SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Check Point discovers new phishing scam on Dropbox
Wed, 4th Oct 2023

A new business email compromise (BEC) 3.0 attack involving the file hosting service Dropbox has been discovered by Check Point Research (CPR).

In the first two weeks of September, CPR observed 5,440 of these attacks, another example of hackers masquerading behind legitimate sites in the hope of scamming unsuspecting users through social engineering.

Phishing via Dropbox

A burgeoning attack involving Dropbox is making the rounds. In the first two weeks of September, we saw 5,440 of these attacks.

Hackers are using Dropbox to host fake login pages; the link on the Dropbox-hosted page eventually leads to a credential harvesting page.

It’s yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks. Business Email Compromise 3.0 attacks refer to the use of legitimate sites, like Dropbox, to send and host phishing material. The legitimacy of these sites makes them nearly impossible for email security services to stop and for end users to spot.

"These attacks are increasing, and hackers are using all your favorite productivity sites—Google, Dropbox, QuickBooks, PayPal and more," CPR says.

"It’s one of the cleverer innovations we’ve seen, and given the scale of this attack thus far, it’s one of the most popular and effective."

Techniques

Business Email Compromise has undergone a pretty rapid evolution.

It was only a few years ago that we were writing about so-called “gift card” scams. These were emails that pretended to come from a CEO or an executive, asking an underling to purchase gift cards, which the hackers would then use for personal gain. These emails typically came from spoofed Gmail addresses: think CEO@gmail.com, not CEO@company.com.

CPR says companies might also have seen impersonation of their own domains and of partners, but these were always spoofs, not the real deal.

The next evolution came from compromised accounts. This may be an internal user who has been compromised, such as someone in finance, or even a compromised partner user. These attacks are even trickier because they come from a legitimate address. But you might still see a link to a fake O365 login page, or stilted language that NLP can pick up on.

But now we have BEC 3.0: attacks launched from legitimate services. NLP is useless here, because the language comes directly from the legitimate service and nothing is awry. URL scanning isn’t going to work either, since the link directs the user to a legitimate Dropbox (or other) site.

These attacks are incredibly difficult to stop and identify, for both security services and end-users, CPR says.

"Starting with education is critical. End users need to ask themselves—do I know this person sending me a document? And even if you do click on the document, the next thing to ask: does a OneDrive page on a Dropbox document make sense? Asking those questions can help. As can hovering over the URL on the Dropbox page itself," CPR says.

"But that’s asking a lot of the user. That’s why these attacks are increasing in frequency and intensity."
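The two points above, that URL reputation passes the first hop because it really is dropbox.com, and that the tell is a OneDrive-branded page sitting on a Dropbox document with an outbound link to somewhere else, can be turned into a mechanical check. The following is an added example written for this page, not Check Point's detection logic or code. It walks one hop past the share link, reads which brand the hosted document presents and where its links go, and flags the brand/host mismatch. The brand allow-lists, the share URL and the two HTML documents are constructed assumptions, and the page fetcher is injected so the example runs offline.

```python
"""Second-hop check for share links on trusted services (BEC 3.0 style).

The first hop (a dropbox.com share URL) carries good reputation, so plain
URL scanning passes it. This example follows the link to the hosted
document, reads the brand the document presents and the links it contains,
and flags the mismatch the article describes: a page that looks like
OneDrive but is served from Dropbox and links out to a third-party domain.

The fetcher is injected so the example runs offline against constructed
HTML; in production it would be an emulating fetch. The allow-lists below
are illustrative assumptions, not a vendor feed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: domains on which each brand's real login pages live.
BRAND_DOMAINS = {
    "onedrive": {"onedrive.live.com", "login.microsoftonline.com", "login.live.com", "sharepoint.com"},
    "microsoft": {"login.microsoftonline.com", "login.live.com", "microsoft.com"},
    "dropbox": {"dropbox.com", "dropboxusercontent.com"},
}
# First-hop hosts that a reputation-based URL scanner would allow.
TRUSTED_FIRST_HOP = {"www.dropbox.com", "dropbox.com"}


class _LinksAndText(HTMLParser):
    """Collects anchor hrefs and visible text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_data(self, data):
        self.text.append(data)


def parse_document(html):
    p = _LinksAndText()
    p.feed(html)
    return p.links, " ".join(p.text).lower()


def host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_page(page_url, html):
    """Return findings for a page: a brand presented on a foreign host, and
    outbound links that lead away from both the brand and the hosting site."""
    page_host = urlparse(page_url).hostname or ""
    links, text = parse_document(html)
    claimed = [b for b in BRAND_DOMAINS if b in text]
    findings = []
    for brand in claimed:
        if not host_in(page_host, BRAND_DOMAINS[brand]):
            findings.append(f"page on {page_host} presents itself as {brand}")
    for href in links:
        u = urlparse(href)
        if u.scheme not in ("http", "https"):
            continue  # mailto:, javascript: and relative links are out of scope here
        link_host = u.hostname or ""
        if link_host == page_host:
            continue  # navigation within the hosting service itself
        if claimed and not any(host_in(link_host, BRAND_DOMAINS[b]) for b in claimed):
            findings.append(f"off-brand link to {href}")
    return findings


def assess_share_link(url, fetch):
    """Walk one hop past a share link. `fetch(url) -> html` is injected."""
    first_hop = "trusted" if urlparse(url).hostname in TRUSTED_FIRST_HOP else "untrusted"
    findings = assess_page(url, fetch(url))
    return {"first_hop": first_hop, "findings": findings,
            "verdict": "phish" if findings else "clean"}


# Constructed samples for illustration (not captured from the campaign).
SAMPLE_URL = "https://www.dropbox.com/s/abc123/Invoice.pdf"
PHISH_DOC = """<html><title>OneDrive - Shared document</title><body>
<p>Your OneDrive document is ready. Sign in to view.</p>
<a href="https://secure-docs-portal.example/onedrive/login">Open document</a>
<a href="https://www.dropbox.com/help">Help</a>
</body></html>"""
BENIGN_DOC = """<html><title>Q3 report</title><body>
<p>Quarterly figures attached.</p>
<a href="https://www.dropbox.com/sh/xyz/report.xlsx">Download</a>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish", PHISH_DOC), ("benign", BENIGN_DOC)):
        print(name, assess_share_link(SAMPLE_URL, lambda _u, d=doc: d))
```

The first-hop verdict is "trusted" for both samples, which is exactly why reputation alone is not enough here; the distinction only appears once the hosted document is rendered and its own branding and links are compared against where it is actually served from.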

Check Point researchers reached out to Dropbox to inform them of this campaign on September 18th.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

Adopt AI-powered technology capable of analysing and identifying numerous phishing indicators to proactively thwart complex attacks.
Embrace a comprehensive security solution that includes document and file scanning capabilities.
Deploy a robust URL protection system that conducts thorough scans and emulates webpages for enhanced security.