Dropbox credentials stolen with a resignation letter

We know that cybercriminals look every day for very creative ways to deceive users; in this way, they do not think that it is a fraud when they put their credentials on the pages they access. But, in this case, it is a resignation letter that is tricking many into handing over their Dropbox service credentials. In this article, we explain everything that is happening with this new form of deception.

Read: Emonet malware now attacks Chrome Browser

A “resignation letter” wreaks havoc on Dropbox

As explained by Josep Albors, Head of Awareness and Research at Ontinet —ESET Spain— (a professional with more than 16 years of experience in cybersecurity), it is very curious to receive a message associated with Dropbox about a stored file, which is a resignation letter. A huge popular topic in recent months due to what is happening in the United States with the “great resignation,” where many employees have left their jobs for various reasons.

So, it is not surprising to receive an email of this nature, in addition to the fact that it will obviously attract attention and capture users’ curiosity. One of the reasons why ESET decided to investigate this specific malicious email is that there is no attached file within the email, but rather a link that leads to a page well prepared to impersonate the Dropbox storage service.

When the user opens the page, their credentials are requested, and, since the mail normally arrives at the corporate account, a large part of the users enter that account’s data. A quick analysis of the domains that were used gives great proof of the true nature of this page. Despite having a valid certificate that shows the padlock in the address bar, it does not mean that there is security at said site.

In recent months, scams have grown through sites with good certificates because it is no longer difficult to obtain them, even for free. Be careful! The padlocks on the bar do not indicate a secure site but rather an encrypted connection, which is not the same thing. Other data that generates suspicion is that the website was registered a day before obtaining the certificate. The person who did it resides in Finland but the IP is supposedly hosted in Moscow.

In addition, the investigation revealed that the same IP has been creating domains using the name of the German hosting and mail provider Ionos, for which users of said service have already been alerted. As a final note, it can only be repeated that you must be very careful with emails that arrive and what they contain; a striking subject that arouses curiosity and can fool anyone.

Keep in touch with our blog to read the latest news and innovations in the cybersecurity world.