How To Respond When A Hacker Uses Your Email Account To Share Malicious Dropbox Files


Did your phones just start ringing with people asking why you just sent them some random file they were not expecting via Dropbox?

You likely have a compromised email address – that is, a hacker has access to your mailbox or one of your users' mailboxes. If you do not act quickly, some of the recipients of that email (people you have been recently emailing, or who have emailed you in the past) may suffer the same fate.

What exactly has happened?

Disclaimer: The following is based on our best understanding at the time of publishing and relates to a particular incident type. There are a couple of different ways threat actors are using Dropbox to perform these types of attacks. Contact us for assistance if this specific scenario doesn’t apply to you, but you are the victim of cybercrime.

The way the process works is that a threat actor (hacker) will gain access to a user’s email account. This normally occurs through phishing: an unsuspecting user clicks a link contained within an email they received, the page it opens asks them to log in using their email address, and boom, the threat actor has the email account credentials. Once they have access to your mailbox, they create a Dropbox account using your email address. They can complete the account verification because they have access to your mailbox. They will normally delete the verification email, or set up a forwarding rule so they receive it, so that you do not notice they have done it.

They then place a malicious file into the Dropbox account, normally designed to harvest usernames and passwords, and share it with everyone you have been emailing. They know who you have been emailing because, you guessed it, they have access to your mailbox. The sharing emails are generated from Dropbox, so you do not even know they have been sent, or to whom they have been sent.

How to respond to it?

Understanding how it works is critical to your incident response. The primary goal of your incident response should be to stop anybody from opening the malicious file in Dropbox. To do this, start by completing the following steps:

  1. Reset the user’s email account password
     a. The best practice is to reset all account passwords
     b. It is also best practice to enable multi-factor authentication. Enable it now where feasible.

  2. Check the account to ensure no email forwarding rules have been created in the mailbox
     a. Check this via webmail where possible (i.e. using the browser)
     b. Delete any rules that forward emails

  3. Go to Dropbox and select Sign in

  4. Select Forgotten your password?

  5. Enter your email and select submit

  6. Wait for the password reset email to be received and complete the reset procedure

  7. Once you are logged into Dropbox, stop all sharing and delete the files in the account

Once this has been completed, you have locked the threat actor out of both Dropbox and your email account. You have also deleted the file that was shared, so even if someone clicked the link in the email they received, there is no malicious file for them to open any more. This won’t help anyone who tried to open the file before you completed this process, so actioning this swiftly will minimise the exposure.
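
For the forwarding-rule check in the steps above, here is one way to review an exported list of mailbox rules. This is an added example, not part of the original article: it assumes the rules are exported in the shape of Microsoft Graph messageRule objects (the article does not name a mail platform), the sample rules and domains are constructed, and it goes slightly beyond the step by also flagging rules that delete Dropbox mail.

```python
import json

# Constructed sample: inbox rules shaped like Microsoft Graph "messageRule"
# objects (an assumption; the article does not name a mail platform).
SAMPLE_RULES = json.loads("""
[
  {"displayName": "Newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["news@example.com"]},
   "actions": {"moveToFolder": "folder-id-1"}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"senderContains": ["dropbox"]},
   "actions": {"delete": true, "stopProcessingRules": true}},
  {"displayName": "sync", "isEnabled": true,
   "conditions": {},
   "actions": {"forwardTo": [{"emailAddress": {"address": "box@outside.example"}}]}},
  {"displayName": "To assistant", "isEnabled": true,
   "conditions": {"subjectContains": ["invoice"]},
   "actions": {"redirectTo": [{"emailAddress": {"address": "pa@mycompany.example"}}]}}
]
""")

FORWARD_KEYS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
HIDE_KEYS = ("delete", "permanentDelete")


def audit_rules(rules, own_domain):
    """Return (rule name, reason) pairs for rules that need a human look."""
    findings = []
    for rule in rules:
        name = rule.get("displayName", "<unnamed>")
        actions = rule.get("actions") or {}
        cond_text = json.dumps(rule.get("conditions") or {}).lower()
        # Any rule that sends mail elsewhere is reported, enabled or not.
        for key in FORWARD_KEYS:
            for rcpt in actions.get(key) or []:
                addr = rcpt.get("emailAddress", {}).get("address", "").lower()
                where = "internal" if addr.endswith("@" + own_domain) else "EXTERNAL"
                findings.append((name, f"{key} -> {addr} ({where})"))
        # Rules that silently remove Dropbox mail hide the account verification.
        if any(actions.get(k) for k in HIDE_KEYS) and "dropbox" in cond_text:
            findings.append((name, "deletes mail matching 'dropbox'"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, "mycompany.example"):
        print(f"REVIEW rule {name!r}: {reason}")
```

Internal forwards are still listed so that each one can be confirmed with the mailbox owner before it is kept.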

Need assistance, or know someone who does?

Call the team or myself via: (02) 9146 6339


Contact the team at ServiceScaler today for a free and confidential discussion
