“Talk about a meta sort of attack,” says Casper Manes, consultant, GFI Software, reacting to a phishing attack which used “Dropbox to spoof Dropbox.”
Manes’ comments follow news that the storage company recently detected and shut down a spoofing page designed to grab users’ credentials to Dropbox and other webmail based systems that was hosted on Dropbox itself.
Hosting a fake login page within the Dropbox service itself, the attacker or attackers leveraged a number of things to help convince victims that they were visiting a legitimate page, rather than falling victim to a hoax.
In Manes’ own words, here’s how it worked:
“The attackers created a well-designed web page, hosted on Dropbox itself in a user account set up for the purpose, and that looks like a legitimate Dropbox login page,” he says.
“They then sent emails to victims, informing them that someone tried to send them a large file, and advising them to click a link in the email to access the data.
“Of course, no one should click a link in an email they are not expecting, but we all know that users continue to do so.
“Since the URL was within a Dropbox domain, even clever users who copy and paste, or manually type in a URL, might see this as legitimate.
Manes says the hoax page was accessible over HTTPS, since it was hosted in a user’s Dropbox, meaning many users would only see that the padlock icon displayed and assume that they were safe.
As some elements were accessed over HTTP, he says that some browsers might warn users that not all content is secure, but that is too common a failing of legitimate sites, and nothing to count on to prevent users from doing bad things.
“The form prompted users for their credentials, using either their Dropbox account or one of the popular webmail providers,” he explains.
“After harvesting credentials, the page simply redirected users to Dropbox’s own login page, much like you might see when a webpage malfunctions.”
Dropbox quickly detected and disabled access to the hoax page, and should be commended for their detection, rapid response and disclosure of the event, according to Danes.
“But all of that is reactionary,” he adds, “and some users may have become victims.
“As organisations that rely on Internet services, we need to be more proactive in how we defend users from these sorts of attacks.”
To succeed, Manes believes phishing messages have to get through to victims’ mailboxes.
“Proper mail filtering solutions can and should be used to detect and block phishing attacks like this,” he claims. “They can be used to not only filter out spam and malware, but also to detect and block phishing messages before they even get to your users.
“If there is no phishing message in their inbox, there is nothing for them to click on.”
But according to Manes, the best defences are layered ones; “should a phishing message get through to your users, you don’t want their own best judgment to be the only other protection,” he adds.
“Good web monitoring solutions offer active scanning of all downloads and blocks access to known harmful websites, like those that host malware, or are known phishing domains.
“By protecting users from compromised and malicious websites, you can protect them whether an email with a link gets through, they manually type in a URL, or they try to visit a legitimate site that fell victim to a compromise and is now serving malware.”
While this clever attack was quickly shut down by Dropbox, Manes believes it won’t be the last time “some clever attacker” uses a system to take advantage of victims.
“Blocking all access to all external solutions is no solution at all,” he claims, “as many of these, Dropbox included, offer fantastic capabilities to users and businesses alike, but you have to provide access in a safe and secure manner.
“Combining mail filtering with web monitoring gives you the one-two punch you need to knock out the opposition before they make victims of your users.”