Dropbox Themed Phishing Campaign

Please be advised of a widely spreading, Dropbox-themed phishing campaign whose goal is to steal credentials. The subject line of these spam messages references a purchase order number or an invoice, or simply requests that recipients open an attachment.

Screenshot of an example phishing message attaching a PDF file entitled "PO#78547", with the text of the email message reading "Find Attached invoice.  Thanks, Billing Department".

 

Once the attachment is opened, users may receive the following:

Screenshot showing the Dropbox logo and a message stating "Your system firewall rules have stored files online" followed by a link "SHOW RECEIVED DOC HERE"

 

Users who click on the embedded link are redirected to a compromised site which hosts a credential phishing kit.

  • Please note that the URL displayed in the browser’s address bar may be shortened via bit.ly to hide the actual URL of the compromised site. To preview the destination of a Bitly.com URL, add a plus symbol to the end of the shortened link. For example, you can preview the destination of bit.ly/1bhjUN8 with bit.ly/1bhjUN8+, which directs you to a preview page on Bitly.com with information about the shortened link.
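
The preview tip above can be applied in bulk when triaging reported messages. The following is an added example, not part of the original advisory: it pulls bit.ly links out of message text and rewrites each one to its preview form. The function names and the sample text are constructed for illustration; only bit.ly/1bhjUN8 comes from the advisory.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# bit.ly links with or without a scheme. The lookbehind rejects look-alike
# hosts (evilbit.ly) and "bit.ly" appearing inside another site's path.
BITLY_RE = re.compile(
    r"(?<![\w./@\-])(?:https?://)?bit\.ly/[A-Za-z0-9_\-]+\+?", re.IGNORECASE
)

def preview_url(link: str) -> str:
    """Return the preview form of a bit.ly short link (path ends in '+')."""
    if "://" not in link:
        link = "https://" + link
    parts = urlsplit(link)
    if parts.hostname != "bit.ly" or parts.path in ("", "/"):
        raise ValueError(f"not a bit.ly short link: {link!r}")
    path = parts.path.rstrip("/")
    if not path.endswith("+"):
        path += "+"
    # Query string and fragment are dropped so only the short code is sent.
    return urlunsplit(("https", "bit.ly", path, "", ""))

def find_previews(message_text: str) -> list[str]:
    """Extract bit.ly links from text; return de-duplicated preview URLs."""
    previews: list[str] = []
    for match in BITLY_RE.finditer(message_text):
        url = preview_url(match.group(0))
        if url not in previews:
            previews.append(url)
    return previews

# Constructed sample text for illustration (not taken from a real message).
SAMPLE = (
    "SHOW RECEIVED DOC HERE: http://bit.ly/1bhjUN8. "
    "Same link again: bit.ly/1bhjUN8+ "
    "Not Bitly: https://evilbit.ly/abc, https://example.test/bit.ly/zzz"
)

if __name__ == "__main__":
    for url in find_previews(SAMPLE):
        print(url)
```

Open the resulting preview URLs instead of the original short links; the short code is case-sensitive, so the path is left exactly as it appeared in the message.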

Users are then prompted to select a verification type, and enter a username/password. In some cases, an account recovery phone number and email address are also requested.

Screenshot displaying a logo for "Dropbox Business" stating "Verification Required" and requesting the selection of your email provider and a login.  The list of providers includes Gmail, Outlook, Other, Office 365, AOL and Yahoo.

 

After the requested information is entered and credentials are captured, users are redirected to the legitimate Dropbox page.