According to Checkpoint’s research, a new attack campaign is leveraging Dropbox to send emails that redirect unsuspecting users to credential-harvesting pages.
Business Email Compromise (BEC) campaigns have continuously evolved since researchers first detected it. From gift card scams to emails from compromised accounts, threat actors have tried a wide range of tactics, and now we have BEC 3.0, in which legitimate services are spoofed to lure innocent users.
This new technique is gaining popularity among threat actors, which is a concerning issue because detecting foul play is difficult as the email is sent from a legitimate platform.
The same technique has been used in the new BEC 3.0 campaign discovered by Checkpoint Harmoney email researchers. In this attack, threat actors are exploiting Dropbox. This is an active campaign, with 5,440 attacks detected in the first two weeks of September.
According to Checkpoint’s report, attackers create fake login pages on Dropbox and use them to send emails to unsuspecting users and eventually steal their credentials by redirecting them to a malicious URL. The catch in this attack is the email, which is the standard mail sent by Dropbox notifying the recipient to view a document.
The user is then requested to visit a legitimate Dropbox page. This page is similar to the OneDrive page, but the URL is hosted on Dropbox. The document is available on this page. When users click Get Document, they will be redirected to another page. This page is maliciously designed to steal users’ login credentials.
BEC 3.0 attacks are easier because scammers can exploit legitimate services and deceive users.
“These attacks are increasing, and hackers are using all your favourite productivity sites—Google, Dropbox, QuickBooks, PayPal, and more. It’s one of the cleverer innovations we’ve seen, and given the scale of this attack thus far, it’s one of the most popular and effective,” read Checkpoint’s blog post.
Checkpoint informed Dropbox about this campaign on 18th September. To stay safe, end-users must remain vigilant and check the sender before opening a document or responding to the instructions in the email. In this attack, the fact that a Dropbox document is hosted on a One Drive look-alike page is enough to raise suspicion.
Moreover, researchers urge users to adopt AI-powered technology that can identify phishing indicators and thwart complex attacks. Lastly, a robust URL protection and comprehensive security solution is essential to protect browsers and documents.