Skip to main content

Cybercriminals use Dropbox to target finance staff for credential thefts

17 May 2024

A multistep phishing scheme aimed at employees that process financial documentation was discovered by Kaspersky. The scheme begins when victims receive an email from the legitimate address of an auditing firm. This initial interaction is intended to make the recipient less suspicious: like a preparatory step to ease into the main fraudulent activity. Then a notification from the Dropbox service follows, containing malicious links to archives where cybercriminals have uploaded phishing files designed to steal credentials.

The first step involves victims receiving emails purportedly from a legitimate auditing firm. These emails are sent from authentic address, which has most likely been hijacked by attackers. They employ social engineering tactics to lower victims’ guard and prepare them to receive a Dropbox archive.

db1

The first step in the scheme: the victim received an email from an alleged “auditor”

The email appears legitimate from both a human standpoint and in terms of protection software. It contains a plausible cover story that an official audit company has information for the recipient, complete with a disclaimer regarding sharing confidential information. In addition, the email contains no links or attachments and originates from an easily searchable company addressmaking it nearly impossible for a spam filter to detect”, explains Roman Dedenok, a security expert at Kaspersky.

The only suspicious trait in this email is that the sender uses “Dropbox Application Secured Upload”. This service doesn’t exist. Although files uploaded to Dropbox can be password-protected, nothing more can be done. 

Following this email, the perpetrators send their victims an official Dropbox notification. If the recipient is already primed to respond by the initial message, there is a higher likelihood they’ll follow the link to review the document.

db2

Dropbox notification 

Clicking on the link reveals a blurred document with an authentication window on top of it. The document acts as a large button, with its entire surface being a malicious link. Upon clicking, the user will see a form requesting their corporate login and password: credentials that cybercriminals seek to steal using this multistep scheme.

db3

The malicious PDF file uploaded to Dropbox, mimicking an authentication request.

These attacks are considered targeted and were observed by Kaspersky in isolated instances. The scheme is described in detail in the Kdaily post. To stay protected, it is advisable to warn employees and encourage vigilance. Here are a few pieces of advice:

  • Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails.
  • Overall, all company employees should remember to input their work password only on sites owned by their organization. Neither Dropbox nor external auditors can know and need your work password. 
  • As perpetrators constantly devise more sophisticated schemes to steal corporate account data, we recommend implementing real-time protection, threat visibility, investigation and response solutions, such as  Kaspersky Next product line.

Cybercriminals use Dropbox to target finance staff for credential thefts

A multistep phishing scheme aimed at employees that process financial documentation was discovered by Kaspersky. The scheme begins when victims receive an email from the legitimate address of an auditing firm. This initial interaction is intended to make the recipient less suspicious: like a preparatory step to ease into the main fraudulent activity. Then a notification from the Dropbox service follows, containing malicious links to archives where cybercriminals have uploaded phishing files designed to steal credentials.
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases