A multistep phishing scheme aimed at employees that process financial documentation has been discovered by Kaspersky. 

 

The scheme begins when victims receive an email from the legitimate address of an auditing firm. This initial interaction is intended to make the recipient less suspicious: like a preparatory step to ease into the main fraudulent activity. 

 

Then a notification from the Dropbox service follows, containing malicious links to archives where cybercriminals have uploaded phishing files designed to steal credentials.

 

Social engineering tactics

The first step involves victims receiving emails purportedly from a legitimate auditing firm. These emails are sent from authentic address, which has most likely been hijacked by attackers. They employ social engineering tactics to lower victims’ guard and prepare them to receive a Dropbox archive.

 

“The email appears legitimate from both a human standpoint and in terms of protection software. It contains a plausible cover story that an official audit company has information for the recipient, complete with a disclaimer regarding sharing confidential information. In addition, the email contains no links or attachments and originates from an easily searchable company address, making it nearly impossible for a spam filter to detect,” explains Roman Dedenok, a security expert at Kaspersky.

 

The only suspicious trait in this email is that the sender uses “Dropbox Application Secured Upload”. This service doesn’t exist. Although files uploaded to Dropbox can be password-protected, nothing more can be done. 

 

Following this email, the perpetrators send their victims an official Dropbox notification. If the recipient is already primed to respond by the initial message, there is a higher likelihood they’ll follow the link to review the document.--TradeArabia News Service