New BEC cyberattacks use phishing with a respectable Dropbox hyperlink as a lure for malware and credentials theft.
Risk actors have added a brand new wrinkle to conventional enterprise electronic mail compromise cyberattacks. Name it BEC 3.0 — phishing assaults that bury the hook in respectable internet companies like Dropbox.
Avanan, a unit of Test Level Software program, has tracked a current instance of this assault household, during which hackers created free Dropbox accounts to seize credentials or cover malware in legitimate-looking, contextually related paperwork similar to potential staff’ resumes.
The assault, the safety agency found, began with the actors sharing a PDF of somebody’s resume through Dropbox. The goal can’t view the doc except they Add To Dropbox. The hyperlink from Dropbox seemed respectable, making the exploit tougher to identify.
The phishing exploit entails these steps:
- First, a consumer clicks the hyperlink in a respectable notification from Dropbox to a resume and accesses a web page hosted on the file-sharing service.
- The consumer should then enter their electronic mail account and password to view the doc. Which means the risk actors have entry to electronic mail addresses and passwords.
On this web page hosted on Dropbox, customers are requested to enter their electronic mail account and password to view the doc, giving risk actors consumer credentials.
As soon as a consumer enters their credentials, they’re directed to a faux Microsoft OneDrive hyperlink. By clicking on the hyperlink, customers are given a malicious obtain.
“We’ve seen hackers do a whole lot of BEC assaults,” Jeremy Fuchs, a cybersecurity researcher/analyst at Avanan, mentioned in a report on the assault. “These assaults have a number of variations, however usually they attempt to spoof an government or accomplice to get an finish consumer to do one thing they don’t wish to do (like pay an bill to the improper place),” he mentioned.
SEE: One other hide-the-malware assault focuses on DNS (TechRepublic)
“Leveraging respectable web sites to host malicious content material is a surefire strategy to get into the inbox,” he mentioned. “Most safety companies will take a look at the sender — on this case, Dropbox — and see that it’s respectable and settle for the message. That’s as a result of it’s respectable,” he added.
Avanan mentioned stopping these stealth assaults requires quite a lot of defensive steps, together with scanning for malicious information in Dropbox and hyperlinks in paperwork, in addition to changing hyperlinks within the electronic mail physique and inside attachments. The important thing to schooling towards these social engineering assaults is context, in response to Fuchs: “Are resumes usually despatched through Dropbox? If not, it could be a purpose to contact the unique sender and double-check. If they’re, take it one step additional. If you log into Dropbox, do I’ve to log in once more with my electronic mail?”
Avanan mentioned the researchers reached out to Dropbox on Could 15 to tell them of this assault and analysis.
Linktree additionally used to seize credentials
Earlier this month, Avanan found an analogous hack utilizing the social media reference touchdown web page Linktree, which is hosted on websites like Instagram and TikTok. Just like the Dropbox assaults, hackers created respectable Linktree pages to host malicious URLs to reap credentials.
The attackers despatched targets spoofed Microsoft OneDrive or SharePoint notifications {that a} file has been shared with them, instructing them to open the file, in response to Avanan. In the end, the consumer is redirected to a faux Workplace 365 login web page, the place they’re requested to enter their credentials, the place their credentials are stolen.
“[Users] ought to suppose: Why would this individual ship me a doc through Linktree? Almost certainly, that wouldn’t be the case. That’s all part of safety consciousness — understanding if an electronic mail or course of appears logical,” mentioned Fuchs.
In these circumstances, the agency means that recipients:
- All the time test the sender’s deal with earlier than replying to an electronic mail.
- Cease and suppose if the medium getting used to ship a file is typical.
- When logging right into a web page, double-check the URL to see if it’s Microsoft or one other respectable web site.
BEC assaults utilizing respectable websites could escalate this 12 months
Fuchs mentioned there are not any apparent visible cues to tip off assault recipients to BEC exploits. “Though in case you had been to signal into the Dropbox web page, you’d see that there’s a OneDrive brand and hyperlink,” he mentioned. “Eagle-eyed customers ought to discover that discrepancy and suppose—why would there be two competing companies on one web page?,” he added.
He predicted that these assaults will escalate. “Any fashionable service that’s legit can probably be used as a car to ship such a malicious exercise. That’s why we count on it to take off within the close to future,” he mentioned, including that the exploit has been used tens of hundreds of instances. “We consider it will actually take off in quantity within the second half of the 12 months,” he mentioned.
