Dropbox phishing attack
Dropbox have recently shutdown a fake page that was part of an elaborate phishing campaign. This particular campaign was sophisticated in its execution, as Symantec show in a blog post on the phish.
Firstly, a phishing email was sent to the victim. The email contained a link to a Dropbox file. The email text read in part that the file was too big to send via email, or that sending the file via email is not secure. If the user clicks on the link, they are re-directed to a page that is actually hosted on Dropbox. This lends an air of authenticity to the user.
Once the user is directed onto the Dropbox hosted fake page, they are prompted to enter their login credentials. The fake page also has the logos of popular webmail providers. The user is led to believe that they can login using their webmail credentials. This is designed to capture the user webmail credentials, which can then be sent to a hacked server. Once the user has entered their Dropbox (or webmail) credentials they are redirected to the authentic Dropbox login page.
The login page that was hosted on Dropbox used SSL for communications, which adds a further level of sophistication, as the user was not likely to be alerted to any issue from the browser. SSL was used to transmit the login credentials to the hacked server.
According to Symantec, they “reported this phishing page to Dropbox and they immediately took the page down”. The post goes on to say that “Any Dropbox-hosted phishing pages can be reported to [email protected] address.”
This phish was notable in its use of a well-known service (Dropbox in this case), and in looking to extract other credentials such as webmail logins from users. It was also notable for the realism of the Dropbox page, and for utilising SSL to transmit the login credentials to the compromised server. It was a very dangerous phish.