Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Sead Fadilpašić

That Dropbox link in your inbox could be a scam

data privacy

Cybercriminals are abusing legitimate cloud services to make sure their malicious files make it to people’s inboxes, new research from Check Point have said.

Dubbingthe practice Business Email Compromise (BEC) 3.0, the researchers said email service providers had gotten a lot better at spotting and filtering malicious emails. 

So in order to work around this, hackers have started using legitimate cloud services, especially those that offer free trial accounts. They would create a free account on a platform such as Dropbox, and use that service to send an email to their victim, carrying a malicious link. Given that the email would be coming from a trusted source and a known domain, email security services can do nothing but let the message reach the inbox.

Abusing filesharing services

In an example, Check Point said the attackers would create a malicious file and host it on Dropbox. They would then use the platform’s built-in sharing feature to email the link to the malicious file to their victims. As there’s nothing malicious about the email itself, the message would make it into the victim’s inbox.

If the victim opens the file, they would be prompted with a login form asking for their email address and password. In this, first step, the victims would already be giving their Dropbox credentials to the attackers. In the next step, the attackers would redirect the victim to a malicious URL, where they’d be asked for their OneDrive login credentials, as well.

“So the hackers, using a legitimate site, have created two potential breaches: They will get your credentials and then potentially induce you to click on a malicious URL,” the researchers explained. “That’s because the URL itself is legitimate. It’s the content on the website that’s problematic. You’ll see the hackers mocked up a page that looks like OneDrive. When clicking on the link, users are given a malicious download. “

As usual, the best way to protect against email-borne attacks is to use common sense and not click on unexpected and suspicious links and email attachments.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.