Phishing attack via bogus Dropbox Login page

The Network: A financial firm headquartered in the Midwest U.S. with several hundred servers and workstations.

The Expectation: Workstations are less critical; most critical data is on their servers.

The Catch: EventTracker Intrusion Detection, inspecting all north/south traffic, detected browser traffic from a workstation indicating a phishing attack. The Netsurion SOC analyst identified a page whose title read “Dropbox Login Page” but that was not served over HTTPS. The absence of endpoint monitoring at the workstation level limits visibility and potentially exposes the financial organization.

The Find: The workstation user was potentially a victim of an attempt to harvest credentials for Dropbox via a bogus login page.

The Fix: Quarantine the workstation and run a deep scan. For maximum safety, re-image the hard drive. Check the local DNS cache for possible poisoning of Dropbox.com. If this user has a Dropbox account, s/he should immediately change login credentials.
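The detection described under The Catch (a page titled as a Dropbox login but not served over HTTPS, or served from a host that is not Dropbox) and the DNS-poisoning concern under The Fix can be expressed as a simple rule over IDS or proxy records. The following is an added example, not EventTracker or Netsurion code; the record format, the sample traffic, and the brand allow-list are all constructed for illustration.

```python
# Added example: flag brand-impersonating login pages in HTTP traffic records.
# Two signals are checked, mirroring the case above:
#   1. a login-looking title naming a brand, served from a host outside that
#      brand's legitimate domains (classic phishing page);
#   2. a login-looking title served without TLS, even on the legitimate domain
#      (what a poisoned DNS entry plus an interposed plain-HTTP page would look like).
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample of IDS/proxy records (not real traffic): source workstation,
# requested URL, and the <title> observed in the HTTP response body.
SAMPLE_RECORDS = [
    {"src": "10.20.30.41", "url": "https://www.dropbox.com/login", "title": "Login - Dropbox"},
    {"src": "10.20.30.57", "url": "http://203.0.113.10/dbx/index.php", "title": "Dropbox Login Page"},
    {"src": "10.20.30.57", "url": "http://dropbox-secure-login.example/auth", "title": "Dropbox Login"},
    {"src": "10.20.30.12", "url": "http://intranet.example/wiki", "title": "Wiki - Dropbox howto"},
    {"src": "10.20.30.99", "url": "http://www.dropbox.com/login", "title": "Login - Dropbox"},
]

# Brands and the domains that legitimately host their login pages.
# Assumption: the defender maintains this allow-list; dropbox.com is used here
# because the case above concerns Dropbox.
LEGIT_DOMAINS = {"dropbox": {"dropbox.com"}}

# Words that suggest a credential form rather than an ordinary page mentioning the brand.
LOGIN_WORDS = re.compile(r"\b(log ?in|sign ?in|password)\b", re.I)


@dataclass
class Finding:
    src: str
    url: str
    reason: str


def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(record):
    """Return a Finding if the record looks like a brand login page that should not
    be trusted, otherwise None."""
    parsed = urlparse(record["url"])
    host = parsed.hostname or ""
    title = record.get("title", "")
    for brand, domains in LEGIT_DOMAINS.items():
        if brand not in title.lower() or not LOGIN_WORDS.search(title):
            continue
        reasons = []
        if not host_matches(host, domains):
            reasons.append(f"{brand} login title on non-{brand} host {host}")
        if parsed.scheme != "https":
            reasons.append("credential page served without TLS")
        if reasons:
            return Finding(record["src"], record["url"], "; ".join(reasons))
    return None


def scan(records):
    """Run classify over every record and return the list of findings."""
    return [f for f in map(classify, records) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"{finding.src} -> {finding.url}: {finding.reason}")
```

Running the block on the constructed records flags the two pages hosted off dropbox.com and the plain-HTTP request to www.dropbox.com (the case worth checking against the local DNS cache), while the legitimate HTTPS login and the intranet wiki page that merely mentions Dropbox pass. The allow-list approach generalizes to any brand by adding entries to LEGIT_DOMAINS.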

The Lesson: Workstation endpoints like laptops and tablets are often the weakest link and should be monitored 24/7/365 by Netsurion’s SOC experts and EventTracker Endpoint Security. Attackers establish a beachhead on the least well-defended machine in the network and spread laterally from there.