I’m confused. I got an email saying I had some pending documents to review on Dropbox, but when I click on the link, I am prompted for a Rackspace login, not taken to Dropbox. What’s going on?
Like parents would say to a child before they head off into the jungle or the police chief says to her officers at the end of morning briefing: “be careful out there!” That’s exactly my recommendation to you too with everything online, because what you’ve encountered is what’s known as a phishing attack. It’s an email that you received that isn’t from Dropbox at all, but is from a hacker or other ne’er-do-well who wants you to reveal your Dropbox account credentials unsuspectingly.
In my experience, just about all phishing attacks – which are invariably via formatted email with company logos, etc – have one or more things that aren’t quite right. The challenge is to be suspicious enough to look closely before you click!
One telltale is that it doesn’t come from someone you know and doesn’t reference your name directly, but there are often misspellings and other quirks too. Independent of all of that, however, check the link before you click!
Let’s dig into this particular phishing attempt to see how it works…
Here’s the email I received. Looks pretty legit, right?
But look more closely and you’ll realize it doesn’t reference a sender or know me by name even though I have a Dropbox account. Weird. More weird is that the font isn’t quite right, because the entire message body is an image, which is not at all how Dropbox sends and formats its email.
The biggest tell is from moving the cursor over the “View document here” button: My email program shows the destination URL as a pop-up window:
That’s not dropbox.com so it’s immediately highly suspicious. And .cx? That’s Christmas Island (no kidding!), which is most assuredly not where Dropbox would send me to retrieve or view a document if this were a legit email message!
Still, let’s say I’m spacing out and click on the link redirect. Where do I end up? Surprisingly, not at a Dropbox login screen mockup but on a server associated with the domain bprbds.com:
More interestingly, it’s apparently a site hosted at Rackspace, so Rackspace pops up a login prompt:
Update: Rackspace security contacted me and assures me that this particular Web site is not hosted on their service, just spoofing this prompt to make it seem more legit. FYI.
Weird, right? Definitely more than enough clues to say “No way!”, close the window and delete this pesky email. If you’re curious, by the way, BPRBDS.COM appears to be a Malaysian language site offering vehicle financing options:
With the way these sorts of phishing hacks work, it’s a sure bet that Dropbox, Rackspace and BPRBDS have no idea that they’re all complicit in this attack. Indeed, it’s up to us Internet users to learn to be skeptical and through that be safe online. So please, be safe out there!
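The three clues called out in the answer above (the link goes to a host that is not under dropbox.com, the message body is just an image, and the message never addresses the recipient by name) can be checked mechanically before anyone clicks. The following Python script is an added example, not code from the original answer or from Dropbox; it uses only the standard library. The two sample emails, the hostname example.cx and the recipient name "Pat" are constructed for the demonstration.

```python
"""Heuristic triage of an HTML email body: does it look like a brand
impersonation? Added example; stdlib only (html.parser, urllib.parse)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The brand the email claims to be from and the domain its links should use.
CLAIMED_BRAND_DOMAIN = "dropbox.com"


class _LinkAndImageCollector(HTMLParser):
    """Collects anchor targets, counts images, and gathers visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = 0
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def host_belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it.
    A plain substring test would wrongly accept 'dropbox.com.example.cx'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(html_body, recipient_name):
    """Return a list of human-readable findings; an empty list means none
    of the three heuristics fired."""
    parser = _LinkAndImageCollector()
    parser.feed(html_body)
    findings = []

    # Clue 1: where does the "View document" link actually go?
    for href in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https") or not url.hostname:
            continue  # mailto:, cid:, relative links: nothing to compare
        if not host_belongs_to(url.hostname, CLAIMED_BRAND_DOMAIN):
            tld = url.hostname.rsplit(".", 1)[-1]
            findings.append(
                f"link host {url.hostname!r} (TLD .{tld}) is not under "
                f"{CLAIMED_BRAND_DOMAIN}"
            )

    # Clue 2: the whole message body is an image with almost no real text.
    body_text = " ".join(parser.text)
    if parser.images and len(body_text) < 40:
        findings.append("message body is essentially a single image")

    # Clue 3: a real share notification addresses the account holder by name.
    if recipient_name.lower() not in body_text.lower():
        findings.append("message does not address the recipient by name")

    return findings


# Constructed sample messages (not the real email from the post).
PHISH_EMAIL = (
    '<html><body><img src="cid:body.png">'
    '<a href="http://example.cx/review"><img src="cid:button.png"></a>'
    "</body></html>"
)
LEGIT_EMAIL = (
    "<html><body><p>Hi Pat, Alex shared &quot;Q3 report.pdf&quot; with you.</p>"
    '<a href="https://www.dropbox.com/s/abc123/view">View file</a>'
    "</body></html>"
)

if __name__ == "__main__":
    for label, body in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, triage(body, "Pat") or ["no findings"])
```

Running the script prints three findings for the constructed phishing sample and none for the constructed legitimate one. The `host_belongs_to` check is the important detail: matching on the suffix rather than on a substring is what keeps a lookalike such as `dropbox.com.example.cx` from passing.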
Was that a “Hill Street Blues” reference? I sure hope so! 8^)
Do also keep an eye out when shopping online. If something looks too good to be true, then it most likely is too good to be true.
There are a lot of Chinese imitations of big brands which sell the seemingly legit item at a ridiculous price. They usually make spelling mistakes on the package, so do look out for that. The internet is getting more and more hostile by the day, man.