{"id":92024,"date":"2023-05-20T08:59:45","date_gmt":"2023-05-20T08:59:45","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4095502"},"modified":"2023-05-20T08:59:45","modified_gmt":"2023-05-20T08:59:45","slug":"how-business-email-compromise-attacks-emulate-legitimate-web-services-to-lure-clicks","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=92024","title":{"rendered":"How business email compromise attacks emulate legitimate web services to lure clicks"},"content":{"rendered":"<div id>\n<p> New BEC cyberattacks use phishing with a legitimate Dropbox link as a lure for malware and credentials theft. <\/p>\n<\/div>\n<div id>\n<figure id=\"attachment_4052820\" aria-describedby=\"caption-attachment-4052820\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4052820\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/05\/how-business-email-compromise-attacks-emulate-legitimate-web-services-to-lure-clicks.jpg\" alt=\"This illustration shows a lock, unlocked over a person at a keyboard.\" width=\"1000\" height=\"700\"><figcaption id=\"caption-attachment-4052820\" class=\"wp-caption-text\">Image: Adobe Stock.<\/figcaption><\/figure>\n<p>Threat actors have added a new wrinkle to traditional <a href=\"https:\/\/www.techrepublic.com\/article\/cybersecurity-bec-attack-mimics-vendors\/\">business email compromise<\/a> cyberattacks. 
Call it BEC 3.0 \u2014 phishing attacks that bury the hook in legitimate web services like Dropbox.<\/p>\n<p>Avanan, a unit of Check Point Software, has tracked a recent example of this attack family, in which hackers created free Dropbox accounts to grab credentials or hide malware in legitimate-looking, contextually relevant documents such as potential employees\u2019 resumes.<\/p>\n<p>The attack, the security firm discovered, started with the actors sharing a PDF of someone\u2019s resume via <a href=\"https:\/\/www.techrepublic.com\/resource-library\/company\/dropbox\/\">Dropbox<\/a>. The target can\u2019t view the document unless they Add To Dropbox. The link from Dropbox looked legitimate, making the exploit more difficult to spot.<\/p>\n<p>The phishing exploit involves these steps:<\/p>\n<ul>\n<li>First, a user clicks the link in a legitimate notification from Dropbox to a resume and accesses a page hosted on the file-sharing service.<\/li>\n<li>The user must then enter their email account and password to view the document. This means that the threat actors have access to email addresses and passwords.<\/li>\n<\/ul>\n<p>On this page hosted on Dropbox, users are asked to enter their email account and password to view the document, giving threat actors user credentials.<\/p>\n<p>Once a user enters their credentials, they are directed to a fake Microsoft OneDrive link. By clicking on the link, users are given a malicious download.<\/p>\n<p>\u201cWe\u2019ve seen hackers do a lot of BEC attacks,\u201d Jeremy Fuchs, a cybersecurity researcher\/analyst at Avanan, said in a <a href=\"https:\/\/www.avanan.com\/blog\/leveraging-dropbox-to-soar-into-inbox\">report<\/a> on the attack. 
\u201cThese attacks have several variations, but generally they try to spoof an executive or partner to get an end user to do something they don\u2019t want to do (like pay an invoice to the wrong place),\u201d he said.<\/p>\n<p><strong>SEE: Another hide-the-malware attack focuses on <a href=\"https:\/\/www.techrepublic.com\/article\/infoblox-discovers-decoydog-exploit\/\">DNS<\/a><\/strong> (TechRepublic)<\/p>\n<p>\u201cLeveraging legitimate websites to host malicious content is a surefire way to get into the inbox,\u201d he said. \u201cMost security services will look at the sender \u2014 in this case, Dropbox \u2014 and see that it\u2019s legitimate and accept the message. That\u2019s because it is legitimate,\u201d he added.<\/p>\n<p><a href=\"https:\/\/www.techrepublic.com\/article\/phishing-attacks-spoofing-credit-unions-steal-money-account-credentials\/\">Avanan<\/a> said preventing these stealth attacks requires a number of defensive steps, including scanning for malicious files in Dropbox and links in documents, as well as replacing links in the email body and inside attachments. The key to education against these social engineering attacks is context, according to Fuchs: \u201cAre resumes typically sent via Dropbox? If not, it may be a reason to contact the original sender and double-check. If they are, take it one step further. When you log into Dropbox, do I have to log in again with my email?\u201d<\/p>\n<p>Avanan said the researchers reached out to Dropbox on May 15 to inform them of this attack and research.<\/p>\n<h2>Linktree also used to grab credentials<\/h2>\n<p>Earlier this month, Avanan discovered a similar hack using the social media reference landing page Linktree, which is hosted on sites like Instagram and TikTok. 
Similar to the Dropbox attacks, hackers created legitimate Linktree pages to host malicious URLs to harvest credentials.<\/p>\n<p>The attackers sent targets spoofed Microsoft OneDrive or SharePoint notifications that a file has been shared with them, instructing them to open the file, according to Avanan. Ultimately, the user is redirected to a fake Office 365 login page, where they are asked to enter their credentials, which are then stolen.<\/p>\n<p>\u201c[Users] should think: Why would this person send me a document via Linktree? Most likely, that wouldn\u2019t be the case. That\u2019s all a part of security awareness \u2014 understanding if an email or process seems logical,\u201d said Fuchs.<\/p>\n<p>In these cases, the firm suggests that recipients:<\/p>\n<ul>\n<li>Always check the sender\u2019s address before replying to an email.<\/li>\n<li>Stop and think if the medium being used to deliver a file is typical.<\/li>\n<li>When logging into a page, double-check the URL to see if it\u2019s Microsoft or another legitimate site.<\/li>\n<\/ul>\n<h2>BEC attacks using legitimate sites may escalate this year<\/h2>\n<p>Fuchs said there are no obvious visual cues to tip off attack recipients to BEC exploits. \u201cAlthough if you were to sign into the Dropbox page, you\u2019d see that there\u2019s a OneDrive logo and link,\u201d he said. \u201cEagle-eyed users should notice that discrepancy and think\u2014why would there be two competing services on one page?\u201d he added.<\/p>\n<p>He predicted that these attacks will escalate. \u201cAny popular service that\u2019s legit can potentially be used as a vehicle to deliver this type of malicious activity. That\u2019s why we expect it to take off in the near future,\u201d he said, adding that the exploit has been used tens of thousands of times. 
\u201cWe believe this will really take off in volume in the second half of the year,\u201d he said.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>New BEC cyberattacks use phishing with a legitimate Dropbox link as a lure for malware and credentials theft. Image: Adobe Stock. Threat actors have added a new wrinkle to traditional business email compromise cyberattacks. Call it BEC 3.0 \u2014 phishing attacks that bury the hook in legitimate web services like Dropbox. Avanan, a unit of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":92025,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,783,56,765,696,152,631,113,287],"tags":[],"class_list":["post-92024","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-cloudsync","category-cybersecurity","category-dropbox","category-malware","category-microsoft","category-microsoft-365","category-phishing","category-security"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92024"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92024\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/92025"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92024"}]
,"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}