Phishing attack via bogus Dropbox Login page

The Network: A financial firm headquartered in the Midwest U.S. with several hundred servers and workstations.

The Expectation: Workstations are less critical; most critical data is on their servers.

The Catch: EventTracker Intrusion Detection, inspecting all north/south traffic, detects browser traffic from a workstation indicating a phishing attack; the page title says “Dropbox Login Page” but the page is not served via HTTPS. The absence of monitoring at the workstation level limits visibility.

The Find: The workstation user was potentially a victim of an attempt to harvest credentials for Dropbox via a bogus login page.

The Fix: Quarantine the workstation and run a deep scan. For maximum safety, re-image the hard drive. Check the local DNS cache for possible poisoning of dropbox.com. If this user has a Dropbox account, they should change their credentials.

The Lesson: Workstations are often the weakest link and should be monitored. Attackers establish a beachhead on the least well-defended machine in the network and spread laterally from there.
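
The check described under The Catch, sketched as an added example (this is not EventTracker's detection logic): flag any observed page whose title names a brand login but arrives over plain HTTP. It goes one step beyond the case by also flagging a host outside the brand's domains; the brand-to-domain map, the record layout and all host names and addresses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains allowed to serve that brand's login page.
BRAND_DOMAINS = {"dropbox": ("dropbox.com",)}
LOGIN_WORDS = re.compile(r"\b(log\s?in|sign\s?in)\b", re.I)
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

def extract_title(html):
    """Return the page title with whitespace collapsed, or '' if absent."""
    m = TITLE_RE.search(html)
    return " ".join(m.group(1).split()) if m else ""

def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_response(client_ip, url, html):
    """Return a list of alert strings for one observed HTTP response."""
    title = extract_title(html)
    if not LOGIN_WORDS.search(title):
        return []
    parts = urlsplit(url)
    alerts = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in title.lower():
            continue
        if parts.scheme != "https":
            alerts.append(f"{client_ip}: '{title}' served over {parts.scheme} from {parts.hostname}")
        if not host_matches(parts.hostname or "", domains):
            alerts.append(f"{client_ip}: '{title}' served by non-{brand} host {parts.hostname}")
    return alerts

# Constructed observations (client IP, URL, body); the https one assumes a TLS-inspecting proxy.
SAMPLES = [
    ("10.0.4.17", "http://files-share.example/login.php",
     "<html><head><title>Dropbox Login Page</title></head></html>"),
    ("10.0.4.22", "https://www.dropbox.com/login",
     "<html><head><title>Login - Dropbox</title></head></html>"),
    ("10.0.4.17", "http://dropbox.com/login", "<title>Dropbox\n Login Page</title>"),
    ("10.0.4.30", "http://intranet.example/", "<title>Staff Login</title>"),
]

if __name__ == "__main__":
    for ip, url, body in SAMPLES:
        for alert in check_response(ip, url, body):
            print(alert)
```

The third sample is the case the DNS-cache check in The Fix addresses: the host name is the real one, so only the plaintext transport gives it away.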