Did your phones just start ringing with people asking why you just sent them some random file they were not expecting via Dropbox?
You likely have a compromised email address – that is, a hacker has access to your mailbox or one of your users' mailboxes. If you do not act quickly, some of the recipients of that email (people you have been recently emailing, or who have emailed you in the past) may suffer the same fate.
Disclaimer: The following is based on our best understanding at the time of publishing and relates to a particular incident type. There are a couple of different ways threat actors are using Dropbox to perform these types of attacks. Contact us for assistance if this specific scenario doesn’t apply to you, but you are the victim of cybercrime.
The way the process works is that a threat actor (hacker) gains access to a user's email account. This normally occurs by phishing: an unsuspecting user clicks a link contained within an email they received, the page asks them to log in using their email address, and boom, the threat actor has their email account credentials. Once they have access to your mailbox, they create a Dropbox account using your email. They can complete the account verification because they have access to your mailbox. They will normally delete the verification email, or set up a forwarding rule so they receive it, so that you do not notice what they have done.
They then place a malicious file into the Dropbox account, normally designed to harvest usernames and passwords, and share it with everyone you have been emailing. They know who you have been emailing because, you guessed it, they have access to your mailbox. The sharing emails are generated from Dropbox, so you do not even know they have been sent, or to whom they have been sent.
Understanding how it works is critical to your incident response. The primary goal of your incident response should be to stop anybody from opening the malicious file in Dropbox. To do this, start by completing the following steps:
   b. It is also best practice to enable multi-factor authentication. Enable it now where feasible.
   b. Delete any rules that forward emails
Go to Dropbox and select Sign in
Select Forgotten your password?
Enter your email and select submit
Wait for the password reset email to be received and complete the reset procedure
Once you are logged into Dropbox, stop all sharing and delete the files in the account
Once this has been completed, you have locked the threat actor out of both Dropbox and your email account. You have also deleted the file that was shared, so even if someone clicked the link in the email they received, there is no malicious file for them to open any more. This won’t help anyone who tried to open the file before you completed this process, so actioning this swiftly will minimise the exposure.
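The mailbox-rule check from the steps above can be scripted when several mailboxes need reviewing. The following is an added example, not part of the original article: it flags rules that forward mail outside your organisation or that hide Dropbox messages. The rule export format, field names, `OWN_DOMAINS` and the sample rules are all assumptions constructed for illustration.

```python
# Added example: triage of exported mailbox rules (field names are hypothetical).
OWN_DOMAINS = {"example.com"}          # assumption: your organisation's mail domains
HIDE_ACTIONS = {"delete", "move_to_folder", "mark_read"}

# Constructed sample export; a real export from your mail platform will use
# different field names and must be mapped to this shape first.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from_contains": ["news@example.org"]},
     "actions": [{"type": "move_to_folder", "folder": "Reading"}]},
    {"name": ".", "conditions": {"from_contains": ["dropbox"]},
     "actions": [{"type": "delete"}]},
    {"name": "fwd", "conditions": {},
     "actions": [{"type": "forward", "to": ["inbox@mail.invalid"]}]},
    {"name": "To assistant", "conditions": {},
     "actions": [{"type": "forward", "to": ["pa@example.com"]}]},
]

def _domain(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def _keywords(rule):
    """All condition strings of a rule, lower-cased."""
    return [v.lower() for vals in rule.get("conditions", {}).values() for v in vals]

def audit_rule(rule, own_domains=OWN_DOMAINS):
    """Return the list of reasons a rule looks like attacker persistence."""
    reasons = []
    for action in rule.get("actions", []):
        kind = action.get("type")
        if kind in {"forward", "redirect"}:
            external = [a for a in action.get("to", []) if _domain(a) not in own_domains]
            if external:
                reasons.append("forwards to external address: " + ", ".join(external))
        elif kind in HIDE_ACTIONS and any("dropbox" in k for k in _keywords(rule)):
            reasons.append(f"hides Dropbox mail ({kind})")
    return reasons

def audit(rules, own_domains=OWN_DOMAINS):
    """Map rule name -> reasons, for every rule with at least one finding."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, own_domains)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"REVIEW rule {name!r}: " + "; ".join(reasons))
```

A flagged rule is a prompt for manual review, since some external forwards are legitimate; rules that survive a password reset are the reason this check belongs alongside it.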
Need assistance, or know someone who does?
Call the team or myself via: