Kaspersky has identified a multi-stage phishing scam targeting employees who handle financial documents. The fraud begins when victims receive an email from a legitimate address of an auditing company, which lowers their guard. This initial email is only a prelude to the main fraudulent activity.

Victims then receive a notification from the Dropbox service, which contains malicious links to files uploaded by cybercriminals in order to steal credentials. The attack begins with an email that appears to come from a genuine auditing company, whose domain has likely been compromised. This email uses social engineering techniques to reduce suspicion and prepares the victim for the next step: receiving a file from Dropbox.

“The email appears trustworthy to both people and protection software. It presents a convincing story, claiming that an auditing company has information relevant to the recipient, along with a disclaimer about sharing sensitive information. It contains no links or attachments and comes from an easily verifiable company address, making it difficult to detect by spam filters,” explains Roman Dedenok, security expert at Kaspersky.

What is Dropbox phishing?

The only suspicious hint is the mention of a “Dropbox Application Secured Upload” service, which does not actually exist. Although files in Dropbox can genuinely be password protected, here the feature is merely invoked to make the story plausible.

Following this initial email, victims receive an official notification from Dropbox. Influenced by the first message, they are more likely to follow the link provided to review the document.

Clicking the link brings up a blurred document with an authentication window overlaid on it. The entire document acts as a malicious link, leading to a form that requests the user’s corporate username and password. Obtaining these credentials is the goal of the whole multi-step scheme.
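The two-stage sequence described above (a link-free priming mail from an external domain, followed by a genuine Dropbox share notification to the same recipient) is something a mail-security team can correlate from its own telemetry. The following is an added example, not code from Kaspersky or the article; the Mail record, the field names, the lure wording pattern, the 48-hour window and the assumption that Dropbox notifications arrive from dropbox.com are all illustrative choices.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Mail:
    recipient: str
    sender_domain: str
    text: str           # subject and body, already extracted
    received: datetime
    has_links: bool
    has_attachments: bool
# Wording of the priming mail (hypothetical pattern; tune to your own telemetry).
LURE_TERMS = re.compile(r"dropbox|secured upload|audit", re.I)
CORRELATION_WINDOW = timedelta(hours=48)  # longest gap tolerated between the two stages

def is_priming_mail(m: Mail, internal_domain: str) -> bool:
    """Stage 1: external sender, no links or attachments, mentions Dropbox/audit."""
    if m.sender_domain == internal_domain or m.has_links or m.has_attachments:
        return False
    return LURE_TERMS.search(m.text) is not None
def is_share_notification(m: Mail) -> bool:
    """Stage 2: a genuine Dropbox notification (assumed to come from dropbox.com)."""
    return m.sender_domain == "dropbox.com"
def find_staged_sequences(mails: list, internal_domain: str) -> list:
    """Return (recipient, priming sender, notification time) per correlated pair."""
    by_recipient: dict = {}
    for m in mails:
        by_recipient.setdefault(m.recipient, []).append(m)
    hits = []
    for rcpt, msgs in by_recipient.items():
        primes = [m for m in msgs if is_priming_mail(m, internal_domain)]
        notes = [m for m in msgs if is_share_notification(m)]
        for p in primes:
            for n in notes:  # only notifications arriving after the priming mail count
                if timedelta(0) <= n.received - p.received <= CORRELATION_WINDOW:
                    hits.append((rcpt, p.sender_domain, n.received))
    return hits

# Constructed sample telemetry, not data from the campaign described above.
T0 = datetime(2024, 6, 3, 9, 0)
SAMPLE = [
    Mail("alice@corp.example", "audit-firm.example",
         "Audit files to follow via Dropbox Application Secured Upload.", T0, False, False),
    Mail("alice@corp.example", "dropbox.com", "A file was shared with you",
         T0 + timedelta(hours=5), True, False),
    Mail("bob@corp.example", "dropbox.com", "A file was shared with you",
         T0 + timedelta(hours=1), True, False),
]
```

Run against the sample, only alice's pair is flagged; bob's lone Dropbox notification produces nothing, which is the point of correlating the stages rather than alerting on every share notification.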

Safety Recommendations

These attacks are considered targeted and were observed by Kaspersky in isolated cases. To stay protected, it is advisable to warn employees and encourage vigilance. Other useful tips include:

  • Provide staff with basic cybersecurity hygiene training. A simulated phishing attack can be conducted to ensure employees are able to distinguish phishing emails.
  • In general, all company employees should remember to enter their work password only on websites owned by their organization. Neither Dropbox nor external auditors can know or need your work password.
  • As criminals constantly come up with more sophisticated schemes to steal data from corporate accounts, it is advisable to implement real-time protection, threat visibility, investigation and response solutions, such as the Kaspersky Next product line.