With threat investigator Greg C. and threat analyst Todd S.
What the Email Looks Like
The subject line is "Please verify your email address" followed by your actual email address (rather than your name). The message claims to be from Dropbox and refers to you again by your email address. It then asks you to verify your email address before your "signup" is complete, by clicking a large "Verify your email" button. Do NOT click it.
This might trick not only people who have Dropbox accounts, but also those who don't and might wonder if a scammer signed up in their name. If you're looking at the email in a browser, hovering over the button reveals a suspicious URL (not dropbox.com) that ends in "dropbox.html". Someone in a rush or not paying attention might click it.
How We Blocked this Dropbox/Locky Spam
Over 1.4 million of these Dropbox Locky emails hit our filter servers, with an amazing blocking rate of over 99.9999%. Our customers didn't have to do anything to stop it.
Several complex phrase filters are blocking it, as well as at least one content filter that's designed to block fake Cloud-based storage attacks. We already had filters in place from previous campaigns that blocked this new one, something SpamStopsHere does often. Nonetheless, we added some more filtering that should help block future variations when they hit.
Important Threat Indicators
Regardless of how good (or not) your spam filter is, your coworkers should always be on the alert for signs that an email is spam. This campaign includes some indicators:
- Unexpected “Verify your email” for an account you may or may not have
- Greeting uses part of your email address, rather than your name
- Hovering over the “click-me” button reveals a non-dropbox URL
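The three indicators above, plus the "dropbox.html" link target mentioned earlier, can be checked automatically at the mail gateway. The following Python script is an added example, not SpamStopsHere's filter code; the sample message is constructed, and its sender and link domains are hypothetical placeholders rather than indicators from this campaign.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample resembling the campaign described on this page; the sender
# and link domains are hypothetical placeholders, not indicators from the post.
SAMPLE_EML = """\
From: Dropbox <no-reply@dropbox-mail.example>
To: jane.doe@example.com
Subject: Please verify your email address jane.doe@example.com
Content-Type: text/html; charset=utf-8

<html><body><p>Hi jane.doe,</p>
<p>Please verify your email address before your signup is complete.</p>
<a href="http://compromised-site.example/wp-content/dropbox.html">Verify your email</a>
</body></html>
"""

def is_dropbox_host(host):
    """True only for dropbox.com or a subdomain of it; a plain substring test
    would accept look-alikes such as dropbox.com.evil.example."""
    host = (host or "").lower()
    return host == "dropbox.com" or host.endswith(".dropbox.com")

def phish_indicators(raw):
    """Return the names of the campaign indicators matched by a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    local_part = (msg["To"] or "").lower().split("@")[0]
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    hits = []
    # Subject "Please verify your email address <address>" instead of a name
    if re.search(r"verify your email address\s+\S+@\S+", msg["Subject"] or "", re.I):
        hits.append("subject_verify_with_address")
    # Greeting built from the local part of the recipient's address
    if local_part and re.search(r"\b(hi|hello|dear)\s+" + re.escape(local_part), html, re.I):
        hits.append("greeting_uses_email_localpart")
    # Claims to be Dropbox, but the button points off-domain and/or at dropbox.html
    if "dropbox" in (msg["From"] or "").lower():
        for href in re.findall(r'href=["\']([^"\']+)', html, re.I):
            u = urlparse(href)
            if not is_dropbox_host(u.hostname):
                hits.append("dropbox_branded_but_nondropbox_link")
            if u.path.lower().endswith("dropbox.html"):
                hits.append("link_to_dropbox_html")
    return hits

if __name__ == "__main__":
    print(phish_indicators(SAMPLE_EML))
```

A real gateway rule would score these hits rather than block on any single one, since a legitimate Dropbox verification mail also contains the word "verify".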
How the Ransomware Infects Your Computer
The “Verify Your Email” button goes to a malicious file called “dropbox.html” on what is likely a hacked website. The domain varies from email to email, so just blocking that one URL won’t do much. The dropbox.html landing page displays “Please wait while we prepare your files for download...”
Depending on your browser and security settings, you may or may not see a download warning like the following:
Locky Ransomware Infection and Encryption
This new Locky variant uses the ".lukitus" extension and changes the Windows background image. As with past Locky variants, the ransomware tells you to install a Tor Browser and navigate to a .onion URL to pay the ransom using your “personal identification” code:
To find out more about SpamStopsHere, check out our simple pricing and start a FREE 30-Day trial, visit our website, or contact us anytime via phone (800-458-3348 | 734-426-7500), chat or email. We're always here, 24/7/365.