Gone Phishing? The Security Risk in File Sharing Links
5 May 2017
Phishing. It’s a particularly nasty form of cyber scam. The term is a play on the word “fishing,” because, similarly, a lure is used to catch the victim. Cyber attackers use phishing campaigns to send fraudulent email or text messages in an attempt to collect users’ account information or login credentials, or to drop malware on the victim’s computer. Security experts cite phishing as the leading means of planting destructive ransomware or other malware on computers.
There are actually two types of victims of phishing attacks. One is the person who opens a phishing message, clicks on a malicious link and has credentials stolen or malware downloaded to his or her computer. Another type of victim is the company or organization whose brand is hijacked for the purpose of making a phishing campaign look legitimate, for example, package shipping companies like FedEx and UPS, e-commerce companies like eBay and Amazon, and government agencies like the Internal Revenue Service.
In the Phishing Activity Trends Report for the 4th quarter of 2016, the Anti-Phishing Working Group reports that an average of 318 organizations had their brands hijacked for phishing campaigns in that quarter alone. In some quarters, as many as 500 or more organizations have been “brand victims” of these malicious attacks.
File sharing companies are not immune to this brand hijacking. Both the DropBox® and Google Docs™ brands have been spoofed multiple times in various phishing campaigns. The attackers use techniques that give the phony web pages an appearance of legitimacy, which makes it more likely that people will log in with the credentials of their email or social network account.
Just recently a phishing campaign using the Google Docs brand reportedly went out to more than a million people. Here, the email recipient got a message saying they had been added to a Google Doc, with a link to click to access it. The person clicked the link and saw a legitimate account screen. After login, a malicious service called “Google Docs” awaited, asking for privileges to access the person’s account, contacts, password resets, emails – everything.
Google took swift action to neutralize this particular threat, but other scams spoofing the Google Docs brand are still active. In one phishing campaign, the intended victim is asked to enter their Gmail or other system credentials, which in itself is a suspicious process. Ordinarily a person can’t enter Google Docs using, say, a set of Outlook® credentials. An astute user might recognize this, but many people go ahead and enter their credentials without giving it much thought.
The Dropbox brand name is also abused frequently for phishing attacks. In a recent campaign using the Dropbox brand name, recipients received an email stating that a file had been shared with them via the Dropbox service, and that they should sign in with an email address to view the file. The phony login page lets the intended victim sign in using an existing Gmail, Yahoo, AOL, Outlook or other email account. Offering so many choices raises the odds that the person uses one of these services and will attempt to log in to get to the file. In reality, the person is handing their credentials to a thief, and there is no file to view or retrieve.
Secure document services are another source of these malicious social engineering attacks. Security firm KnowBe4 reports there are active phishing campaigns using fake DocuSign® and Secure Adobe® PDF attachments trying to trap people into opening them up. By clicking on and opening an attachment, the person’s workstation gets infected with malware or ransomware.
These phishing scams are especially harmful because the campaigns abuse the very kinds of legitimate services that are intended to protect people from file security problems. Workers are instructed to use secure file sharing services rather than security-challenged email, and to protect their documents using digital signatures. Then cyber criminals come along and undermine everyone’s faith in these important services by abusing a vendor’s good reputation for illicit profit.
The criminals behind phishing campaigns cast as wide a net as possible. That’s one of the reasons they choose to spoof brands like Dropbox and Google Docs, which originated as consumer products and are used by hundreds of millions of people.
While there are technologies that can be applied to protect brands from being spoofed for phishing campaigns and to prevent phishing messages from landing in people's inboxes, they are not 100 percent effective, even when used properly. A critical defensive strategy is to teach people to be wary about anything that even hints at being suspicious, and to get familiar with the signs of a phishing attempt.
Here are some tips to avoid falling victim to a phishing attack involving popular file sharing service brands:
- Be wary of any unsolicited email message that contains instructions to open an attachment or click on a link to visit a website or retrieve a file. If you were not expecting such a message or file, contact the sender directly to ask if they actually sent it. If you don’t know the sender, this is a very big red flag.
- Be aware that phishing campaigns can spoof a sender name, making it look like someone you know sent the message. For example, your CFO’s name might be used in a message instructing you to transfer funds or issue a payment. Contact that person directly to verify the order.
- Be wary of emails that instruct you to view files on services you do not subscribe to, or that ask you to provide login credentials for different email providers. Google Docs will not ask for Microsoft® Outlook credentials to log in.
- Always hover your mouse over the links contained in emails to check their real destination address. If the destination looks suspicious, don’t open the link. To log in to a service like Dropbox, open a new browser window and type in the URL manually.
- Use strong passwords and choose a different password for each service that you use.
- Use two-step, or multifactor, verification for file sharing services that support it. Multifactor verification protects your account even if your password falls into the wrong hands.
- Report suspicious email messages to your company’s help desk or to the support center of the service brand in the message; for example, if the message appears to come from your bank but you think it’s a phish, contact your bank about the message.
- Talk to your company’s information technology department to see if they already have an enterprise-grade file sharing tool provisioned for employee use. If they do, then encourage your internal and external colleagues to collaborate with you there.
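The “hover over the link” tip above can also be automated: the real destination of a link lives in the anchor’s href, while the text the reader sees can say anything. The script below is an added example, not code from the original post or from any vendor. It parses a constructed HTML email body with Python’s standard library, reports anchors whose visible text shows one host while the href points at another, and separately reports anchors that name a brand but link to a host outside that brand’s domain. The brand-to-domain table (`BRAND_DOMAINS`) and the sample message are assumptions made for the example.

```python
"""Flag email links whose visible text disagrees with their real destination.

Added example: parses a constructed HTML message and reports two kinds of
suspicious anchors, the classic "hover reveals a different host" mismatch and
brand names that link outside the brand's own domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message in the style described in the post: it names
# Dropbox, shows a dropbox.com URL, but the href goes somewhere else entirely.
SAMPLE_HTML = """
<html><body>
<p>A file has been shared with you via Dropbox.</p>
<p><a href="http://dropbox-share.example-files.net/login">https://www.dropbox.com/s/view-file</a></p>
<p>Or sign in at <a href="https://www.dropbox.com/login">Dropbox</a>.</p>
</body></html>
"""

# Assumed mapping of brand keyword -> domains the brand legitimately uses.
BRAND_DOMAINS = {
    "dropbox": ("dropbox.com",),
    "google docs": ("google.com",),
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def host_of(url):
    """Lower-cased hostname of a URL, or '' when the URL has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def find_mismatched_links(html):
    """Anchors whose displayed text is a URL on a different host than the href."""
    findings = []
    for href, text in extract_links(html):
        if not looks_like_url(text):
            continue
        shown = text if "://" in text else "http://" + text
        shown_host, real_host = host_of(shown), host_of(href)
        if shown_host and real_host and shown_host != real_host:
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings


def brand_domain_mismatches(html):
    """Anchors that mention a brand but link to a host outside its domains."""
    findings = []
    for href, text in extract_links(html):
        host = host_of(href)
        for brand, domains in BRAND_DOMAINS.items():
            mentioned = brand in text.lower()
            in_domain = any(host == d or host.endswith("." + d) for d in domains)
            if mentioned and host and not in_domain:
                findings.append({"brand": brand, "host": host, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"text shows {f['shown']} but link goes to {f['actual']}")
    for f in brand_domain_mismatches(SAMPLE_HTML):
        print(f"mentions {f['brand']} but links to {f['host']}")
```

Only the first anchor is reported by both checks; the second one names Dropbox and actually goes to dropbox.com, so it passes. In a mail gateway you would run the same two checks over each message body before delivery and either tag the message or quarantine it, and extend `BRAND_DOMAINS` with the services your organization actually uses.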
Unfortunately, times are such that people must be vigilant about messages, files and links that might present harm. Even trusted brands of file sharing applications can be hijacked for nefarious purposes. Keep your wits about you when working with such applications.
Todd Partridge is Vice President, Product Marketing at Intralinks. He has broad industry experience in the enterprise information management (EIM) space, with deep expertise in the trends and technologies related to information governance, enterprise content management, document management, web content management, business intelligence, team collaboration, e-mail management, and enterprise records management practices. In his previous role at OpenText, Todd held several global positions spanning sales, marketing, product management, positioning and strategy.