Cybercriminals use Dropbox to steal financial industry employee credentials

Kaspersky researchers have uncovered a multi-stage phishing scheme targeting employees who process financial documents. First, the victims receive an email sent from the legitimate address of an auditing firm. This first contact carries no malicious payload; its purpose is to lower the recipient's guard and prepare the ground for the actual attack. The targets then receive a notification from Dropbox containing links to archives in which the cybercriminals have placed phishing files designed to steal credentials.

The scam begins as follows: the attackers send their prospective victims an email purporting to come from a legitimate auditing company. These messages are sent from a genuine address, most likely hijacked by the attackers, and use social engineering to make the victims lower their guard and prepare them to receive a Dropbox archive.

First step of the scheme: the victim receives an email from a supposed auditor

“To anyone reading it, the email looks legitimate and written by a human being. The mention of cybersecurity software is not an irregularity either. The pretext that an auditing firm has information about the recipient is plausible, as is the disclaimer about sharing confidential information. Furthermore, the email contains no links or attachments and comes from a company address that is easily verifiable online, making it almost impossible for a spam filter to detect,” says Roman Dedenok, security expert at Kaspersky.

The only suspicious element in the email is the “Dropbox Application Secured Upload” service mentioned by the author. No such service exists: although files uploaded to Dropbox can be password protected, Dropbox currently offers no additional security feature of that name.

Following this email, the attackers send the victims a genuine notification generated by Dropbox. A recipient who has already shown a willingness to respond to the initial message is all the more likely to follow the link to view the document.

Dropbox notification

Clicking the link opens a blurred document behind a dialog box asking the recipient to authenticate. The clickable button contains a malicious link that redirects the user to a form requesting their work username and password, handing those credentials straight to the cybercriminals.

The malicious PDF file uploaded to Dropbox, imitating an authentication request
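The Dropbox notification itself is genuine and passes mail authentication, so the only artefact worth inspecting before anyone clicks is the shared PDF and where its "authenticate" button actually points. The following script is an added triage example, not code from Kaspersky or from the article: it pulls the `/URI` targets out of a PDF's link annotations and flags any that lead off dropbox.com, treating hosts that merely contain the word "dropbox" as lookalikes. The sample PDF, its hostnames, and the allowlist are constructed assumptions for the demonstration.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed sample (not a real lure): a minimal, uncompressed PDF with two
# Link annotations. The first mimics the "authenticate" button described in
# the article and points at a hypothetical credential-harvesting host; the
# second is a benign link to Dropbox, stored as a PDF hex string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [200 300 400 340]
   /A << /S /URI /URI (https://dropbox-secured-upload.example.net/auth) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [20 20 120 40]
   /A << /S /URI /URI <68747470733a2f2f7777772e64726f70626f782e636f6d2f68656c70> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hosts a Dropbox-shared document may legitimately link to (assumed allowlist).
TRUSTED_SUFFIXES = ("dropbox.com",)

# A /URI value is either a literal string "(...)" (with backslash escapes)
# or a hex string "<...>"; group 1 captures the former, group 2 the latter.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")


def _decode_literal(raw: bytes) -> str:
    # Undo the PDF literal-string escapes that matter for URLs: \( \) and \\.
    raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return raw.decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target found in the raw PDF bytes, in order."""
    uris = []
    for m in _URI_RE.finditer(pdf):
        if m.group(1) is not None:
            uris.append(_decode_literal(m.group(1)))
        else:
            hexdigits = re.sub(rb"\s", b"", m.group(2)).decode("ascii")
            uris.append(bytes.fromhex(hexdigits).decode("latin-1"))
    return uris


def is_trusted_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def has_compressed_objects(pdf: bytes) -> bool:
    """Annotations inside object streams are invisible to this regex pass."""
    return b"/ObjStm" in pdf


def triage(pdf: bytes) -> list[dict]:
    """Classify each link target as ok, external, or a Dropbox lookalike."""
    findings = []
    for uri in extract_uris(pdf):
        host = urlsplit(uri).hostname or ""
        if is_trusted_host(host):
            verdict = "ok"
        elif "dropbox" in host.lower():
            verdict = "lookalike"  # brand name on a host we do not trust
        else:
            verdict = "external"
        findings.append({"uri": uri, "host": host, "verdict": verdict})
    return findings


def suspicious_uris(pdf: bytes) -> list[str]:
    return [f["uri"] for f in triage(pdf) if f["verdict"] != "ok"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_PDF):
        print(f"{finding['verdict']:9} {finding['uri']}")
    if has_compressed_objects(SAMPLE_PDF):
        print("warning: object streams present, decompress before trusting this result")
```

Run it against a PDF pulled from a Dropbox share and any "lookalike" or "external" hit on the document's only button is the tell described above. The script reads raw bytes on purpose so it needs no PDF library, but that also means links stored inside compressed object streams are not seen; `has_compressed_objects` reports when that is the case so the file can be decompressed (for example with a PDF parsing library) before the verdict is trusted.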

Kaspersky classifies these attacks as targeted; so far they have been observed only in isolated cases.
