Dropbox was the most impersonated company for phishing attacks
Threats / Dropbox was the most impersonated company for phishing attacks in H1 2018
12 October 2018
Dropbox, the popular file hosting service provider that allows users to store their files on the cloud and to synchronise such files across devices, was the most impersonated company for phishing attacks in the first half of 2018, research by security firm Webroot has revealed.
Dropbox replaces Google for the first time
As many as 17 percent of all phishing emails sent by fraudsters between January and June impersonated Dropbox, thereby ensuring that the company overtook Google to nab the unenviable top spot among global companies. Google was, for three straight years, the primary target of fraudsters until it was replaced by Dropbox.
The fact that 47.3 percent of cloud storage customers use Dropbox compared to 26.9 percent who use Google Drive and 15.3 percent who use OneDrive, the handsome market share may have certainly played a part in fraudsters using the firm’s brand name to phish targeted victims.
In its mid-year Threat Report, security firm Webroot revealed that phishing attacks increased by 60 percent in the first half of 2018, reinforcing the widespread belief that phishing continues to be the weapon of choice for hackers to infiltrate corporate networks.
“When a threat actor breaks into someone’s Gmail account, the potential reward may be limited to just one person’s data. However, with Dropbox, the reward could be much greater: consumer and business users store tax, financial, personal, and business information in Dropbox.
“With the increasing prevalence of corporate Dropbox accounts, the payoff grows exponentially. Gaining access to a corporate Dropbox account could also expose cryptokeys, unlocking a massive amount of mission-critical and highly sensitive data,” the firm added when explaining why fraudsters are switching from targeting Google to Dropbox.
The impersonation of Dropbox by malicious actors isn’t a new phenomenon but has been practiced for years. Back in 2015, threat intelligence analysts from security firm FireEye discovered a spear phishing campaign that targeted Hong Kong-based media organisations and involved the delivery of a malware payload called LOWBALL into targeted systems.
LOWBALL used Dropbox’s cloud storage services to mask its activity from network defenders, delivering malware that allowed an uncategorised APT group dubbed [email protected] to collect information from victims before delivering a second stage malware, BUBBLEWRAP, to victims after verifying that they were the intended targets.
Cryptomining is now the number one web-based threat
However, Webroot also revealed that phishing attacks form less than 1 percent of all web-based threats, with malware (52 percent), cryptojacking (35 percent), and botnets (12 percent) forming a massive majority of sich threats. In fact, cryptomining replaced ransomware as the number one web-based threat in the first half of 2018 as cryptomining is considered more profitable and less risky for hackers.
“Very profitable yet with a minimal criminal footprint, cryptomining works on any device—not just computers and phones, but even IoT devices like routers and TVs. Some website owners voluntarily participate in cryptomining, seeing it as an easy way to generate revenue to pay their server costs without bombarding site visitors with annoying banner and sidebar ads.
“However, others carry out cryptomining without letting the visitor know. In either case, it may be largely invisible to the end user, who likely won’t notice a small spike in their electric bill. But for an organization, power bills can skyrocket, especially when criminals employ scaling, i.e., keeping the drain on the CPU minimal when a keyboard or mouse is being used but scaling up to 100% at other times,” Webroot added.