Malicious Phishing Campaign Masquerading as Dropbox Notifications Designed to Steal Email Account Credentials

On Tuesday, September 12, the NJCCIC detected a phishing campaign attempting to deliver malicious emails. These emails, sent from legitimate but compromised accounts, masquerade as Dropbox notifications. The body of the email suggests that there are documents from the sender waiting to be downloaded by the recipient and contains a link obfuscated by a URL shortener. If clicked, the link takes the recipient to a compromised website where they are lured into entering their email account credentials in order to view and download the supposed documents. The phishing page gives the recipient the option of logging in using one of the following accounts: Office365, Google, Outlook, Yahoo!, and AOL. It also provides an option to log in with an account not listed on the landing page.

If the recipient enters their account credentials, they are sent to the hacker or group behind the campaign, who can then use the credentials to log into the recipient's email account as well as any other accounts linked to, or associated with, that email address. Additionally, they can use the recipient's account to propagate the phishing scheme to that person's contact list, creating the illusion that the emails are legitimate.

As this campaign has initially managed to bypass some email security filters, the NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, be sure to have them proactively change the passwords to their accounts and any account associated with those email addresses.
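The lure described above has a detectable shape: a message that invokes the Dropbox brand but whose links lead to a URL shortener, or to any host other than Dropbox's own. The following triage check is an added example written for this advisory, not NJCCIC tooling; the shortener list, the Dropbox domain list, and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Shortener domains commonly used to hide a landing page (assumed list; the advisory names none).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
# Domains a genuine Dropbox share notification links to (assumption for this example).
DROPBOX_DOMAINS = {"dropbox.com", "dropboxmail.com"}
DROPBOX_LURE_RE = re.compile(r"\bdropbox\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def message_text_and_urls(raw_message):
    """Return (subject + all text bodies, list of http(s) URLs found in them)."""
    msg = message_from_string(raw_message)
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            texts.append(part.get_payload(decode=True).decode("utf-8", errors="replace"))
    text = "\n".join(texts)
    return text, URL_RE.findall(text)


def find_dropbox_lure(raw_message):
    """Return [(reason, url), ...] for a Dropbox-themed message whose links do not go to Dropbox.

    A shortener link is reported as "shortener" (the obfuscation the advisory describes);
    any other non-Dropbox host is reported as "non-dropbox host". Benign Dropbox
    notifications and messages that never mention Dropbox return [].
    """
    text, urls = message_text_and_urls(raw_message)
    if not DROPBOX_LURE_RE.search(text):
        return []
    findings = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if _host_in(host, SHORTENER_DOMAINS):
            findings.append(("shortener", url))
        elif not _host_in(host, DROPBOX_DOMAINS):
            findings.append(("non-dropbox host", url))
    return findings


# Constructed samples: a lure with a shortened link, and a benign notification linking to Dropbox.
LURE = "Subject: Documents shared with you via Dropbox\nContent-Type: text/plain\n\n" \
       "I sent you some documents using Dropbox. Download them here: https://bit.ly/3xXxXxX\n"
BENIGN = "Subject: A file was shared with you via Dropbox\nContent-Type: text/plain\n\n" \
         "View the file: https://www.dropbox.com/s/abc123/report.pdf\n"

if __name__ == "__main__":
    print(find_dropbox_lure(LURE))    # [('shortener', 'https://bit.ly/3xXxXxX')]
    print(find_dropbox_lure(BENIGN))  # []
```

The shortener list is a heuristic, not an allowlist: resolving the shortened link in a sandbox and checking the final host is the stronger follow-up.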