For the last few months, a number of phishing campaigns have been utilizing the free file-sharing platform, Dropbox, to distribute malware to hundreds of thousands of PCs. Disguising itself as a fax notification or voice message, the email contains a link to a publicly-accessible Dropbox location containing an infected executable file. The actual payload of these campaigns vary, but two prominent examples are that of Dyre and CryptoWall.
It remains to be seen whether more malware will be distributed in this manner, but the possibility is likely — you should act to protect yourself and your institution from any threat, and it would be wise not to overlook the possibility of Dropbox to act as a vector for infection like any other.
In many instances, the campaign deploys a variant of CryptoLocker, which proceeds to encrypt large numbers of files on the infected computer — these files are then mathematically protected from their owner, unless a bribe in the area of $500-$1000 is paid to regain access to them. Once encrypted, these files can only be regained through an unaffected backup, paying the ransom, or possibly through advanced computer forensics.
On the other hand, we have the Dyre trojan: it injects code into a target’s web browser, enabling them to sniff out online banking credentials from a range of institutions, ferrying them off as potential targets for identity theft. Dyre can operate in common browsers including Chrome, Firefox, and Internet Explorer. Note that even if your institution is not explicitly targeted by Dyre today, that may not be true forever. Theoretically, Dyre could be retooled to target much more information than it presently does.
The commonality between these two threats is in their hosting mechanism: Dropbox. Disguised in a cleverly-worded email campaign, the intended target must click on a link which points to the malware, and this link itself is somewhat predictable.
The reason it works is that many enterprises allow Dropbox through their networks. If they’re looking for bad domains, they’re not looking for dropbox.com because everyone and their uncle uses it — Ronnie Tokazowski
Blocking Dropbox Emails
If you know that no employee should be accessing files shared publicly from Dropbox, or have the capability to whitelist such activities where they occur, you can use your email filtering system to block messages which contain links to the following locations:
Blacklisting Dropbox Domains
Similar to the email strategy, you can use your existing proxy or web filtering platform to limit access to those locations listed above.
Train your Users
Ultimately, this infection vector relies on the assumption that somewhere, someone will click on the link and run the infected program. You can help to prevent this by training your users on how to spot and ignore fraudulent emails, why they should not download strange attachments, and what to do when some application requests permission to run or to elevate (UAC). Washington State University has a short list of guidelines to help prevent infection from email.
While both of these threats are currently propagating mainly through Dropbox, be aware that there exist many competitors and alternatives, any of which may potentially be used by a malicious party for the delivery of a Trojan or other piece of malware. Cubby, one such alternative, has already been detected as a source of Dyre, and the list may grow in the future.
You should examine the potential risk of someone downloading content from these sites in much the same way that you examine any risk, and use the tools at your disposal to limit that risk wherever possible, whether by blacklisting the domains, enforcing firewall-level antivirus scans, blocking executable downloads, or any other appropriate means.