Phishing and file sharing are Wall of Shame bait
Internet thieves have long used file sharing sites and services to host their malicious files. When they do this, they typically use the underlying service to generate download links that anyone can click without logging in to the hosting service. That makes sense when you’re blasting out thousands upon thousands of phishing emails with malicious links. You want to set the table for a feast, not an intimate dinner for two.
The other thing the bad guys typically do, however, is generate their own emails instead of using the underlying hosting service to deliver their malicious links to a wide audience. Doing so reduces the chances that the service notices something is amiss (like mass spam deluges erupting from their own servers) and provides more flexibility to tailor the social engineering hook in the message body.
We’ve seen plenty of services abused like this: WeTransfer, Dropbox, Google Drive, etc. The hosting services eventually yank the malicious files and the links go dead.
The less imaginative and industrious among the bad guys, of course, don’t even bother trying to host and distribute their malicious files via legitimate online services. They simply spoof services like Dropbox and Docusign in phishing emails, some more skillfully designed than others. Even when done well, though, such phishes are comparatively easy to spot because the embedded links don’t point to Dropbox or Docusign.
Here’s a typical spoofed Dropbox phish:
There are no such problems with a new round of phishing emails we recently encountered.
Phishing users from the inside
Over the past month we started noticing apparently legitimate Dropbox emails pushing links to files with names suspiciously similar to those routinely used by the bad guys. When we clicked the links to check, however, we were greeted with a demand to log in to the service. That’s typically been a sign that the files involved were legit.
Still, something wasn’t right here. Given the file names presented, we reckoned there was little chance those files were innocuous. So, we decided to log in to Dropbox and check if our hunch was correct. It was.
We spotted seven Dropbox emails, all pushing the same file.
The Wall of Shame
We were also interested to learn that we were not the first to visit that malicious PDF on Dropbox. Look at the Comments section on the right of that PDF download page.
A calculated decision
So, the bad guys made a calculated decision here: abandon the publicly accessible download links; use Dropbox itself to deliver the links via official Dropbox email notices; then require users to log in to Dropbox. And do it all from a Dropbox account that is undoubtedly compromised.
In doing so, the bad guys undoubtedly narrowed the potential audience for their malicious files (not everyone will have a Dropbox account). But they gained the advantage of camouflaging their malicious links behind Dropbox itself. They got phishing emails that look credible to users (they’re from Dropbox itself), and they reduced the chances that link checkers (now widely used in hosted services like Office 365 and Proofpoint, to mention but two) will be able to follow and identify the malicious links.
And, of course, they also get to enjoy a good belly laugh from the spectacle of all those gullible marks outing themselves on Dropbox.
—
Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame. Cyber Safety Net – keeping you safe online. See https://cybersafetynet.net/cyber-security-awareness-training/ to train and strengthen your human firewall. See https://youtu.be/UFpFesrcnvY and https://www.knowbe4.com/security-awareness-training-features/ to learn more.