Threat actors have added a new wrinkle to traditional business email compromise cyberattacks. Call it BEC 3.0 — phishing attacks that bury the hook in legitimate web services like Dropbox.
Avanan, a unit of Check Point Software, has tracked a recent example of this attack family, in which hackers created free Dropbox accounts to grab credentials or hide malware in legitimate-looking, contextually relevant documents such as potential employees’ resumes.
The attack, the security firm discovered, started with the actors sharing a PDF of someone’s resume via Dropbox. The target can’t view the document unless they choose “Add to Dropbox.” Because the link came from Dropbox itself, it looked legitimate, making the exploit harder to spot.
The phishing exploit involves these steps:
- First, the user clicks the link in a legitimate Dropbox notification about a resume and lands on a page hosted on the file-sharing service.
- On that Dropbox-hosted page, the user is asked to enter their email address and password to view the document, handing the threat actors working credentials.
- Once the credentials are entered, the user is directed to a fake Microsoft OneDrive link; clicking it delivers a malicious download.
“We’ve seen hackers do a lot of BEC attacks,” Jeremy Fuchs, a cybersecurity researcher/analyst at Avanan, said in a report on the attack. “These attacks have several variations, but generally they try to spoof an executive or partner to get an end user to do something they don’t want to do (like pay an invoice to the wrong place),” he said.
“Leveraging legitimate websites to host malicious content is a surefire way to get into the inbox,” he said. “Most security services will look at the sender — in this case, Dropbox — and see that it’s legitimate and accept the message. That’s because it is legitimate,” he added.
Avanan said preventing these stealth attacks requires a number of defensive steps, including scanning for malicious files in Dropbox and links in documents, as well as replacing links in the email body and inside attachments. The key to education against these social engineering attacks is context, according to Fuchs: “Are resumes typically sent via Dropbox? If not, it may be a reason to contact the original sender and double-check. If they are, take it one step further. When you log into Dropbox, do I have to log in again with my email?”
Avanan said the researchers reached out to Dropbox on May 15 to inform them of this attack and research.
Linktree also used to grab credentials
Earlier this month, Avanan discovered a similar hack using the social media reference landing page Linktree, which is hosted on sites like Instagram and TikTok. Similar to the Dropbox attacks, hackers created legitimate Linktree pages to host malicious URLs to harvest credentials.
The attackers sent targets spoofed Microsoft OneDrive or SharePoint notifications saying a file had been shared with them and instructing them to open it, according to Avanan. The user is ultimately redirected to a fake Office 365 login page that asks for their credentials, which are then stolen.
“[Users] should think: Why would this person send me a document via Linktree? Most likely, that wouldn’t be the case. That’s all a part of security awareness — understanding if an email or process seems logical,” said Fuchs.
In these cases, the firm suggests that recipients:
- Always check the sender’s address before replying to an email.
- Stop and think if the medium being used to deliver a file is typical.
- When logging into a page, double-check the URL to see if it’s Microsoft or another legitimate site.
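The checks in that list, together with the landing-page scanning Avanan recommends, can be automated on the gateway side. The following is an added example, not Avanan’s or Dropbox’s code; it assumes the scanner has already fetched the HTML of the page a share link resolves to and knows which service the notification claims to come from, and the sample page and URL are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keywords that should not appear on a page served by a different sharing service.
COMPETING_BRANDS = ("onedrive", "sharepoint", "office 365", "microsoft")

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

class _PageScan(HTMLParser):
    """Collect password inputs, form targets and brand mentions from a landing page."""
    def __init__(self):
        super().__init__()
        self.password_inputs, self.form_actions, self.brand_hits = 0, [], set()
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        for val in (a.get("alt", ""), a.get("src", ""), a.get("href", "")):
            self.handle_data(val)  # brand names hide in logos and links, not just text
    def handle_data(self, data):
        self.brand_hits.update(b for b in COMPETING_BRANDS if b in data.lower())

def scan_share_page(page_url, html, notifier_domain):
    """Flag the cues the article describes on a page reached from a share notification;
    notifier_domain is the service the notification claims to come from (e.g. dropbox.com)."""
    host = _host(page_url)
    if not _under(host, notifier_domain):
        return [f"landing page host {host} is not on the notifying service {notifier_domain}"]
    scan = _PageScan()
    scan.feed(html)
    findings = ["share page asks for a password"] if scan.password_inputs else []
    for ah in (_host(action) for action in scan.form_actions):
        if ah and not _under(ah, notifier_domain):
            findings.append(f"form posts off-service to {ah}")  # credentials leave the service
    if scan.brand_hits:
        findings.append("competing brand on page: " + ", ".join(sorted(scan.brand_hits)))
    return findings

# Constructed sample (assumed URL) resembling the Dropbox-hosted page the article
# describes: a password prompt and a OneDrive link on a page served under dropbox.com.
SAMPLE_URL = "https://www.dropbox.com/s/placeholder/resume.pdf"
SAMPLE_HTML = """<html><body><img src="/logo.png" alt="Dropbox"><p>Enter your email and password</p>
<form action="https://collector.example.net/login"><input type="email"><input type="password"></form>
<a href="https://example.net/d/onedrive-share"><img alt="OneDrive" src="/od.png"></a></body></html>"""
```

A page that only offers the shared file under the notifying service’s own domain produces no findings, so the scan can feed the link-replacement step without blocking genuine Dropbox shares.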
BEC attacks using legitimate sites may escalate this year
Fuchs said there are no obvious visual cues to tip off attack recipients to BEC exploits. “Although if you were to sign into the Dropbox page, you’d see that there’s a OneDrive logo and link,” he said. “Eagle-eyed users should notice that discrepancy and think—why would there be two competing services on one page?” he added.
He predicted that these attacks will escalate. “Any popular service that’s legit can potentially be used as a vehicle to deliver this type of malicious activity. That’s why we expect it to take off in the near future,” he said, adding that the exploit has been used tens of thousands of times. “We believe this will really take off in volume in the second half of the year,” he said.