With help from developer Greg C. and threat analyst Todd S.
Dropbox email spam is very common. Some of these scams try to lure you into downloading malware attached to or linked from the email. Others exploit the popularity of the file-sharing service to get you to enter your username and password on a fake login page. The two we're discussing here are of the phishing variety.
Fake Dropbox Message Center Email
The first phishing spam we're highlighting this week is a variation on email scams that have apparently been impersonating a trading company since at least May of last year. Here's what it looks like:
How It Works
This has some obvious signs of a phishing scam. First, it does not address you by name; instead it uses your email address. Second, the email sounds urgent, trying to get you to react quickly and click the button without thinking. Finally, if you hover over the button, your browser displays the link destination (what we call the spammy URL) at the bottom of the window, and that URL does not belong to the alleged sender.
There are also some peculiar features to this email that you don't always see in phishing scams. Many of them are addressed to "Dear Customer"; this one uses your actual email address. That's more personalized, but it's still not your name (which is what a "spear" phishing email would use). It's clever, because it makes the email seem personal without the spammer having to harvest anything beyond the address they already sent to. Also, when you hover over the button, the link your browser reveals ends with a URL parameter:
Do not click the link. It takes you to a very realistic but fake Dropbox login page:
Note that your email address is already filled in on the login page. That's what the URL parameter does: the fake page reads the address out of the link and pre-fills the field. It can also tell the spammer exactly which recipient clicked, and may feed other analytics about you.
If you have business with the trading company this email appears to come from, contact them safely (not using contact info from the email) before doing anything else. Regardless, do not go to this page or enter your password. Doing so would give the spammer your Dropbox login credentials.
How We Blocked this Fake Dropbox Email
We automatically blocked this campaign as soon as it hit, using our proprietary content filter that determines whether a sending server is owned by a spammer. We added the sender's IP address to our global blacklist, so any email coming from that server will be blocked.
Fake Dropbox File Sharing Email
The second phishing spam this week is a little different. It tries to steal your email login and password. The fake email that you get looks like it comes from someone trying to share a Dropbox file with you:
How It Works
Hovering over the button (do NOT click it) reveals the malicious URL at the bottom of your browser window. It would take you to a "Dropbox Business" landing page with fake links to popular email providers (Google, Yahoo, and Office 365). Here's what it looks like:
If you were to click any of those links (don't), a window pops up with a fake email login. Here's an example:
That's the phishing page. The spammer will steal your username and password, log in to your account, sell the information on the black market, or worse.
How We Blocked this Dropbox Spam
We're blocking this Dropbox spam in several ways. That helps us block not only emails that match it exactly, but also future variations.
- URL Filter: We did not block this campaign using an IP blacklist, because it's coming from a legitimate server. That's a good example of why you need to be careful with automated Real-Time Blacklists (RBLs): the server probably sends a lot of legitimate email, and you would not want to block everything coming from it. Instead, we blocked it based on the link URL in the email, whose domain is owned or controlled by the spammer. Since that will never be a legitimate URL, blocking on it is safe, with very little chance of a false positive.
- Phrase Filter: We also added a complex phrase that matches this email to our content filter. We only use long phrases, not single "trigger" words, to prevent false positives. Your spam filter might let you do the same.
- Dropbox Spam Filter: Finally, we have a proprietary content filter that we designed just to block Dropbox spam. So, we updated that filter with details from this campaign, to help us automatically block future variations.
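The following is an added example, not SpamStopsHere's filter code. It runs the hover-and-look checks from the first campaign (greeting by raw address, link domain that doesn't match the sender, recipient address carried as a URL parameter) and the three blocking methods listed above over three constructed sample messages: the fake message-center email, the fake file-share email from a shared mail server, and an unrelated legitimate email from that same server. All domains, IP addresses, phrases and list contents are hypothetical; the "last two labels" domain logic is a deliberate simplification of what a real filter would do with the Public Suffix List.

```python
# Added example (not SpamStopsHere code). Constructed samples and hypothetical
# filter data; stdlib only.
import re
from email import message_from_string
from email.policy import default
from urllib.parse import parse_qs, urlparse

IP_BLACKLIST = {"203.0.113.7"}                # server judged spammer-owned (campaign 1)
URL_BLOCKLIST = {"dropbox-secure.example",    # fake Dropbox login page (campaign 1)
                 "dropbox-business.example"}  # fake "Dropbox Business" page (campaign 2)
PHRASE_BLOCKLIST = [                          # long phrases only, never single trigger words
    "you have a new secure message from dropbox message center",
    "has shared a file with you via dropbox business",
]

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def registered_domain(host):
    """Crude 'last two labels' registrable domain (simplification)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def html_body(msg):
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part else ""


def sender_ip(msg):
    """IP in the topmost Received header, i.e. the hop our own MX recorded."""
    for header in msg.get_all("Received", []):
        m = RECEIVED_IP_RE.search(header)
        if m:
            return m.group(1)
    return ""


def links(msg):
    return HREF_RE.findall(html_body(msg))


def warning_signs(msg):
    """What a recipient can see by reading the greeting and hovering the button."""
    signs = []
    sender_domain = registered_domain(msg["From"].split("@")[-1].rstrip(">"))
    recipient = msg["To"].strip().lower()
    if recipient in html_body(msg).lower():
        signs.append("addressed by raw email address rather than by name")
    for url in links(msg):
        parsed = urlparse(url)
        link_domain = registered_domain(parsed.hostname or "")
        if link_domain != sender_domain:
            signs.append("link goes to %s, not to %s" % (link_domain, sender_domain))
        for values in parse_qs(parsed.query).values():
            if recipient in (v.lower() for v in values):
                signs.append("recipient address passed as URL parameter: " + parsed.query)
    return signs


def filter_verdicts(msg, ip_blacklist=IP_BLACKLIST):
    """Which of the three blocking methods fire for this message."""
    link_domains = {registered_domain(urlparse(u).hostname or "") for u in links(msg)}
    text = " ".join(re.sub(r"<[^>]+>", " ", html_body(msg)).lower().split())
    return {
        "ip_blacklist": sender_ip(msg) in ip_blacklist,
        "url_filter": bool(link_domains & URL_BLOCKLIST),
        "phrase_filter": any(phrase in text for phrase in PHRASE_BLOCKLIST),
    }


def classify(raw, ip_blacklist=IP_BLACKLIST):
    msg = message_from_string(raw, policy=default)
    verdicts = filter_verdicts(msg, ip_blacklist)
    return {"signs": warning_signs(msg), "filters": verdicts, "blocked": any(verdicts.values())}


# Constructed samples (not real campaign data).
FAKE_MESSAGE_CENTER = """\
Received: from mail.spamhost.example (spamhost.example [203.0.113.7])
From: "Trading Co" <notify@tradingco.example>
To: alice@example.com
Subject: You have a new secure message
Content-Type: text/html; charset="utf-8"

<html><body><p>alice@example.com, you have a new secure message from
Dropbox Message Center. Respond within 24 hours.</p>
<a href="http://dropbox-secure.example/login?email=alice@example.com">View Message</a>
</body></html>
"""
FAKE_FILE_SHARE = """\
Received: from smtp.sharedmail.example (smtp.sharedmail.example [198.51.100.9])
From: "Bob Jones" <bob@sharedmail.example>
To: alice@example.com
Subject: Bob Jones has shared a file with you
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob Jones has shared a file with you via Dropbox Business.</p>
<a href="http://dropbox-business.example/view/Q3_report.pdf">View File</a></body></html>
"""
LEGIT_SAME_SERVER = """\
Received: from smtp.sharedmail.example (smtp.sharedmail.example [198.51.100.9])
From: "Carol" <carol@sharedmail.example>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alice, are you free for lunch on Thursday?
<a href="https://sharedmail.example/calendar">My calendar</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in [("message center", FAKE_MESSAGE_CENTER), ("file share", FAKE_FILE_SHARE),
                      ("legit, same server", LEGIT_SAME_SERVER)]:
        print(name, classify(raw))
```

The first sample trips all three filters; the second trips only the URL and phrase filters because its server IP is not on the blacklist; the third trips none. Passing `ip_blacklist={"198.51.100.9"}` to `classify` for the third sample shows the RBL false positive the post warns about: blacklisting the shared server's IP blocks Carol's legitimate mail along with the phishing.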
SpamStopsHere blocks 99.5% of spam with zero-hour malware protection and almost no false positives (<0.001%) without any customer tuning or learning period. Our live analysts block the latest threats 24/7/365 for our global customers. It also comes with our 24/7 live support for all issues via phone, chat or email. New customers can try SpamStopsHere free for 30 days.