Dropbox can be a recipe for security governance problems

A new phishing campaign on Dropbox has been discovered.

Dropbox announces business solution and single sign-on option

Ever since Dropbox - the first widely available cloud storage operation - appeared in September 2008, the service has been something of a mixed blessing for companies.

On the one hand, the terms and conditions of the freemium file hosting service mean the files are ostensibly owned by Dropbox, and on the other hand, most of the service's subscribers are free users, making use of the many gigabytes of storage on the service.

In July 2012, Dropbox revealed that an employee's account had been hacked, resulting in a number of Dropbox users being spammed by email. And in March 2013, users also reported additional waves of spam resulting from the July 2012 email leakage.

One problem with Dropbox is that it is frequently the subject of phishing and related scams.

Ronnie Tokazowski, a senior researcher with PhishMe, the anti-phishing training specialist, says that after dissecting a recent Dropbox phishing scam it is now possible to tell a 'phish' from a legitimate email.

He says that the five attachments seen in the recent Dropbox phishing scam were disguised as coming from several reputable UK organisations, claiming to be from Companies House in the UK, the Royal Bank of Scotland and HSBC.

If users click on the link, he notes in his analysis, they are directed to Dropbox, where they can download a small zip file containing an executable masked as a .scr file, that is, a Windows screen saver file.

"The 'cool' thing is that Windows treats .exe and .scr files the same way, so you simply have to rename an .exe to .scr," he says, adding that, if you are performing incident response, you can identify fake Dropbox emails by searching for partial subjects.

You can also, he adds, check proxy logs for Dropbox patterns similar to 'dl.dropboxusercontent[d]com/s/*/*.zip?dl=1&token_hash=*&expiry=*', and watch for unknown screen savers executing on endpoints.
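The two checks Tokazowski describes above, a proxy-log search for the Dropbox download pattern and a look inside the downloaded zip for a renamed executable, as an added example that is not from PhishMe or the article. It assumes a squid-style native proxy log (client IP in the third field) and turns the article's wildcard pattern into a regular expression; the log lines and the zip archive are constructed here for illustration.

```python
import io
import re
import zipfile

# Regex built from the article's wildcard pattern, with the defanged "[d]" restored to a dot.
# The exact regex is an assumption; the article only gives the shape of the URL.
DROPBOX_ZIP_RE = re.compile(
    r"dl\.dropboxusercontent\.com/s/[^/\s]+/[^\s?]+\.zip\?dl=1&token_hash=[^&\s]+&expiry=\d+",
    re.IGNORECASE,
)

# Extensions Windows runs as programs. A .scr file is a screen saver but is an ordinary PE file,
# which is why renaming an .exe to .scr is enough for it to execute.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".cpl")

# Constructed sample proxy log in squid native format:
# timestamp elapsed client action/code size method URL ident hierarchy type
SAMPLE_PROXY_LOG = [
    "1394000001.123 512 10.0.0.12 TCP_MISS/200 48213 GET "
    "https://dl.dropboxusercontent.com/s/abc123/Invoice_RBS.zip?dl=1&token_hash=deadbeef&expiry=1394010000"
    " - HIER_DIRECT/1.2.3.4 application/zip",
    "1394000002.456 120 10.0.0.13 TCP_MISS/200 2048 GET "
    "https://www.example.com/index.html - HIER_DIRECT/5.6.7.8 text/html",
    "1394000003.789 300 10.0.0.14 TCP_MISS/200 1024 GET "
    "https://dl.dropboxusercontent.com/s/xyz789/report.pdf?dl=1 - HIER_DIRECT/1.2.3.4 application/pdf",
]


def find_dropbox_zip_downloads(log_lines):
    """Return (client_ip, matched_url) for every proxy log line hitting the Dropbox zip pattern."""
    hits = []
    for line in log_lines:
        match = DROPBOX_ZIP_RE.search(line)
        if match:
            client_ip = line.split()[2]  # third field in squid native format (assumption)
            hits.append((client_ip, match.group(0)))
    return hits


def suspicious_zip_entries(zip_bytes):
    """Return names of archive entries that are executables, by extension or by PE magic.

    Checking the first two bytes for "MZ" catches an executable that was renamed to a
    harmless-looking extension; checking the extension catches .scr and friends even if the
    archive is only listed and not extracted.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as entry:
                magic = entry.read(2)
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS) or magic == b"MZ":
                flagged.append(info.filename)
    return flagged


def build_sample_zip():
    """Construct a zip resembling the lure: a PE stub renamed to .scr, a decoy, and a PE
    hidden behind a .pdf extension. The contents are fake headers, not real programs."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Companies_House_Notice.scr", b"MZ" + b"\x00" * 62)  # fake DOS header
        archive.writestr("readme.txt", b"not an executable")
        archive.writestr("statement.pdf", b"MZ\x90\x00")  # renamed executable, wrong extension
    return buffer.getvalue()


if __name__ == "__main__":
    for client_ip, url in find_dropbox_zip_downloads(SAMPLE_PROXY_LOG):
        print(f"proxy hit: {client_ip} fetched {url}")
    for name in suspicious_zip_entries(build_sample_zip()):
        print(f"suspicious archive entry: {name}")
```

The proxy check only identifies who downloaded a lure; pairing it with the archive check (or with an endpoint alert on an unfamiliar .scr starting) is what turns a download record into something worth acting on.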

Steve Smith, UK managing director with Pentura, the security consultancy, said that, since Dropbox is the leading file storage and sharing application in business, it comes as no surprise that links on the service are being used as an attack vector to try and harvest user details.

"User education about phishing exploits is key to reducing the risk of breaches - and as phishing tactics evolve, employees need to be kept up to date about what they should watch out for," he explained.

Sarb Sembhi, an analyst and director of consulting with Incoming Thought, meanwhile, says that, whilst many organisations have not had any security problems with Dropbox - either directly or via phishing attacks - there is a strong argument to lock down the corporate usage of free cloud services in favour of paid-for facilities, where you have a well-defined service level agreement, and you know precisely where the data is stored.

"One alternative approach involves using multiple free and paid-for services. I - for example - use four distinct services and choose to use each one based on the level of security the data being stored needs, and how long I want to store the data. You have to perform an effective risk analysis on each of the services you plan on using," he said.

Sembhi, who is also a leading light in ISACA, the not-for-profit IT security association, says there can also be a security issue with some free cloud data services which 'fingerprint' a given file and, where more than one person stores that file in their box, only one master copy is actually stored.

This, he says, creates problems if one person modifies the file, as that one copy can often be shared between multiple users.
