in the message body.

We’ve seen plenty of services abused like this: WeTransfer, Dropbox, Google Drive, etc. The hosting services eventually yank the malicious files and the links go dead.

The less imaginative and industrious among the bad guys, of course, don’t even bother trying to host and distribute their malicious files via legitimate online services. They simply spoof services like Dropbox and Docusign in phishing emails, some more skillfully designed than others. Even when done well, though, such phishes are comparatively easy to spot because the embedded links don’t point to Dropbox or Docusign.

Here’s a typical spoofed Dropbox phish:

[Image: dropbox-spoofed-1]

The link in that malicious email leads to a spoofed Dropbox download page:

[Image: dropbox-spoofed-2]

Worse, the bad guys often screw up the format of the email, occasionally even using the wrong corporate logos — e.g., shoehorning Google, Adobe, or Microsoft logos into spoofed Dropbox emails, as in the email above. HTML gods they are not.

There are no such problems with a new round of phishing emails we recently encountered.

Phishing users from the inside

Over the past month we started noticing apparently legitimate Dropbox emails pushing links to files with names suspiciously similar to those routinely used by the bad guys. When we clicked the links to check, however, we were greeted with a demand to log in to the service. That’s typically been a sign that the files involved were legit.

Still, something wasn’t right here. Given the file names presented, we reckoned there was little chance those files were innocuous. So, we decided to log in to Dropbox and check if our hunch was correct. It was.

We spotted seven Dropbox emails all pushing the same file.

[Image: dropbox-1]

So, we logged in to Dropbox to check the file. As suspected, the file was a malicious PDF of the type usually delivered as an attachment to phishing emails.

[Image: dropbox-2c]

The link in that PDF opens a spoofed Microsoft login page hosted on a rather shady domain.

[Image: dropbox-3]

But there was something else we noticed.

The Wall of Shame

We were also interested to learn that we were not the first to visit that malicious PDF on Dropbox. Look at the Comments section on the right of that PDF download page.

[Image: dropbox-2d]

Yep, there they are. Gullible users advertising themselves as having fallen for the ruse and helpfully providing their email addresses so the bad guys can send them still more malicious files.

A calculated decision

So, the bad guys made a calculated decision here: abandon the publicly accessible download links; use Dropbox itself to deliver the links via official Dropbox email notices; then require users to log in to Dropbox. And do it all from a Dropbox account that is undoubtedly compromised.

In doing so, the bad guys undoubtedly narrowed the potential audience for their malicious files (not everyone will have a Dropbox account). But they gained the advantage of camouflaging their malicious links behind Dropbox itself. They got phishing emails that look credible to users (they’re from Dropbox itself), and they reduced the chances that link checkers (now widely used in hosted services like Office 365 and Proofpoint, to mention but two) will be able to follow and identify the malicious links.

And, of course, they also get to enjoy a good belly laugh from the spectacle of all those gullible marks outing themselves on Dropbox.

Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame. Cyber Safety Net – keeping you safe online. See https://cybersafetynet.net/cyber-security-awareness-training/ to train and strengthen your human firewall. See https://youtu.be/UFpFesrcnvY and https://www.knowbe4.com/security-awareness-training-features/ to learn more.