A new spam campaign has been circulating over the last few weeks aiming to dupe users of the popular cloud storage service Dropbox. The e-mails purport to come from the service but instead lead those who click through to a malware landing page.
Some of the emails start off fairly convincingly:
We noticed that you recently tried to login in to Dropbox with a password that you haven’t changed more than 90 days. Your old password has expired and you’ll need to create a new one to log in. Please visit the page to update your password Reset Password
Thanks! – The Dropbox Team
Other variations of the email try to get users to change their passwords, claiming their old one is now being marked “dangerous.”
The thing is, Dropbox actually does reset users’ passwords, sometimes when they haven’t been changed in a while “as a proactive security measure” according to their website, which could make the above email even more believable.
According to a blog post by AppRiver, a Florida-based web security company, on Friday however, clicking the link to reset your password brings users to a suspicious-looking page that’s passing itself off as a Microsoft site. Claiming the user’s browser is out-of-date, it gives them three options, an Internet Explorer download and for some reason, a Chrome download and a Firefox download. After making the rounds through a few hijacked domains, all trigger the download of ieupdate.exe, which is really more or less a Zeus Trojan variant.
The malware appears to be hosted on dynamooblog.ru, a domain that appears to be a jab at blog.dynamoo.com, a blog run by the British-based security analyst Conrad Longmore who reported about a similar strain of spam last week targeting and fooling Pinterest users.
Longmore attributes both spam campaigns to the RU:8080 gang, a resurgent spam crew that sent a slew of emails to users earlier this year claiming to come from the Better Business Bureau, UPS and Verizon Wireless, among other legitimate companies.