ALERT! Very Active PHISHING CAMPAIGN still alive targeting Dropbox Users

By | August 21, 2016

I received the link via e-mail but also found it online through some redirects and a Dropbox typo domain name.

The images and page look spot on, but if you look at the URI like you should, you’ll notice right away that we have some problems here!

http://glabalinvestment.tk/cost/DROP1/casts/

[Screenshot: dropbox_phishing]

The campaign is stealing your Gmail, Yahoo, MSN, AOL or other e-mail account as well as your Dropbox account – once your e-mail is compromised, attackers don’t have much trouble taking over the rest of your accounts with that infamous “reset your password” or “I forgot my password” button.


So…let’s play this out – I’ll input some information and we can see what happens.


2016-08-21 08:51:27.817436 IP 192.168.1.100.33910 > 94.102.50.50.80: Flags [P.], seq 1:324, ack 1, win 229, options [nop,nop,TS val 32169711 ecr 2715205929], length 323: HTTP: GET /cost/DROP1/casts/ HTTP/1.1
E..w.;@.@……d^f22.v.Pgj$.<>.}….T……
…….)GET /cost/DROP1/casts/ HTTP/1.1
Host: glabalinvestment.tk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2016-08-21 08:51:28.123701 IP 192.168.1.100.33910 > 94.102.50.50.80: Flags [.], ack 14778, win 463, options [nop,nop,TS val 32169788 ecr 2715206245], length 0
E..4.G@.@……d^f22.v.Pgj&/<>.6….R……
…<…e
2016-08-21 08:51:28.137743 IP 94.102.50.50.80 > 192.168.1.100.33910: Flags [P.], seq 14778:16226, ack 324, win 122, options [nop,nop,TS val 2715206260 ecr 32169762], length 1448: HTTP
E ..E.@.3..l^f22…d.P.v<>.6gj&/…z…….
…t…"'), local('OpenSans-Light'), url(dropbox_files/DXI1ORHCpsQm3Vp6mXoaTXhCUOGz7vYGh680lGh-uXM.woff) format('woff');
}
@font-face {
font-family: 'Open Sans';
font-style: normal;
font-weight: 400;
src: local('Open Sans'), local('OpenSans'), url(dropbox_files/cJZKeOuBrn4kERxqtaUH3T8E0i7KZn-EPnyo3HZu7kw.woff) format('woff');

Now I’ll POST my credentials:

2016-08-21 08:55:37.958321 IP 192.168.1.100.33922 > 94.102.50.50.80: Flags [P.], seq 1:532, ack 1, win 229, options [nop,nop,TS val 32232246 ecr 2715456053], length 531: HTTP: POST /cost/DROP1/casts/ HTTP/1.1
E..G./@.@.C….d^f22…P..q;.hbf….T……
…6…5POST /cost/DROP1/casts/ HTTP/1.1
Host: glabalinvestment.tk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://glabalinvestment.tk/cost/DROP1/casts/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 83

hidCflag=&Email=blah12311%40gmail.com&Passwd=yourgoingdown&signIn=Sign+in&rmShown=1
2016-08-21 08:55:38.088463 IP 94.102.50.50.80 > 192.168.1.100.33922: Flags [.], ack 532, win 122, options [nop,nop,TS val 2715456199 ecr 32232246], length 0
E .4..@.3..^^f22…d.P…hbf..sN…z.X…..
…….6
2016-08-21 08:55:38.167398 IP 94.102.50.50.80 > 192.168.1.100.33922: Flags [P.], seq 1:298, ack 532, win 122, options [nop,nop,TS val 2715456282 ecr 32232246], length 297: HTTP: HTTP/1.1 200 OK
E .]..@.3..4^f22…d.P…hbf..sN…z!]…..
…….6HTTP/1.1 200 OK
Date: Sun, 21 Aug 2016 12:54:56 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.6.22
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

3


2016-08-21 08:55:38.365148 IP 94.102.50.50.80 > 192.168.1.100.33922: Flags [P.], seq 298:401, ack 532, win 122, options [nop,nop,TS val 2715456485 ecr 32232298], length 103: HTTP
E ….@.3…^f22…d.P…hc…sN…z…….
…….j61

<script type="text/javascript">
<!--
window.location="verification.php"

</script>


UHHHHHHHHHHH – WHAT??? SITE IS PRETENDING TO GOOGLE VERIFY ME!


2016-08-21 08:55:38.372853 IP 192.168.1.100.33922 > 94.102.50.50.80: Flags [P.], seq 532:926, ack 406, win 237, options [nop,nop,TS val 32232350 ecr 2715456485], length 394: HTTP: GET /cost/DROP1/casts/verification.php HTTP/1.1
E….3@.@.Db…d^f22…P..sN.hc…..TU…..
……..GET /cost/DROP1/casts/verification.php HTTP/1.1
Host: glabalinvestment.tk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://glabalinvestment.tk/cost/DROP1/casts/
Connection: keep-alive

[Screenshot: Selection_006]

2016-08-21 09:00:13.756038 IP 192.168.1.100.33930 > 94.102.50.50.80: Flags [P.], seq 1:554, ack 1, win 229, options [nop,nop,TS val 32301196 ecr 2715731847], length 553: HTTP: POST /cost/DROP1/casts/verification.php HTTP/1.1
E..]..@.@……d^f22…PJ…1.a)….T……
……..POST /cost/DROP1/casts/verification.php HTTP/1.1
Host: glabalinvestment.tk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://glabalinvestment.tk/cost/DROP1/casts/verification.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

challengetype=PhoneVerificationChallenge&phoneNumber=4438481234&recEmail=

2016-08-21 09:00:14.208222 IP 94.102.50.50.80 > 192.168.1.100.33930: Flags [P.], seq 298:404, ack 554, win 122, options [nop,nop,TS val 2715732299 ecr 32301248], length 106: HTTP
E ….@.2.N.^f22…d.P..1.bRJ……z1……
…K….64

<script type="text/javascript">
<!--
window.location="https://dropbox.com";

</script>

[Screenshot: Selection_007]

This is a good example of sleight of hand: if you had been watching a movie or barely paying attention, you might have entered your credentials into the phishing site, been reassured when you saw what looked like the standard Google verification prompt, and then, after typing in any phone number or e-mail (it obviously doesn’t check), been redirected to where you thought you were going all along, the real dropbox.com.
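As an added detection check (not code from the original post), the script below walks constructed request/response pairs mirroring the capture above and flags the pattern just described: credential or 2FA fields posted to a host that is not Dropbox, answered by script-only redirects that end at the real brand. The brand host list, the field names and the sample transactions are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample transactions mirroring the capture above:
# (request line, Host header, POST body, response body).
TRANSACTIONS = [
    ("POST /cost/DROP1/casts/ HTTP/1.1", "glabalinvestment.tk",
     "hidCflag=&Email=blah12311%40gmail.com&Passwd=yourgoingdown&signIn=Sign+in&rmShown=1",
     '<script type="text/javascript">\n<!--\nwindow.location="verification.php"\n\n</script>'),
    ("POST /cost/DROP1/casts/verification.php HTTP/1.1", "glabalinvestment.tk",
     "challengetype=PhoneVerificationChallenge&phoneNumber=4438481234&recEmail=",
     '<script type="text/javascript">\n<!--\nwindow.location="https://dropbox.com";\n\n</script>'),
]

BRAND_HOSTS = {"dropbox.com", "www.dropbox.com"}            # where the victim believes they are (assumed)
CRED_FIELDS = {"email", "passwd", "password", "phonenumber"}  # form fields worth flagging (assumed)
REDIRECT_RE = re.compile(r'window\.location\s*=\s*["\']([^"\']+)["\']')

def credential_fields(body: str) -> list:
    """Field names in a urlencoded body that look like credentials or 2FA data."""
    return sorted(k for k in parse_qs(body, keep_blank_values=True) if k.lower() in CRED_FIELDS)

def script_only_redirect(html: str):
    """Return the window.location target if the body is nothing but a JS redirect, else None."""
    stripped = re.sub(r"<!--|-->|</?script[^>]*>", "", html).strip()
    m = REDIRECT_RE.fullmatch(stripped.rstrip(";"))
    return m.group(1) if m else None

def analyse(transactions: list) -> dict:
    """Describe the harvest-then-handoff pattern across a sequence of request/response pairs."""
    harvested, chain = [], []
    for request_line, host, body, response in transactions:
        method, path, _ = request_line.split()
        fields = credential_fields(body) if method == "POST" else []
        if fields and host not in BRAND_HOSTS:
            harvested.append((path, host, fields))   # sensitive data left the brand's domain
        target = script_only_redirect(response)
        if target is not None:
            chain.append(target)                     # bare redirect, no real page served
    final_host = urlsplit(chain[-1]).hostname if chain else None
    return {
        "harvested": harvested,
        "redirect_chain": chain,
        # The tell: data harvested off-brand, then the victim is handed back to the real site.
        "handoff_to_brand": bool(harvested) and final_host in BRAND_HOSTS,
    }

if __name__ == "__main__":
    print(analyse(TRANSACTIONS))
```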


Ironically enough, the phishing site has a blind SQLi vulnerability. We were not able to grab a shell, but we did get a good count of how many victims they have already hit thus far by looking at the auto-incrementing primary key ID value, which was as high as 11,200.
