Convincing-looking emails where the victim is directed to click on a Dropbox link to download a supposedly unpaid invoice (and other classic phishing tricks) are circulating widely on the internet, according to specialist trainer PhishMe.
The emails, which arrive with standard ‘bait’ text such as “Please download on our link below from Dropbox copy invoice which is showing as unpaid on our ledger. I would be grateful if you could look into this matter and advise on an expected payment date.”
While many users are suspicious of shortened URLs such as TinyURL or Bit.ly links in phishing emails, Dropbox is widely used in legitimate business emails. In the example above, the only hint that the email is illegitimate is that it is not addressed by name, and the poor use of English in “Please download from Dropbox copy invoice.”
Phishme reported that the latest round of scams bore titles such as “Incoming Fax Report” and “Payment Advice” and some appeared to come from British government bodies such as Companies House. Computer Business Review said that political groups were also using Dropbox links to distribute malware this week, in a separate incident.
Consumers are affected by phishing as much as large organizations – in this year’s Microsoft Computer Safety Index Survey, polling 10,000 consumers, 15% said they had been victims of phishing, losing on average $158 each.
Dropbox is clearly aware of the threat. The blog post notes that all the examples named have already been blocked by Dropbox.
Phishme says that the links in the examples it posted lead to disguised .exe files which install malware on the victim’s computer, “If a user clicks the link, they are directed to Dropbox where they can download a small zip file which contains an executable masked as an .scr file, or a Windows screen saver file. Windows treats .exe and .scr files the same way, so you simply have to rename a .exe to .scr.”
Our We Live Security guide gives a basic guide to how to sidestep the latest phishing scams – which target smartphone users as much as PC users, by directing victims to fake websites which harvest usernames and passwords. The tactics evolve almost daily, so it pays to stay up-to-date with the latest news from We Live Security.
Author Rob Waugh, We Live Security