
We got a phishing email and our account was affected. How did this happen and what can we do?

New member | Level 2

TLDR:

  • Boss clicked on pdf link in dropbox email from recognised address
  • 1 week later spams a similar link from his dropbox account
  • Recipient emails have been harvested from our Outlook Exchange system

So hundreds of people FROM OUR OUTLOOK EXCHANGE directory just got spammed FROM the CEO's DropBox account. 

Yes we checked the email headers, it wasn't a spam email dressed up to look like a DropBox email it was legit from within his (free) account. 

We have been able to login via the app and remove the file (I.T. forgot to look up who it was sent to first so we couldn't send an apology / ask everyone to stop calling us) but no doubt it has spread. 

SO the CEO clicked on a similar dropbox originated file link from someone last week, so no mystery as to how it came about. What I am baffled by is how it is possible that it was able to find a list of ALL our outbound email addresses, from all the accounts in the building, and send off email FROM WITHIN THE CEO's DROPBOX account? 

These aren't even contact list email addresses, some of these have only ever appeared in BCC fields! 

I.T. has scanned the CEO's computer and found NO Malware, so we don't even know what we need to tell the poor people who have clicked on the link before we managed to delete the file. We don't know what to look for...

DropBox have estimated a timely 72 hour response time :( , so anyone with any intel on what this is, how it jumped in to and then out of exchange with a bunch of email addresses and where it might be hiding on the system would be our personal hero right now. 

If DropBox picks up on this: 
We can't get into the CEO's account via browser, retrieve password not working. We were only able to delete the PDF because he was still logged into the app. Can you get us in? 

We would love to be able to email everyone who the PDF was shared with but I.T. deleted it and removed it from the trash. 

If you can let us know how this happened on a technical level that would be great..

3 Replies

Re: Malware attack! A) Be warned!!! B) How does this happen?

Dropboxer
Hey @Ben23, I understand that this isn’t an easy issue to tackle; I’ll try to do my best to trace back what’s happened previously & untangle the knots! In order to further advise as efficiently as possible, would you mind clarifying a few details for me, just so as to make sure I have a clear understanding of the issue at hand? 
 
More information
#1. Did the email come from an official Dropbox domain?
#2. Could you possibly clarify how your CEO’s Dropbox account got involved in the spam attack?
Was the initial .pdf shared perhaps? 
#3. If your IT department hasn’t located a virus that could have affected your system, then it looks like you’re no longer influenced. Is that in any way connected to your CEO’s inability to log in to his/ her account? What isn’t working when they’re trying to reset their password Ben?
Following, kindly note that we work as diligently as possible, however our expected response time may differ according to the plan attached to your account. Even so, since I understand your need to pursue a resolution as quickly as possible, I’d happily follow-up on your open ticket internally. As I haven’t located an open support request for the email address connected to your Community profile however & you’ve mentioned that you’ve contacted us already, could you include a ticket# in your next reply here?
 
(Note: Your ticket number should be a 7-digit number, which allows us to look for your ticket on our system. You should be able to see it in the email heading that you receive as soon as you submit your request.)
 
Once I have these details, I’ll focus my attention on the matter at hand a bit closer. Thanks in advance for the time you’re devoting to gather this info for me & I’ll be awaiting your next message on this discussion Ben! 

 


Jane
Community Moderator @ Dropbox
https://dropbox.com/support


 



Re: Malware attack! A) Be warned!!! B) How does this happen?

New member | Level 2

Hey Jane, 

Thanks for your follow up and many apologies for the delayed reply; in regards to your question it appears to be a hack of the Exchange Server and a guess that the password for his DropBox and O365 was the same. 

I will stress that it is still relevant due to the repeated MO involving DropBox. 

This from our IT Helpdesk to further explain:

We've been working through the logs this afternoon and can now confirm what occurred.

We can confirm that CEO's Office 365 account was compromised at 8:59am this morning with an unknown user from South Africa logging in. Once they had access to the O365 account, they also had access to all his contact lists.

At 10:57am they have set a rule on the mailbox to move all mail from the Inbox to the "RSS Subscriptions" folder.
Once this rule was in place, they were able to access his Dropbox account, and in doing so shared out a file from another account as CEO to his entire contact list.
This was the email that was then received by everyone and I can confirm originated from Dropbox's servers based off the mail headers.

Prior to me talking to CEO when this all occurred, he had already reset his password which also updated O365, effectively locking them out.

Regarding the Dropbox account - we are still waiting to hear back from their support in order to get the Password Reset email through so we can secure that part. As it is a free account we are unable to contact them via phone - that is only an option for Business plan accounts.



In regards to your questions Jane:
1. Yes, we now know how

2. As above but note that the PDF did not exist prior to the hack, the perpetrators set it up - we still don't know what it does. IT didn't think it allowed key logging even though the CEO clicked on an identical PDF link in a DropBox email from someone else. Still a mystery if there was a direct link between the 2. 

3. As above explains the absence of Malware or Viruses. IT was able to access his account via the desktop app that was still signed in. One thing that IT could have done better that I will share is this: as soon as they logged in to the account they deleted the PDF file before checking who it was shared with, getting this list would have allowed us to send out an email warning those who were sent the spam that they need to change their passwords (and we are sorry, please stop calling us) 

I received a similar email a couple of days later from the DropBox of the company that sent our CEO the original dodgy PDF link. I have never had any contact with them before so they are obviously compounding their spam lists. 

The naming format for the PDF was consistent: Name of Company Payment and Draft Proposal.pdf and indicated that the sender had "shared this file with you" in the standard DropBox share delivery. 

 

 

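The sequence the IT Helpdesk describes in the post above (a sign-in from an unfamiliar country, then a mailbox rule moving all Inbox mail to "RSS Subscriptions") can be searched for in audit data; the following is an added example, not part of the original thread. The flattened record shape, addresses, dates and home-country set are constructed assumptions; the operation and rule-parameter names follow Exchange Online's `New-InboxRule` cmdlet.

```python
import json
from datetime import datetime, timedelta

# Folders users rarely open; "RSS Subscriptions" is the one named in this thread.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Rule parameters that narrow a rule to particular messages (its conditions).
CONDITION_PARAMS = {"From", "SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords"}

# Constructed sample records (one JSON object per line), not real log data.
SAMPLE_LOG = """\
{"time": "2024-03-04T08:59:00", "user": "ceo@example.test", "op": "UserLoggedIn", "country": "ZA"}
{"time": "2024-03-04T09:30:00", "user": "pa@example.test", "op": "New-InboxRule", "params": {"Name": "Invoices", "From": "billing@example.test", "MoveToFolder": "Finance"}}
{"time": "2024-03-04T10:57:00", "user": "ceo@example.test", "op": "New-InboxRule", "params": {"Name": ".", "MoveToFolder": "RSS Subscriptions"}}
"""

def hides_all_mail(params):
    """True if a rule moves or deletes mail and has no narrowing condition."""
    folder = params.get("MoveToFolder", "").lower()
    hides = folder in HIDING_FOLDERS or params.get("DeleteMessage") is True
    return hides and not (params.keys() & CONDITION_PARAMS)

def find_suspect_rules(log_text, home_countries, window=timedelta(hours=24)):
    """Return (user, rule_time, login_country) for hiding rules created within
    `window` after a sign-in from a country outside `home_countries`."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["time"])
    foreign_logins = {}  # user -> (time, country) of the latest unusual sign-in
    findings = []
    for e in events:
        when = datetime.fromisoformat(e["time"])
        if e["op"] == "UserLoggedIn" and e.get("country") not in home_countries:
            foreign_logins[e["user"]] = (when, e["country"])
        elif e["op"] in ("New-InboxRule", "Set-InboxRule") and hides_all_mail(e.get("params", {})):
            seen = foreign_logins.get(e["user"])
            if seen and when - seen[0] <= window:
                findings.append((e["user"], e["time"], seen[1]))
    return findings

if __name__ == "__main__":
    # "GB" is a hypothetical home country; the thread does not state one.
    for hit in find_suspect_rules(SAMPLE_LOG, home_countries={"GB"}):
        print(hit)
```

A hit means the mailbox owner should have the rule removed and active sessions revoked, and any other service that shared the same password (here, Dropbox) reset as well.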

Re: Malware attack! A) Be warned!!! B) How does this happen?

Dropboxer
Thanks for keeping in touch with me here with this in-depth explanation @Ben23
 
While I’ve now run a quick check on our system & I could see that your report has been reviewed by our team experts, your last message makes me think that your IT department has got the situation under control, so hopefully this hasn’t affected your CEO’s machine further.  
 
Even so, it would be worth noting that our specialized team members are gathering & submitting reports like yours, so all your cooperation throughout doesn’t go unnoticed Ben. Simply put, everyone else visiting this thread will be aware of all the troubleshooting you've tried on your end (which is great, as you'll save them some time digging around).
 
At this point, let me re-iterate that this is a direct point of contact with me, so please feel free to get back in touch in case you need any additional assistance in any way & I’ll make sure to check back with you asap. Have a wonderful weekend ahead! 

 


Jane
Community Moderator @ Dropbox
https://dropbox.com/support


 

