Beware of phishing emails using Dropbox links

Share Now

Facebook
Twitter
LinkedIn

Several weeks ago, I wrote a blog entry about phishing emails using zip files with executable files attached to them. Using PhishMe Reporter, several of our users (yes, we use our own tools internally) successfully identified a new round of phishing, this time using Dropbox links in the body.

This round of phishing contains the following subjects:

• INCOMING FAX REPORT: Remote ID: 385-567-7335 (Figure 1)
• FW: Case – 1045890 (Figure 2)
• Outstanding invoice (Figure 3)
• Payment Advice – Advice Ref: / CHAPS credits / Customer Ref: (Figure 4)

Figure-12
Figure 1 – Incoming Fax Phishing Email
Figure-22
Figure 2 – Case Phishing Email
Figure-32
Figure 3 – Outstanding Invoice Phishing Email
Figure-42
Figure 4 – Payment Advice Phish

If a user clicks the link, they are directed to Dropbox where they can download a small zip file which contains an executable masked as an .scr file, or a Windows screen saver file. The “cool” thing is that Windows treats .exe and .scr files the same way, so you simply have to rename an .exe to .scr.

As of the time of writing, the links which were sent to our users have been removed by Dropbox. For those who would like to create signatures, here are the links we received:

First wave:https://dl.dropboxusercontentcom/s/yxkpsv2u9rojc7v/IncomingFax.zip?dl=1&token_hash=AAFxJoNOFLgF6sxYRtAFpgDaJQiaKr5ocZdOotZoZgs2DQ&expiry=1401290661

Following waves:
https://www.dropboxcom/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJ6emxtYmZyZW5semM0NmIifQ/AAKOmEPRrDxar2ysy1lcKAvsAyiKSx8ZtioJALEtYP_XcQ?dl=1

Directed to:
https://dl.dropboxusercontentcom/s/zzlmbfrenlzc46b/Payment_65216.zip?dl=1&token_hash=AAGJDkzoB2JCZ-qXYWynjWMWygSkQBTO9CC52EbsveehHg&expiry=1401397274

If you are performing incident response, here’s a few ways you can spot these:

1. Search by partial subjects. (Numbers can change)
2. Check proxy logs for dropbox patterns similar to “dl.dropboxusercontentcom/s/*/*.zip?dl=1&token_hash=*&expiry=*
3. Unknown screen savers executing on endpoints

We were able to recover one of the samples, and the VirusTotal link is here:

https://www.virustotal.com/en/file/d3074a4fcc46c91d1d489726f6ec51c11af84ae4224c07561cc79cc0ae1c6423/analysis/1401393751/

If you have seen other variants, let us know @PhishMe!

Read More Related Phishing Blog Posts

Search

We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on wpml.org as a development site.