Researchers have reported a sharp rise in phishing attacks that abuse Dropbox. In the first two weeks of September alone, 5,440 such attacks were detected, which gives a sense of the scale of the campaign.
Attackers are using Dropbox to host lure documents that lead victims to credential-harvesting websites. This is a newer form of Business Email Compromise (BEC) that researchers are calling BEC 3.0. Because the email is sent by a legitimate platform and the first link genuinely points at Dropbox, the messages are hard for email security services to flag and hard for end-users to recognize.
These attacks are on the rise, with attackers using a range of productivity and payment services, including Google, Dropbox, QuickBooks and PayPal, as delivery and hosting platforms. The tactic has proven effective and is quickly gaining popularity among cybercriminals.
Let’s take a closer look at how these attacks unfold. In this campaign, the attackers use Dropbox documents to host pages built for credential harvesting. The attack vector is email, the attack type is classified as BEC 3.0, the techniques are social engineering and credential harvesting, and the target is any end-user.
The attack starts with an email that appears to come from Dropbox, notifying the recipient that a document has been shared with them. The email looks like a standard Dropbox notification and does not immediately raise suspicion. When the recipient clicks the link in the email, they land on a page hosted on Dropbox. The content of that page mimics a OneDrive login page, but the URL in the address bar clearly shows it is hosted on Dropbox.
Clicking “Get Document” sends the user to the final page, the credential-harvesting site. This page is hosted outside Dropbox, and it is here that the threat actors capture the credentials the victim types in.
The evolution of Business Email Compromise is worth noting. It began with simple “gift card” scams and impersonation of domains and business partners. It has now reached BEC 3.0, where the attack is carried out through legitimate services, which makes it much harder to detect.
Both security services and end-users struggle to identify these attacks. The traditional indicators of phishing, such as a look-alike sender domain, poor language or a low-reputation link, do not apply when the message is sent by a legitimate service: the sender is Dropbox and the first link really does go to dropbox.com. The tell only appears at the next hop, where the hosted page hands the victim off to a site outside the platform.
To counter these threats, education and vigilance among end-users are crucial. Individuals should question whether an email is genuine and whether they were actually expecting a document from the sender. Hovering over URLs to inspect their destination also helps, with one caveat: in this campaign the link in the email legitimately points to dropbox.com, so the same check has to be applied to the “Get Document” link on the hosted page, which is the one that leaves the platform.
Security teams can reduce exposure by adopting AI-powered email analysis that weighs many phishing indicators together rather than relying on sender or link reputation alone. Comprehensive security solutions with document and file scanning are also recommended. Above all, URL protection that actually follows the link and emulates the resulting page is what surfaces the off-platform credential page behind a legitimate Dropbox share.
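The chain described above (a genuine Dropbox notification, a Dropbox-hosted lure that mimics OneDrive, and a “Get Document” link that leaves the platform) can be turned into a concrete check. The following is an added example, not code from the original article or from Check Point or Dropbox. It assumes a URL-emulation step has already rendered each link in the email and recorded the page title, visible text and outbound links; that observation is stood in for here by a constructed `CRAWL_RESULTS` dictionary, and the sample email, share URL and attacker domain are likewise constructed. The detection logic flags two things the prose identifies: a brand mismatch between the lure and the hosting platform, and an outbound login-style link whose domain is not the platform that hosts the page.

```python
"""Detection sketch for a Dropbox-hosted credential-phishing chain:
notification email -> platform-hosted lure -> off-platform login page.
Added example with constructed data; nothing is fetched from the network."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# File-sharing platforms whose notifications this check understands.
SHARING_PLATFORMS = {"dropbox.com"}
# Brand words and the registrable domain that legitimately owns each brand.
BRAND_OWNERS = {
    "onedrive": "microsoft.com",
    "sharepoint": "microsoft.com",
    "docusign": "docusign.com",
    "dropbox": "dropbox.com",
}
LOGIN_PATH = re.compile(r"(login|signin|sign-in|auth|verify)", re.I)
HREF = re.compile(r'href="([^"]+)"', re.I)

# Constructed sample: a notification that really comes from Dropbox and
# really links to dropbox.com, exactly the situation reputation checks pass.
SAMPLE_EMAIL = """\
From: Dropbox <no-reply@dropbox.com>
To: victim@example.com
Subject: Finance shared "Q3 Invoice.pdf" with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Finance shared a document with you.</p>
<a href="https://www.dropbox.com/scl/fi/CONSTRUCTED1/Q3-Invoice.pdf">View document</a>
</body></html>
"""

# Constructed stand-in for what URL emulation observed when it opened the link:
# the Dropbox-hosted page is dressed up as OneDrive and its button leaves Dropbox.
CRAWL_RESULTS = {
    "https://www.dropbox.com/scl/fi/CONSTRUCTED1/Q3-Invoice.pdf": {
        "title": "OneDrive - Document Shared",
        "text": "Your document is ready. Sign in with your Microsoft account to view it.",
        "links": ["https://docs-secure-view.example/onedrive/login"],
    },
}

# Constructed benign control: same email, but the hosted page is a normal
# Dropbox share whose links stay on the platform.
BENIGN_CRAWL_RESULTS = {
    "https://www.dropbox.com/scl/fi/CONSTRUCTED1/Q3-Invoice.pdf": {
        "title": "Dropbox - Q3-Invoice.pdf",
        "text": "Download this file or open it in Dropbox.",
        "links": ["https://www.dropbox.com/login"],
    },
}


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the platforms listed above."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_chain(raw_email: str, crawl: dict) -> dict:
    """Inspect every platform-hosted link in an email against the emulation
    results and return the sender domain plus a list of findings."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg["From"])
    sender_domain = registrable(sender.split("@")[-1])
    body = msg.get_payload(decode=True).decode("utf-8")
    findings = []
    for url in HREF.findall(body):
        platform = registrable(urlparse(url).hostname or "")
        if platform not in SHARING_PLATFORMS:
            continue  # an ordinary link; outside the scope of this check
        page = crawl.get(url)
        if page is None:
            continue  # emulation never rendered it; nothing to judge
        # Finding 1: the lure advertises a brand the hosting platform does not own.
        visible = (page["title"] + " " + page["text"]).lower()
        for word, owner in BRAND_OWNERS.items():
            if word in visible and owner != platform:
                findings.append(f"brand mismatch: '{word}' lure hosted on {platform}")
        # Finding 2: the hosted page hands off to a login-style URL off the platform.
        for out in page["links"]:
            parsed = urlparse(out)
            if registrable(parsed.hostname or "") != platform and LOGIN_PATH.search(parsed.path):
                findings.append(f"off-platform credential page: {url} -> {out}")
    return {"sender_domain": sender_domain, "findings": findings}


if __name__ == "__main__":
    for label, crawl in (("malicious", CRAWL_RESULTS), ("benign", BENIGN_CRAWL_RESULTS)):
        result = analyze_chain(SAMPLE_EMAIL, crawl)
        print(label, result["sender_domain"], result["findings"])
```

Note that the sender domain comes out as `dropbox.com` in both runs: the only difference between the malicious and benign cases lies in what the hosted page shows and where its links go, which is why a scanner that stops at the first hop cannot separate them.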
Check Point researchers have reported the campaign to Dropbox. Individuals and organizations should keep up with the evolving techniques cybercriminals use and put the necessary security measures in place to protect against these attacks.

