The attackers included logos for popular web-based email services, implying recipients can use those credentials to log in.
The attackers included logos for popular web-based email services, implying recipients can use those credentials to log in.

An email with the subject “important” tells recipients that they must sign into Dropbox in order to view a document too big to be sent via regular email, but clicking on the link included in the message brings people to a fake Dropbox login page that is actually hosted on Dropbox.

The fake login page is hosted on Dropbox's user content domain, is served over SSL, and entered credentials are sent to a PHP script on a compromised web server and are also submitted over SSL, according to a Friday Symantec post, which explains that not sending credentials over SSL would prompt a security warning.

The PHP script redirects victims to the real Dropbox login page after their usernames and passwords are entered, the post indicates, adding that it is not just Dropbox credentials the attackers are going after; the phony login page includes logos for popular web-based email services, implying that recipients can use those credentials to log in, as well.

Setting up these types of pages is worryingly easy, Nick Johnston, principal software engineer with Symantec, told SCMagazine.com in a Monday email correspondence, explaining that attackers merely have to copy a Dropbox or similar login page. There are even tools that can help, he added.

“They need to change the login page to post to their own script, which could be a simple PHP form to email script,” Johnston said. “Based on phishing kits that we've seen, this script could be as short as 20 lines of code. To actually send out messages, they could use various bulk mailer tools which we commonly see hosted on compromised servers.”

The attackers did not serve up certain resources on the page – such as images or style sheets – over SSL, according to the post, which explains that using non-SSL resources on a page served over SSL prompts warnings in newer versions of certain browsers.

“Based on the stats we have, it doesn't look like there's much geographic targeting being used here,” Johnston said. “The scam was sent to our customers in Australia, U.S. and UK to give just a few examples.”