Fake Dropbox Email Phishing Scam Alert - April 2017

These two fake Dropbox emails look legitimate, but both are phishing scams, and they work in different ways. One tries to steal your Dropbox password with an order request that looks like it's from an actual company. The other tries to steal your email password with a fake file sharing request. Help coworkers recognize phishing attacks, and get tips on blocking these in your spam filter.

With help from developer Greg C. and threat analyst Todd S.

Dropbox email spam is very common. Some of these scams try to lure you into downloading a virus attached to or linked from the email. Others exploit the popularity of the file sharing service to get you to provide your username and password with a fake login page. The two we're discussing here are of the phishing variety.

Fake Dropbox Message Center Email

The first phishing spam we're highlighting this week is a variation on email scams that have apparently been impersonating a trading company since at least May of last year. Here's what it looks like:

Fake Dropbox Message Center Email Links to a Phishing Login Page

How It Works

This email has some obvious signs of a phishing scam. First, it does not address you by name; instead, it uses your actual email address. Also, the email sounds urgent, trying to get you to react quickly without thinking and click the button. Finally, if you hover over the button, your browser will display the link destination (what we call the spammy URL) at the bottom of the window. That URL does not belong to the alleged sender.

There are also some peculiar features to this email that you don't always see in phishing scams. Many of them are addressed to "Dear Customer". This one uses your actual email address. While that's more personalized, it's not your name (which would appear in a "spear" phishing scam). This is clever, because it makes the email seem personal without having to harvest any more of your information. Also, when you hover over the button, the link that your browser reveals ends with a URL parameter:

.../index.php?email=John@example.com

Do not click the link. It takes you to a very realistic but fake Dropbox login page:

Phishing Login Page for Fake Dropbox Message Center Email

Note that your email address is already entered in the Address box. That's what the URL parameter does. It might also provide analytics info about you to the spammer.

If you have business with the trading company this email appears to come from, contact them safely (not using contact info from the email) before doing anything else. Regardless, do not go to this page or enter your password. Doing so would give the spammer your Dropbox login credentials.
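As an added example (not code from the original post), here is a small Python check that looks for the indicators described above in a raw message: a greeting that uses the recipient's address instead of a name, an urgent subject, a button link whose host is not the sender's domain, and an `email=` parameter that pre-fills the recipient's address. The sample message, sender and host names are constructed.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the "Message Center" phish described above:
# the From address impersonates a trading company, the button links to a
# different host, and the link carries the recipient's address as a parameter.
SAMPLE = """\
From: Message Center <noreply@trading-company.example>
To: john@example.com
Subject: URGENT: please confirm your order today
Content-Type: text/html

<p>Dear john@example.com, please review the order immediately.</p>
<a href="http://phish-host.example/index.php?email=john@example.com">View</a>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
URGENT_RE = re.compile(r"\b(urgent|immediately|today|now|suspend)\b", re.IGNORECASE)


def phishing_indicators(raw_message):
    """Return a sorted list of the indicators from this post that the message shows."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    body = msg.get_payload()  # single-part message, so this is the HTML text
    found = set()
    # Greeting uses the recipient's address instead of a name.
    if recipient and recipient in body.lower():
        found.add("address-as-greeting")
    # Subject pushes the reader to act without thinking.
    if URGENT_RE.search(msg.get("Subject", "")):
        found.add("urgent-subject")
    for href in HREF_RE.findall(body):
        url = urlparse(href)
        host = (url.hostname or "").lower()
        # Link destination is not the alleged sender's domain.
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            found.add("link-domain-mismatch")
        # Link pre-fills the fake login page with the recipient's address.
        prefilled = [v.lower() for v in parse_qs(url.query).get("email", [])]
        if recipient and recipient in prefilled:
            found.add("email-param-prefill")
    return sorted(found)
```

Run `phishing_indicators(SAMPLE)` to see all four tags; a plain message whose links stay on the sender's own domain returns an empty list.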

How We Blocked this Fake Dropbox Email

We automatically blocked this campaign as soon as it hit, using our proprietary content filter that determines if a server is owned by a spammer. We added the sender's IP address to our global blacklist. Any email coming from that server will be blocked.

Fake Dropbox File Sharing Email

The second phishing spam this week is a little different. It tries to steal your email login and password. The fake email that you get looks like it comes from someone trying to share a Dropbox file with you:

Fake Dropbox file sharing email tries to steal your email username and password

How It Works

Hovering over the button (do NOT click it) reveals the malicious URL at the bottom of your browser window. That link would take you to a "Dropbox Business" landing page with fake links to popular email providers (like Google, Yahoo, and Office 365). Here's what it looks like:

Fake Dropbox Business landing page with links to fake email login pages

If you were to click any of those links (don't), a window pops up with a fake email login. Here's an example:

Fake Gmail login page will steal your username and password

That's the phishing page. The spammer will steal your username and password, log in to your account, and sell the information on the black market, or worse.

Employee training tip: The email login request is a big hint that this is a phishing scam. No legitimate company would ask for the password to your email account. Train your coworkers to recognize that.

How We Blocked this Dropbox Spam

We're blocking this Dropbox spam in several ways. That helps us block not only emails that match it exactly, but also future variations.

  • URL Filter: We did not block this campaign using a blacklist, because it's coming from a legitimate server. That's a good example of why you need to be careful using automated Real-Time Blacklists (RBLs). The server probably sends a lot of legitimate email and you would not want to block everything coming from it. Instead, we blocked it based on the URL link in the email, which is owned or controlled by the spammer. Since that will never be a legitimate URL, it's safe to block it that way, with very little chance of a false positive.
  • Phrase Filter: We also added a complex phrase that matches this email to our content filter. We only use long phrases, not single "trigger" words, to prevent false positives. Your spam filter might let you do the same.
  • Dropbox Spam Filter: Finally, we have a proprietary content filter that we designed just to block Dropbox spam. So, we updated that filter with details from this campaign, to help us automatically block future variations.
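An added illustration of the layered approach above, not SpamStopsHere's own filter code: a sender-IP blacklist for the first campaign, a URL-host block for the second (so a legitimate shared server is not blocked wholesale), and a long-phrase rule that still catches a variant that swaps the link. All IP addresses, host names and messages are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed rule sets standing in for the filter's configuration.
BLOCKED_SENDER_IPS = {"203.0.113.45"}        # server owned by the spammer (campaign 1)
BLOCKED_URL_HOSTS = {"phish-host.example"}   # link host controlled by the spammer (campaign 2)
# Long phrases only, never single "trigger" words, to keep false positives low.
BLOCKED_PHRASES = ["shared a dropbox business file with you. click the button below"]

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def filter_verdict(sender_ip, html_body):
    """Return ('block', rule) for the first rule that matches, else ('allow', None)."""
    # Campaign 1: the sending server itself belongs to the spammer.
    if sender_ip in BLOCKED_SENDER_IPS:
        return ("block", "ip-blacklist")
    # Campaign 2: the sender is a legitimate shared server, so block on the link instead.
    for href in HREF_RE.findall(html_body):
        host = (urlparse(href).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in BLOCKED_URL_HOSTS):
            return ("block", "url-filter")
    # Catch variations that swap the link but keep the wording.
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html_body)).lower()
    if any(phrase in text for phrase in BLOCKED_PHRASES):
        return ("block", "phrase-filter")
    return ("allow", None)


# Constructed messages: all three arrive from the same legitimate shared server.
SHARED_SERVER_IP = "198.51.100.7"
PHISH = ('<p>Alice has shared a Dropbox Business file with you. Click the button below</p>'
         '<a href="http://phish-host.example/share">View file</a>')
VARIANT = PHISH.replace("phish-host.example", "new-host.example")
LEGIT = "<p>Minutes from today's meeting attached.</p>"

if __name__ == "__main__":
    for name, body in [("phish", PHISH), ("variant", VARIANT), ("legit", LEGIT)]:
        print(name, filter_verdict(SHARED_SERVER_IP, body))
```

Blocking the shared server's IP instead would have stopped the legitimate message too, which is the false-positive risk the URL and phrase rules avoid.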

About SpamStopsHere

SpamStopsHere blocks 99.5% of spam with zero-hour malware protection and almost no false positives (<0.001%) without any customer tuning or learning period. Our live analysts block the latest threats 24/7/365 for our global customers. The service also comes with our brilliant 24/7 live support for all issues via phone, chat or email. New customers can try SpamStopsHere free for 30 days.