Phishing Campaign Sending Dropbox Links to Zeus Downloads

A phishing campaign has been detected that sends victims Dropbox links leading to a .zip file hosting the Zeus banking Trojan.

With more enterprises sharing documents through Dropbox, the free online storage service is popping up in more spam and phishing scams.

The latest doesn’t necessarily target data stored by individuals and companies on Dropbox, but instead preys on the trust users have in the service.

Researchers at PhishMe last Thursday received a number of samples from the same phishing campaign sending users to a Dropbox link where a .zip file hosting a version of the Zeus banking Trojan awaited.

Senior researcher Ronnie Tokazowski said that unlike in targeted attacks, the subject lines on the phishing emails had a consistent theme about an incoming fax report, an outstanding invoice due, or payment advice. The emails urged the recipient to respond to a message about a financial debt by clicking on a link to a Dropbox folder. While the messaging was tweaked in each of the messages, the link was the same.

Should the user follow the link, they’ll be asked to download a .zip file containing an executable.

Should the user follow the link, they’ll be asked to download a .zip file containing an executable with the .scr, or Windows screensaver, file extension. The executable is a version of the prolific Zeus Trojan, which aims to steal banking credentials from its victims and use those passwords to create fraudulent wire transfers.

Coincidentally, the campaign was disclosed a day after a massive takedown of the GameOver Zeus botnet. GameOver is the peer-to-peer version of Zeus, and the FBI, Europol and a number of technology and security companies combined to seize servers used to manage the botnet’s activities and issue warrants for a Russian national charged in connection with GameOver Zeus. Botnet traffic has dropped to almost zero since the takedown.

As for this campaign, the Zbot malware is detected as Trojan-Spy.Win32.Zbot.tblo by Kaspersky Lab; 31 of 50 companies detect this Zeus strain. Dropbox has also removed all of the links that were sent in the campaign, Tokazowski said, adding that this isn’t the first Dropbox-related phishing scheme he’s seen.

“The reason it works is that many enterprises allow Dropbox through their networks. If they’re looking for bad domains, they’re not looking for because everyone and their uncle uses it,” Tokazowski said. “If you’re looking at http traffic, links are coming in over https, which just adds another layer of encryption to make it harder to detect.”

And while the grammar in the messaging isn’t perfect English, it’s good enough to fool someone quickly reading through; also, the samples seen by PhishMe include signature blocks, which is an unusual feature in a phishing message, Tokazowski said.

“To have signature blocks is unusual with crimeware campaigns,” he said. “It’s more to fool the user [than automated detection]. They figure sending an email, they’d be more official with a signature block.”

Almost a month ago, Dropbox dealt with another security issue when it announced it decided to disable a collaborative shared links feature that exposed stored documents to third parties for a period of time before a patch was available.

Users could be exploited by sharing a link to a document that contains a hyperlink to a third-party website. The recipient clicks on the link and the referrer header in the user’s browser discloses the original shared link to the third party website, Dropbox said, giving someone at the third party access to the link to the shared document.

Suggested articles