Several weeks ago, I wrote a blog entry about phishing emails using zip files with executable files attached to them. Using PhishMe Reporter, several of our users (yes, we use our own tools internally) successfully identified a new round of phishing, this time using Dropbox links in the body.
This round of phishing contains the following subjects:
• INCOMING FAX REPORT: Remote ID: 385-567-7335 (Figure 1)
• FW: Case – 1045890 (Figure 2)
• Outstanding invoice (Figure 3)
• Payment Advice – Advice Ref:[GB675969802948] / CHAPS credits / Customer Ref:[pay run 29/05/14] (Figure 4)
If a user clicks the link, they are directed to Dropbox, where they download a small zip file containing an executable disguised as an .scr file, i.e. a Windows screen saver. The “cool” thing is that Windows treats .exe and .scr files the same way (both are ordinary PE executables), so renaming an .exe to .scr is all it takes.
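As an added illustration (not code from the original post), the following Python checks a zip archive's entries by content rather than by name, flagging anything that carries the MZ header every Windows executable starts with, whatever extension it wears. The archive it inspects is constructed inline, and the list of executable extensions is an assumption of the example.

```python
import io
import os
import zipfile

# Extensions Windows launches as ordinary PE programs; .scr is among them.
# (Assumed list for this example, not taken from the post.)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll"}


def is_pe(head: bytes) -> bool:
    """True if the bytes begin with the DOS 'MZ' stub that every PE file carries."""
    return head[:2] == b"MZ"


def find_executables_in_zip(zip_bytes: bytes) -> list:
    """Return (entry name, reason) pairs for entries that are executables.

    Content is checked first, so a PE file renamed to .pdf or .txt is still
    caught; the extension check only adds entries whose header was not PE.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            ext = os.path.splitext(info.filename)[1].lower()
            if is_pe(head):
                findings.append((info.filename, "PE header (MZ)"))
            elif ext in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "executable extension " + ext))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake 'fax' screen saver that is really a
    PE stub, plus a harmless text file. Not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_report.scr", b"MZ" + b"\x00" * 62)  # constructed MZ stub only
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_executables_in_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

Running it lists `fax_report.scr` as a PE file; `readme.txt` is not flagged because neither its header nor its extension marks it as executable.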
As of the time of writing, the links sent to our users have been removed by Dropbox. For those who would like to create signatures, here are the links we received:
If you are performing incident response, here are a few ways you can spot these:
1. Search by partial subject; the numbers change between messages.
2. Check proxy logs for Dropbox download patterns similar to “dl.dropboxusercontent[d]com/s/*/*.zip?dl=1&token_hash=*&expiry=*”
3. Look for unknown screen savers (.scr files) executing on endpoints.
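The three checks above, worked through as added example code in Python (not the post's own tooling): partial-subject matching with the digits left loose, the Dropbox zip URL pattern applied to a constructed proxy log in an assumed "timestamp client method url status" layout, and a simple heuristic, assumed here rather than taken from the post, that flags .scr images starting outside the Windows system directories.

```python
import re

# --- 1. Partial subject matching -------------------------------------------
# The fixed words of each campaign subject; the numbers vary per message,
# so digits are matched loosely rather than literally. Both the en dash and
# a plain hyphen are accepted, since mail clients rewrite them.
SUBJECT_PATTERNS = [
    re.compile(r"^INCOMING FAX REPORT: Remote ID: [\d-]+", re.I),
    re.compile(r"^FW: Case [\u2013-] \d+", re.I),
    re.compile(r"^Outstanding invoice\s*$", re.I),
    re.compile(r"^Payment Advice [\u2013-] Advice Ref:\[[A-Z0-9]+\]", re.I),
]


def subject_matches(subject: str) -> bool:
    """True if the subject fits one of the campaign's partial subjects."""
    return any(p.search(subject) for p in SUBJECT_PATTERNS)


# --- 2. Proxy-log pattern ---------------------------------------------------
# A direct-download Dropbox link to a .zip carrying dl=1, token_hash and
# expiry; lookaheads accept the parameters in any order, since the post's
# pattern lists one order but real requests need not.
DROPBOX_ZIP_URL = re.compile(
    r"https?://dl\.dropboxusercontent\.com/s/[^/\s]+/[^\s?]+\.zip\?"
    r"(?=\S*\bdl=1\b)(?=\S*\btoken_hash=)(?=\S*\bexpiry=)",
    re.I,
)

# Constructed proxy log (not real traffic) in an assumed
# "timestamp client method url status" layout.
SAMPLE_PROXY_LOG = """\
2014-06-02T10:15:01 10.1.2.3 GET https://dl.dropboxusercontent.com/s/ab12cd34/Fax_Report.zip?dl=1&token_hash=abc123&expiry=1401710000 200
2014-06-02T10:15:09 10.1.2.3 GET https://www.dropbox.com/home 200
2014-06-02T10:16:40 10.1.2.7 GET https://dl.dropboxusercontent.com/s/zz99/photos.zip?dl=1 200
2014-06-02T10:17:02 10.1.2.9 GET https://dl.dropboxusercontent.com/s/q8r7/invoice.zip?token_hash=deadbeef&expiry=1401710000&dl=1 200
"""


def flag_proxy_lines(lines):
    """Return (client, url) pairs for requests matching the Dropbox zip pattern."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or blank line
        client, url = fields[1], fields[3]
        if DROPBOX_ZIP_URL.match(url):
            hits.append((client, url))
    return hits


# --- 3. Unexpected screen savers --------------------------------------------
# Heuristic assumed for this example: legitimate screen savers normally live
# in the Windows system directories, so a .scr launched from anywhere else
# (a Downloads folder, a temp directory) deserves a look.
TRUSTED_SCR_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_suspicious_scr(image_path: str) -> bool:
    """True for a process image ending in .scr that did not start from a trusted directory."""
    p = image_path.lower()
    if not p.endswith(".scr"):
        return False
    return not p.startswith(TRUSTED_SCR_DIRS)


if __name__ == "__main__":
    print(subject_matches("INCOMING FAX REPORT: Remote ID: 555-000-1111"))
    for client, url in flag_proxy_lines(SAMPLE_PROXY_LOG.splitlines()):
        print(client, url)
    print(is_suspicious_scr(r"C:\Users\bob\Downloads\fax_report.scr"))
```

On the constructed log, only the two requests that combine a .zip path with all three query parameters are reported; the plain `dropbox.com/home` visit and the `photos.zip?dl=1` download without `token_hash` and `expiry` are left alone, which keeps ordinary Dropbox use out of the alert queue.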
We were able to recover one of the samples, and the VirusTotal link is here:
If you have seen other variants, let us know @PhishMe!