Beware of phishing emails using Dropbox links

Several weeks ago, I wrote a blog entry about phishing emails using zip files with executable files attached to them. Using PhishMe Reporter, several of our users (yes, we use our own tools internally) successfully identified a new round of phishing, this time using Dropbox links in the body.

This round of phishing contains the following subjects:

• INCOMING FAX REPORT: Remote ID: 385-567-7335 (Figure 1)
• FW: Case – 1045890 (Figure 2)
• Outstanding invoice (Figure 3)
• Payment Advice – Advice Ref:[GB675969802948] / CHAPS credits / Customer Ref:[pay run 29/05/14] (Figure 4)

Figure 1 – Incoming Fax Phishing Email

Figure 2 – Case Phishing Email

Figure 3 – Outstanding Invoice Phishing Email

Figure 4 – Payment Advice Phish

If a user clicks the link, they are directed to Dropbox where they can download a small zip file which contains an executable masked as an .scr file, or a Windows screen saver file. The “cool” thing is that Windows treats .exe and .scr files the same way, so you simply have to rename an .exe to .scr.

As of the time of writing, the links which were sent to our users have been removed by Dropbox. For those who would like to create signatures, here are the links we received:

First wave: https://dl.dropboxusercontent[d]com/s/yxkpsv2u9rojc7v/

Following waves:

Directed to:

If you are performing incident response, here are a few ways you can spot these:

1. Search by partial subjects. (Numbers can change)
2. Check proxy logs for Dropbox patterns similar to “dl.dropboxusercontent[d]com/s/*/*.zip?dl=1&token_hash=*&expiry=*”
3. Unknown screen savers executing on endpoints
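To show how items 1 and 2 translate into a quick triage script, here is an added example (not from the original post or PhishMe's tooling) that matches the Dropbox zip pattern above against proxy log lines and the partial subjects against mail subjects. The log lines, the client IPs, the zip filename and the token/expiry values are constructed; only the path token comes from the first-wave link quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Item 2 from the post: a zip served straight from the Dropbox content host
# with the direct-download flag plus token_hash and expiry parameters.
DROPBOX_ZIP_RE = re.compile(
    r"^https?://dl\.dropboxusercontent\.com/s/[^/?#]+/[^/?#]+\.zip$", re.IGNORECASE
)

def is_dropbox_zip_lure(url: str) -> bool:
    """True if url looks like dl.dropboxusercontent.com/s/*/*.zip?dl=1&token_hash=*&expiry=*"""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if not DROPBOX_ZIP_RE.match(base):
        return False
    qs = parse_qs(parts.query)
    return qs.get("dl") == ["1"] and "token_hash" in qs and "expiry" in qs

# Item 1 from the post: match on the fixed part of each subject, since the
# numbers change between waves. Dashes are normalised before comparing.
SUBJECT_PREFIXES = [
    "INCOMING FAX REPORT: Remote ID:",
    "FW: Case -",
    "Outstanding invoice",
    "Payment Advice - Advice Ref:",
]

def matches_known_subject(subject: str) -> bool:
    s = subject.replace("\u2013", "-").replace("\u2014", "-").strip().lower()
    return any(s.startswith(p.lower()) for p in SUBJECT_PREFIXES)

# Constructed proxy log (timestamp client method url status); not real traffic.
SAMPLE_PROXY_LOG = """\
1401370001.123 10.1.2.3 GET https://dl.dropboxusercontent.com/s/yxkpsv2u9rojc7v/fax.zip?dl=1&token_hash=EXAMPLE&expiry=1401456000 200
1401370002.456 10.1.2.4 GET https://www.dropbox.com/home 200
1401370003.789 10.1.2.5 GET https://dl.dropboxusercontent.com/s/abc123/report.pdf?dl=1 200
"""

def find_suspicious_downloads(log_text: str) -> list:
    """Return (client, url) pairs whose URL matches the Dropbox zip pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        _ts, client, _method, url = fields[:4]
        if is_dropbox_zip_lure(url):
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in find_suspicious_downloads(SAMPLE_PROXY_LOG):
        print(f"{client} fetched {url}")
```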

We were able to recover one of the samples, and the VirusTotal link is here:

If you have seen other variants, let us know @PhishMe!
