BEC attacks emulate legitimate web services to lure clicks
New BEC cyberattacks use phishing that hides behind a legitimate Dropbox link to deliver malware and steal credentials.
Threat actors have added a new wrinkle to traditional business email compromise cyberattacks. Call it BEC 3.0 – phishing attacks that bury the hook in legitimate web services like Dropbox.
Avanan, a unit of Check Point Software, tracked down a recent example of this family of attacks, in which hackers created free Dropbox accounts to harvest credentials or hide malware in legitimate-looking, contextually relevant documents, such as prospective employees’ resumes.
The security firm discovered that the attack began with actors sharing a PDF of someone’s resume via Dropbox. The recipient can only view the document after adding it to Dropbox. The link from Dropbox seemed legitimate, making the exploit harder to spot.
The phishing chain consists of the following steps:
- First, the user clicks the link in Dropbox’s legitimate share notification for the resume and is taken to a page on the file-sharing service.
- On this Dropbox-hosted page, the user must enter their email account and password to view the document, which hands those credentials to the threat actors.
- After the user enters their credentials, the page redirects them to a fake Microsoft OneDrive link. Clicking that link delivers a malicious download.
“We’ve seen hackers commit a lot of BEC attacks,” said Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, in a report on the attack. “There are many variations of these attacks, but they usually try to trick a manager or partner into forcing the end user to do something they don’t want to do (such as pay the bill at the wrong location),” he said.
“Exploiting legitimate websites to host malicious content is a surefire way to get into your inbox,” he said. “Most security services look at the sender—in this case, Dropbox—and determine if it’s legitimate and accept the message. It’s because it’s legitimate,” he added.
Avanan said preventing these stealth attacks requires a number of defensive steps, including looking for malicious files in Dropbox and links in documents, as well as replacing links in email bodies and attachments. According to Fuchs, the key to educating against social engineering attacks is context: “Are resumes usually sent through Dropbox? If not, you may need to contact the original sender and double check. If so, take it one step further. When you sign in to Dropbox, do I have to sign in again with my email address?”
Avanan said researchers contacted Dropbox on May 15 to inform them of the attack and the research.
Linktree also used to capture credentials
Earlier this month, Avanan discovered a similar hack using Linktree, the social media link-landing-page service found in profiles on sites like Instagram and TikTok. As in the Dropbox attacks, hackers created legitimate Linktree pages to host malicious URLs that harvest credentials.
Attackers sent targets spoofed Microsoft OneDrive or SharePoint notifications saying that a file had been shared with them and instructing them to open it, Avanan said. The user is finally taken to a fake Office 365 login page, where the credentials they enter are stolen.
“[Users] you have to think: Why would this person send me a document through Linktree? That probably wouldn’t be the case. It’s all part of security awareness — understanding whether an email or process looks logical,” Fuchs said.
In these cases, the company recommends that the recipient:
- Always check the sender’s address before replying to an email.
- Stop and think if the medium used to deliver the file is typical.
- When you sign in to a site, double-check the URL to make sure it’s from Microsoft or another legitimate site.
BEC attacks using legitimate sites may increase this year
Fuchs said there are no obvious visual cues that would direct attack recipients to BEC exploits. “Although if you were to log into the Dropbox page, you’d see there’s a OneDrive logo and link,” he said. “Eagle-eyed users should notice this discrepancy and think – why have two competing services on the same page?” he added.
He predicted that these attacks would increase. “Any popular, legitimate service can potentially be used as a tool to carry out this type of malicious activity. That’s why we expect it to pick up in the near future,” he said, adding that the exploit has already been used tens of thousands of times. “We think that will really pick up in the second half of the year,” he said.
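As an added illustration of the checks recommended above (verify the sign-in URL, and notice two competing services on one page), here is a small Python heuristic that flags a sign-in page whose branding does not match the domain hosting it, or a Dropbox- or Linktree-hosted share page that shows another service’s link or asks for an email and password. This is example code written for this article, not Avanan’s tooling; the brand-to-domain allow-list, the sample URLs and the page text are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list (assumption): registrable domains that legitimately host each brand.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "sharepoint.com", "onedrive.com"},
    "dropbox": {"dropbox.com"},
    "linktree": {"linktr.ee"},
}
# Words in page text that signal which brand a page claims to belong to.
BRAND_WORDS = {
    "microsoft": re.compile(r"onedrive|sharepoint|office\s*365|microsoft", re.I),
    "dropbox": re.compile(r"dropbox", re.I),
    "linktree": re.compile(r"linktree|linktr\.ee", re.I),
}
CREDENTIAL_PROMPT = re.compile(r"(email|username)[^.]{0,40}password", re.I)

def registrable_domain(url: str) -> str:
    # Naive: last two hostname labels; a real check would use a public-suffix list.
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])

def hosting_brand(url: str):
    dom = registrable_domain(url)
    return next((b for b, doms in BRAND_DOMAINS.items() if dom in doms), None)

def check_landing_page(url: str, page_text: str) -> list:
    """Findings for a page the user is about to sign in to; empty list means no mismatch."""
    findings, host = [], hosting_brand(url)
    claimed = {b for b, pat in BRAND_WORDS.items() if pat.search(page_text)}
    for brand in sorted(claimed - {host}):
        if host is None:   # look-alike login page on an unrelated domain
            findings.append(f"page uses {brand} branding but is hosted on {registrable_domain(url)}")
        else:              # two competing services on one page (the cue Fuchs describes)
            findings.append(f"{host}-hosted page also shows competing service {brand}")
    if host in {"dropbox", "linktree"} and CREDENTIAL_PROMPT.search(page_text):
        findings.append(f"{host} share page asks for email and password")
    return findings
# Constructed sample pages (URLs and text are made up for this example).
SAMPLE_PAGES = {
    "dropbox_resume": ("https://www.dropbox.com/s/CONSTRUCTED/resume.pdf",
                       "Dropbox: enter your email and password to view resume.pdf. Open in OneDrive."),
    "linktree_share": ("https://linktr.ee/CONSTRUCTED",
                       "A file has been shared with you via SharePoint. Open document."),
    "fake_o365": ("https://login.example.invalid/o365", "Sign in to Office 365 with your work email."),
    "real_microsoft": ("https://login.microsoftonline.com/", "Sign in to your Microsoft account."),
}

def scan_samples() -> dict:
    return {name: check_landing_page(url, text) for name, (url, text) in SAMPLE_PAGES.items()}
```

Running `scan_samples()` flags the three constructed lure pages and returns no findings for the genuine Microsoft login page.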