Fallout continues from the 2012 Dropbox breach that exposed over 68 million account credentials, as experts are warning of a phishing campaign leveraging the breached email addresses that were discovered for sale on a dark web site.
The phishing campaign relating to the Dropbox breach was detected by security researchers at AppRiver, the cloud cybersecurity firm headquartered in Gulf Breeze, Fla., who wrote in a blog post they discovered “a malware-based phishing blast that attempts to impersonate itself as a Dropbox notification email.”
“The campaign employs a common phishing tactic of visually mirroring a legitimate Dropbox email. The email alerts the recipient that they’ve received an invoice file and must download it via the link provided,” the blog post stated. “The message claims that the invoice is for work completed for language translation. When a user clicks on the link within the email, a zip archive file is almost immediately downloaded to their computer.”
Although the passwords involved in the Dropbox breach are all encrypted, the breach exposed email addresses for all of the stolen passwords, making the data useful to malicious actors for phishing purposes.
The danger that the cache of email addresses will be used for phishing and other attacks appears to be real. Waqas Amir, a Milan-based cybersecurity journalist, reported dark web vendor DoubleFlag is offering the Dropbox email addresses and encrypted passwords associated with those addresses for sale on the dark web marketplace TheRealDeal for 2 bitcoin, or about $1,250.
Troy Gill, manager of security research at AppRiver, told SearchSecurity that so far they’ve seen approximately 70,000 emails in the latest phishing campaign. “On the face this thing looks like an average malware campaign that is simply utilizing Dropbox for appeal, but it could be possible that there is some targeting being done toward actual users of Dropbox,” he said. “We have no way to validate that assertion.”
“The Dropbox hack released a large amount of active email addresses which will certainly be used for phishing and spam campaigns,” wrote Dotan Bar Noy, CEO at ReSec Technologies Ltd., in a LinkedIn blog post, adding that because Dropbox is used by enterprises as well as consumers, it means “the email addresses leaked are real, legitimated and used quite often.”
“So now fraudsters, cyber criminals and nation state hackers have access to millions of potential victims to send phishing, ransomware and spear-phishing emails,” Bar Noy wrote. The Dropbox breach differs from other recent major breaches such as those at LinkedIn and other sites where users rely on private email addresses to set up personal accounts.
“Credentials are often available on the dark web within a few days” after a major breach is made public, Ryan Disraeli, co-founder and vice president at TeleSign, told SearchSecurity. “Hackers want to capitalize on the validity and value of the data before users update their accounts. Dropbox isn’t unique in this regard. It is certainly possible we will see more phishing campaigns in the coming days, weeks and months as hackers put their purchased credentials to use.”
“While much of the important information from the breach was salted and hashed, hackers were able to get their hands on email addresses,” Disraeli said. “Anytime a large collection of confirmed email addresses is breached it is common to see an increase in phishing scams, as hackers now have a more targeted list of emails tied to a known user account. This tends to increase the success rate of the scam. Add to this, cloud storage platforms are traditionally more susceptible to phishing scams as users are used to clicking on download links in their emails.”
“Anytime there is a breach, especially one potentially as wide-reaching as this, everyone should take extra steps to prepare for the fallout,” Gill urged. “If you are a Dropbox user, this includes changing passwords and enabling two-factor authentication, if possible. Also, since we know that it is very commonplace for people to reuse passwords across multiple sites and services then changing all relevant passwords is essential.”
In the meantime, Disraeli said he had seen “other companies, such as Spotify, proactively forcing password resets on their users to help avoid any password reuse issues spreading from the Dropbox breach. We expect — and hope — to see more proactive security measures such as this from other companies as they look to guard against their own breaches as a result of reused credentials.”