Confidential business documents such as contracts, legal documents and finance records are commonly passed on from one recipient to another via email, and cybercriminals often use these as trojan horses to deliver malicious attacks.
MailGuard has intercepted a phishing email scam spoofing Dropbox, a popular file sharing and collaboration platform among business. The malicious emails use a display name of “Dropbox”, and are sent from scammers using compromised Dropbox email accounts.
The email body contains the Dropbox logo and is designed to look like an official notification from the file-sharing platform. It informs the recipient that a file titled “PO.PDF” was sent using Dropbox Transfer, and that this file will expire within 6 days.
Here is what the email looks like:
Unsuspecting recipients who click on the link to view file are led to a page hosted on the Dropbox domain. This page looks like a legitimate page from Dropbox, complete with high-quality branding elements and links to Dropbox support pages, as per the below:
Clicking the button to “Download” initiates the download of a .PDF that contains the Office 365 logo. Users are informed that “a document has been sent through OneDrive” and are advised to click the “Access Document” button to view it.
Clicking the link to access document then takes users to a phishing page hosted on Google Docs titled “OneDrive”. Here, users are told to “sign in” to their email accounts to view the document:
Upon “logging in”, users are finally told that their download “has automatically been saved” to their “Onedrive folder”.
MailGuard urges all recipients of this email to delete it immediately without clicking on any links. Interestingly, it is the downloaded PDF, rather than the email that contains malicious links to the phishing page hosted on Google Docs – a technique employed intentionally to bypass email security filters.
Several techniques have been employed in this particular email to look like a genuine notification, including the usage of high-quality graphical elements in the phishing page, such as Dropbox’s branding & logo. All this serves to elicit a more confident response from recipients who think they are, in fact, viewing a document from the popular file-sharing cloud platform.
This email also attempts to intrigue; telling the recipient that a new PO has arrived creates a sense of curiosity. This motivates the recipient to click on the provided link right away, distracting them from checking the sending address of the email and looking out for any other errors.
Cybercriminals frequently exploit the branding of global companies like Dropbox and Office 365 in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Their established brand helps convince recipients that the files being shared via this email are secure. Since the Dropbox service requires users to click a link to view, edit or download files, they are a convenient trojan horse for malicious attacks like this one and may not raise any alarm bells.
The Australian Cyber Security Centre also identified Dropbox and OneDrive as brands being spoofed in a cyber-attack that is targeting Australian public and private sector organisations. Prime Minister Scott Morrison revealed in a briefing this morning that the cyber-intrusion was conducted by "a sophisticated state-based cyber actor".
Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly, and that the domain in the PDF doesn’t belong to Office 365.
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not open or click them.
Phishing continues to be one of the most prevalent forms of cyber-crime. The vast majority of online scams - more than 90% - are perpetrated using email, so it’s wise to always be skeptical of messages from unfamiliar senders asking you to log into your accounts
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
Don't get scammed
If your company’s email accounts aren’t protected, emails like the one above are almost certainly being received by your staff. Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.
People are not machines; we're all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.
Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.