Incident Response, TDR

Fake Dropbox login page nabs credentials, is hosted on Dropbox

An email with the subject “important” tells recipients that they must sign into Dropbox in order to view a document too big to be sent via regular email, but clicking on the link included in the message brings people to a fake Dropbox login page that is actually hosted on Dropbox.

The fake login page is hosted on Dropbox's user content domain, is served over SSL, and entered credentials are sent to a PHP script on a compromised web server and are also submitted over SSL, according to a Friday Symantec post, which explains that not sending credentials over SSL would prompt a security warning.

The PHP script redirects victims to the real Dropbox login page after their usernames and passwords are entered, the post indicates, adding that it is not just Dropbox credentials the attackers are going after; the phony login page includes logos for popular web-based email services, implying that recipients can use those credentials to log in, as well.

Setting up these types of pages is worryingly easy, Nick Johnston, principal software engineer with Symantec, told in a Monday email correspondence, explaining that attackers merely have to copy a Dropbox or similar login page. There are even tools that can help, he added.

“They need to change the login page to post to their own script, which could be a simple PHP form to email script,” Johnston said. “Based on phishing kits that we've seen, this script could be as short as 20 lines of code. To actually send out messages, they could use various bulk mailer tools which we commonly see hosted on compromised servers.”

The attackers did not serve up certain resources on the page – such as images or style sheets – over SSL, according to the post, which explains that using non-SSL resources on a page served over SSL prompts warnings in newer versions of certain browsers.

“Based on the stats we have, it doesn't look like there's much geographic targeting being used here,” Johnston said. “The scam was sent to our customers in Australia, U.S. and UK to give just a few examples.”

It is not clear who the attackers are because most phishing spam comes from compromised machines that are part of a botnet, or from those who use falsified IP addresses to remain anonymous, Johnston said, adding that “the messages were largely sent from Gmail, who do not include the X-Originating-IP header in messages,” thus making it difficult to determine the source of the messages.

Symantec notified Dropbox and the company took the page down immediately. Johnston said that attackers like to target services such as Dropbox because it has global reach, and that there is a better chance that random recipients of phishing emails will be users of the service.

Threats like this puts Dropbox in a difficult position, since file sharing is such a useful feature of the service, Johnston said.

“My view is that there's a lot more that Dropbox could do to detect abuse, but perhaps it isn't a priority for them,” Johnston said. “I certainly don't want to call them out as negligent though. I think the key message is that as cloud services like this grow in popularity, they will attract abuse, and providers need robust strategies in place for dealing with this. Abuse is inevitable.”

Dropbox abuse can be reported to ‘abuse@dropbox[dot]com,' and Johnston advised enabling two-factor authentication, as well as being careful when presented with emails asking for credentials, in order to defend against these types of scams.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.