BEC attacks emulate legitimate web services to lure clicks



New BEC cyberattacks use phishing with a legitimate Dropbox link as a lure for malware delivery and credential theft.


Threat actors have added a new wrinkle to conventional business email compromise cyberattacks. Call it BEC 3.0: phishing attacks that bury the hook in legitimate web services like Dropbox.

Avanan, a unit of Check Point Software, has tracked a recent instance of this attack family, in which hackers created free Dropbox accounts to capture credentials or hide malware in legitimate-looking, contextually relevant documents such as prospective employees' resumes.

The attack, the security firm found, started with the actors sharing a PDF of someone's resume via Dropbox. The target cannot view the document unless they add it to Dropbox. Because the link came from Dropbox itself, it looked legitimate, which makes the exploit harder to spot.

The phishing exploit involves these steps:

  • First, a user clicks the link in a legitimate notification from Dropbox to a resume and accesses a page hosted on the file-sharing service.
  • On that Dropbox-hosted page, the user is asked to enter their email account and password to view the document, handing the threat actors a working set of credentials.
  • Once the user enters their credentials, they are directed to a fake Microsoft OneDrive link. Clicking on that link delivers a malicious download.

“We’ve seen hackers do a lot of BEC attacks,” Jeremy Fuchs, a cybersecurity researcher/analyst at Avanan, said in a report on the attack. “These attacks have several variations, but generally they try to spoof an executive or partner to get an end user to do something they don’t want to do (like pay an invoice to the wrong place),” he said.


“Leveraging legitimate websites to host malicious content is a surefire way to get into the inbox,” he said. “Most security services will look at the sender — in this case, Dropbox — and see that it’s legitimate and accept the message. That’s because it is legitimate,” he added.

Avanan said stopping these stealthy attacks requires a combination of defensive steps, including scanning files stored in Dropbox for malware and scanning links inside documents, as well as rewriting links in the email body and inside attachments so they can be checked at click time. The key to educating users against these social engineering attacks is context, according to Fuchs: “Are resumes typically sent via Dropbox? If not, it may be a reason to contact the original sender and double-check. If they are, take it one step further. When you log into Dropbox, do I have to log in again with my email?”

Avanan said its researchers reached out to Dropbox on May 15 to inform the company of this attack and the research.

Linktree also used to capture credentials

Earlier this month, Avanan discovered a similar hack using Linktree, the social media landing page service whose links are commonly placed on profiles on sites like Instagram and TikTok. As in the Dropbox attacks, hackers created legitimate Linktree pages to host malicious URLs that harvest credentials.

The attackers sent targets spoofed Microsoft OneDrive or SharePoint notifications that a file had been shared with them, instructing them to open the file, according to Avanan. Ultimately, the user is redirected to a fake Office 365 login page, where they are asked to enter their credentials, which are then stolen.

“[Users] should think: Why would this person send me a document via Linktree? Most likely, that wouldn’t be the case. That’s all a part of security awareness — understanding if an email or process seems logical,” said Fuchs.

In these cases, the firm suggests that recipients:

  • Always check the sender’s address, not just the display name, before replying to an email.
  • Stop and think about whether the medium being used to send a file is typical for that sender.
  • When logging into a page, double-check the URL in the address bar to confirm it is Microsoft’s or another legitimate site’s domain and not a lookalike.
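The three checks above can be expressed as a small triage script. The following is an added example, not code from Avanan or TechRepublic; it parses a raw email, compares the sender domain and every link host against an illustrative allowlist of Microsoft domains (an assumption for this example, not an official list), and separately flags shares routed through third-party services such as Dropbox or Linktree so the recipient can confirm the medium is normal. The sample messages are constructed for the example and are not the lures from the report.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative allowlist of domains a genuine Microsoft file-share notice is
# sent from or links to. An assumption for this example, not an official list.
MICROSOFT_SUFFIXES = (
    "microsoft.com", "microsoftonline.com", "sharepoint.com",
    "sharepointonline.com", "live.com", "office.com",
)

# Legitimate services the report says were abused to host the lure page.
SHARING_SERVICE_SUFFIXES = ("dropbox.com", "linktr.ee")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
MS_BRAND_RE = re.compile(r"onedrive|sharepoint|microsoft|office 365", re.I)


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of it.
    A lookalike such as login.microsoftonline.com.evil.test does NOT match
    microsoftonline.com, because the comparison anchors on the right-hand end."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def analyze(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    subject = str(msg.get("Subject", ""))
    from_header = str(msg.get("From", ""))
    from_addr = parseaddr(from_header)[1]          # the real address, not the display name
    from_domain = from_addr.rpartition("@")[2]

    presents_as_microsoft = bool(MS_BRAND_RE.search(from_header) or MS_BRAND_RE.search(subject))
    findings = []

    # Check 1 (sender address): a OneDrive/SharePoint-branded notice should come
    # from a Microsoft domain, not merely carry the name in the display field.
    if presents_as_microsoft and not host_matches(from_domain, MICROSOFT_SUFFIXES):
        findings.append(f"sender {from_addr} is not a Microsoft domain but message is Microsoft-branded")

    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        # Check 2 (URL): links in a Microsoft-branded notice should land on Microsoft.
        if presents_as_microsoft and not host_matches(host, MICROSOFT_SUFFIXES):
            findings.append(f"link host {host} is not a Microsoft domain")
        # Check 3 (medium): the sender may be perfectly genuine, as with the real
        # Dropbox notifications in the report; a file shared via a third-party
        # service still deserves an out-of-band question of whether that is normal.
        if host_matches(host, SHARING_SERVICE_SUFFIXES):
            findings.append(f"file shared via third-party service {host}; confirm with the sender")
    return findings


# Constructed sample messages for the example (not messages from the report).
SPOOFED_SHAREPOINT = """From: "Microsoft SharePoint" <notify@example-mailer.test>
Subject: A file has been shared with you

Open "Resume.pdf": https://linktr.ee/constructed-example
Sign in: https://login.microsoftonline.com.example.test/signin
"""

DROPBOX_SHARE = """From: Dropbox <no-reply@dropbox.com>
Subject: Alex shared "resume.pdf" with you

https://www.dropbox.com/s/CONSTRUCTED/resume.pdf?dl=0
"""

GENUINE_ONEDRIVE = """From: "Microsoft OneDrive" <no-reply@sharepointonline.com>
Subject: Alex shared "Q2 plan.docx" with you

https://contoso-my.sharepoint.com/personal/alex/constructed
"""

if __name__ == "__main__":
    for name, sample in (("spoofed SharePoint", SPOOFED_SHAREPOINT),
                         ("Dropbox share", DROPBOX_SHARE),
                         ("genuine OneDrive", GENUINE_ONEDRIVE)):
        print(f"{name}: {analyze(sample) or 'no findings'}")
```

The spoofed notice trips all three checks (non-Microsoft sender, a Linktree link and a lookalike login host), the genuine OneDrive notice trips none, and the Dropbox share trips only the medium check, which is exactly the situation the report describes: nothing about the message is forged, so the only remaining defence is asking whether a resume via Dropbox makes sense for this sender.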

BEC attacks using legitimate sites may escalate this year

Fuchs said there are no obvious visual cues to tip off recipients to these BEC exploits. “Although if you were to sign into the Dropbox page, you’d see that there’s a OneDrive logo and link,” he said. “Eagle-eyed users should notice that discrepancy and think—why would there be two competing services on one page?,” he added.

He predicted that these attacks will escalate. “Any popular service that’s legit can potentially be used as a vehicle to deliver this type of malicious activity. That’s why we expect it to take off in the near future,” he said, adding that the exploit has already been used tens of thousands of times. “We believe this will really take off in volume in the second half of the year,” he said.
