Spambox: Dropbox and Spam

Ugh

If you decide not to read any further than this paragraph, at least take this away: do not click on links in emails to “shared Dropbox files” if (1) you are not expecting to receive a shared file, and (2) the link doesn’t resolve to Dropbox.

The Suspicion Is Killing Me

I recently received an email indicating someone I know shared a file with me on Dropbox, a popular cloud-based file storage solution.  I am a prolific Dropbox user and sharer of files—anyone who has travelled with us has probably received an email from Dropbox with a link to thousands of blurry, overexposed, pixelated photos of people engaged in all sorts of mischief and merriment.  

To balance my otherwise good-natured, bubbly, brilliant personality, I sustain a naturally untrusting, cynical, and suspicious attitude toward pretty much everything except dogs.  When I received the bogus Dropbox email, my spidey-sense told me something was off and my brain flashed “THIS IS BAD” in monstrous neon letters like a gaudy, sight-polluting, Tokyo billboard.

The email from a friend with the important bits obfuscated. Notice the Dropbox logo—looks official, doesn’t it?

A couple of things were glaringly odd.  Although the email appeared legitimate, it came from a person from whom I don’t normally receive shared files and who has no reason to share files.  In addition, the email did not come from Dropbox.  Instead, it came directly from the email account of a friend.  Finally, the link to the shared files did not resolve to Dropbox.  Note: I didn’t click on the link, but in fairness, I’m not certain that if I had it would have resulted in the sharing of any more information than has already been disclosed by the various Experian, OPM, Uber, and [insert name here] breaches.

Other than having a friend actually using an AOL account—who still uses AOL?—here is a summary of the things that were unusual:

  1. The email didn’t come from Dropbox, but it was crafted to look like it came from Dropbox.
  2. I didn’t expect to receive shared files from this friend.
  3. The link to the shared files did not resolve to Dropbox.

All of which left me as suspicious as Poirot on a train.

A Far Cry From Legit

The email didn’t come from Dropbox, but it was disguised to look like a legitimate Dropbox email.  One can send an email to a shared file recipient via Dropbox, or a Dropbox user can create a link to the shared files and send it via a personal email account to one or more recipients.  In the latter case, an email from a contact simply contains a link as a URL—unless someone gets fancy and creates a hyperlink of some text.  It is debatable which method is more secure; in fact, I would argue that either method can be exploited by a tech-savvy attacker.  In either case, the sender is an indicator, an easy one to check, and can be considered along with other clues.

Notice the email address @aol.com—even though the email reads like it is from Dropbox.

Were You Expected?

As noted, I do share files—mostly the aforementioned blurry photos—via Dropbox; however, I do not share files without informing the recipient that I will be doing so.  This is perhaps the single easiest way to confirm the shared files and/or links to said shared files are legitimate—barring some unknown malware hiding within the files themselves, which while possible is highly unlikely given my penchant for virtual and physical security, which many might fairly describe as somewhat OCD in nature.  In this case the sender had no reason to share files and did not inform me either pre or post sharing that they would indeed be sharing files—which makes sense, since we know they didn’t share any files.

The Best Example of bURLesque on the Internet

The link to the shared files didn’t resolve to Dropbox.  Unless you are fairly confident in your ability to check where a link resolves, I don’t suggest attempting this on your own.  Hovering over a link in some browsers and email applications shows the actual Uniform Resource Locator (URL)—the technical term used by nerds for a hyperlink, which is another geeky term for a link.  In other cases, one might need to copy the link and paste it into a text editor to see the URL, or examine the raw HTML—another nerdy term—of the email.  Most of these options beg for mishaps such as accidentally clicking on the link, or involve knowledge beyond what most users maintain—which in many cases is limited to “click the link.”

The link to the supposed shared files didn’t resolve to Dropbox; it resolved to a .pl domain. In today’s world of shortened URLs, identifying this clue can be complicated—sites like checkshorturl.com and Unshorten.It can help deobfuscate the actual URL.
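The three indicators summarized earlier (not from Dropbox, not expected, link doesn’t resolve to Dropbox) and the link-checking advice in this section can be turned into a small script that pulls the same clues out of a raw email without anyone having to hover over or click anything. This is an added example written for this post, not code from Dropbox or from the original article. It assumes `dropbox.com` is the only domain a genuine notification or share link would use (extend `TRUSTED_DOMAINS` with domains you have verified yourself), the shortener list is illustrative, and both sample messages, including the `shared-files.example` host standing in for the .pl domain, are constructed. “Was I expecting this?” is the one indicator no script can check for you.

```python
"""Flag a "shared Dropbox file" email whose sender or link targets are not Dropbox.

Added example for this post; not Dropbox's code. The trusted-domain and shortener
sets are assumptions, and the sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a real Dropbox share notification or share link would use.
TRUSTED_DOMAINS = {"dropbox.com"}
# Illustrative shorteners: a shortened link hides its real target, so unshorten it
# (the post mentions checkshorturl.com and Unshorten.It) before trusting it.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def in_domains(host, domains):
    """True if host is one of domains or a subdomain of one. The match is on whole
    labels, so 'dropbox.com.evil.example' and 'notdropbox.com' do not qualify."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(raw_email):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    looks_like_dropbox = "dropbox" in (msg.get("Subject", "") + body).lower()

    findings = []
    # Indicator 1: reads like Dropbox but was not sent by Dropbox.
    if looks_like_dropbox and not in_domains(sender_domain, TRUSTED_DOMAINS):
        findings.append(f"sender domain '{sender_domain}' is not a Dropbox domain")

    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = host_of(href)
        # Indicator 3: the link does not resolve to Dropbox.
        if in_domains(host, SHORTENER_DOMAINS):
            findings.append(f"link '{text}' is shortened via {host}; unshorten it before trusting it")
        elif not in_domains(host, TRUSTED_DOMAINS):
            findings.append(f"link '{text}' points to '{host}', not Dropbox")
        # Link text that displays one URL while the href goes somewhere else.
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != host:
            findings.append(f"link text shows '{shown}' but target is '{host}'")
    return findings


# Constructed sample modelled on the email in the post (addresses and URLs are made up).
SUSPICIOUS_EMAIL = """\
From: "A Friend" <friend@aol.com>
To: me@example.com
Subject: A Friend shared "Photos" with you on Dropbox
Content-Type: text/html; charset=utf-8

<html><body><p>A Friend used Dropbox to share "Photos" with you.</p>
<p><a href="http://shared-files.example/view?id=1">View files</a></p>
<p><a href="https://tinyurl.com/constructed">https://www.dropbox.com/s/Photos</a></p>
</body></html>
"""

# Constructed sample of what a genuine notification would look like under the assumption above.
EXPECTED_EMAIL = """\
From: "Dropbox" <no-reply@dropbox.com>
To: me@example.com
Subject: A Friend shared "Photos" with you
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.dropbox.com/s/abc123/Photos">View files</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("expected", EXPECTED_EMAIL)):
        print(name, "->", analyze(raw) or ["no indicators"])
```

Run it on a message saved from your mail client (“show original” or “view source” in most clients) rather than on anything you clicked. The constructed suspicious message produces four findings: an AOL sender, a link to a non-Dropbox host, a shortened link, and link text that displays a Dropbox URL while the actual target is the shortener; the constructed genuine message produces none.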

Dropbox or Dropout?

There are probably some who will decide not to share or view shared files via Dropbox or any other cloud-based medium—yes, this type of scam can actually occur with almost any cloud provider.  Not using the cloud to share files, or never clicking on any links, is certainly an option—akin to taking cold showers for fear of getting burned by overly hot water, but an option nonetheless.  But if you decide to stay on the interwebs instead of becoming a virtual hermit, a healthy awareness of basic online security is all most people need to stay safe.

Considering all the major breaches over the last 10 years, it is as likely as not that some of our information is already compromised.  This is not to imply that we should treat the Internet like a virtual wild west, surfing willy-nilly through the Tombstones of the web and following links like a posse on the trail of Billy the Kid.  The National Cyber Security Alliance (AKA Stay Safe Online) offers these tips based on the Stop.Think.Connect.™ Campaign:

  • When in doubt, throw it out.  Links in emails, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or – if appropriate – mark it as junk.
  • Think before you act.  Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
  • Make your password a sentence.  A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique password.  Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
  • Lock down your login.  Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media. (Source: https://staysafeonline.org/stay-safe-online/online-safety-basics/spam-and-phishing/)

The marked-up email with sketchy information highlighted.

AbUSERes

In conclusion, cybersecurity professionals, coding nerds, and tech geeks have a term for the most vulnerable, easily tricked, and ignorant component in the online technology schema: users.  Most people have a tendency to trust others, especially those we consider friends—which, as noted in a previous post, has its own meaning in today’s interconnected, familiar, virtual landscape.  But unlike the physical world, it is much easier for nefarious online actors to look like people we know.  Although we have little control over major information security breaches, there are some basic things we can do to protect ourselves.  Following a few simple rules can keep us from becoming the weakest link in the cybersecurity chain.


Unless otherwise noted, I drew or took the photographs in the article—as lame as they may look.  Any resemblance to persons living or dead is just plain scary.  Copyright can be found here for my original work.  All other logos and graphics are the property of their omniscient creators.