A convincing Dropbox scam was recently identified by Symantec, which is concerning because it encourages users to use their credentials from other services to log into the fake Dropbox page. Similar to when a comment box or application allows you to sign in using either your Gmail or Facebook account, this scam works to not only harvest Dropbox credentials, but also many other popular web-based email services.
This shows attackers widening their scope and reach while limiting effort and resources to do so - just one spoofed login page may allow them to harvest credentials across more than one service, increasing the likelihood of their breach success. And, it can increase their chances of finding a pair of credentials that have been duplicated across other services, like online banking.
The Dropbox phishing email claims that a file is either too big to be delivered via email, or requires that a user to log into their account for security reasons. A link in the email redirects them to a fake page hosted on Dropbox’s domain, served over SSL. Credentials are then sent to a PHP script on a compromised web server. They’re submitted via SSL in order to avoid prompting any security alerts, according to SCMagazine.com. That means avoiding the classic Windows security prompt that asks if you’re sure you want to send your info over an unencrypted connection.
Learn How to Phish
Setting up convincing spoofed pages is quite easy, as a hackw0rm blog post explains in How to Create Phishing Pages of Social Sites and Steal Password. As Viv Ek details, you need just a bit of basic knowledge, including:
Basic knowledge about HTML (Hyper Text Markup Language)
Basic of How Web Applications Work
Basic knowledge in PHP (Not Recommended)
Little about Hosting Files on WWW
Essentially, you can save an HTML file of a login page in its entirety (like Gmail), then mess with its code using a plaintext editor. Using just 5 lines of PHP code to you can effectively steal passwords, save them to a log file, and then redirect users after in order to avoid suspicion or detection.
It’s dead simple, and I’m pretty sure anyone could set it up with extremely minimal technical knowledge (they even give you lines of PHP code to copy + paste), making these social engineering attacks quick to setup. With a little more work, as the Dropbox scam shows, you can make it even more convincing. It also explains why phishing campaigns pop up nearly immediately after newsworthy opportunities arise, as seen by the ebola-related phishing scams reported by US-CERT (U.S. Computer Emergency Readiness Team).
Reports of state-sponsored iCloud phishing attempts have arisen in China, prompting Apple to release a security support document on how to verify that your browser is securely connected to iCloud.com, and not redirecting you to a fake login page. While most browsers widely used contain certificate information and security warnings, its said that a more popular browser in China doesn’t.
Naturally, aside from checking certificate information, security warnings and the validity of sender email addresses and website URLs, safeguarding your login accounts with two-factor authentication is another way to prevent the success of an attempted phishing attack.
Learn more about phishing and two-factor solutions, including the new FIDO U2F devices that can help protect you from phishing in:
We’re Joining Google and the FIDO Alliance to Launch Universal 2nd Factor!
Protect Against Google Phishing Emails