Phishing attack via bogus Login page

The Network: A financial firm headquartered in the Midwest U.S. with several hundred servers and workstations.

The Expectation: An organization’s attack surface, from endpoint to server to cloud infrastructure is protected and monitored 24/7/365.

The Catch: Netsurion inspects all north/south traffic and detects browser traffic from a workstation indicating a phishing attack. The Netsurion SOC analyst identified a title page that said “Dropbox Login Page” but it’s not via https. The absence of endpoint device monitoring at the workstation level limits visibility and potentially exposes the financial organization.

The Find: The workstation user was potentially a victim of credential compromise and an attempt to harvest Dropbox logins via a bogus login page. The next step in the attack chain would likely have been to exfiltrate sensitive stored data and use double extortion ransomware for monetary gain.

The Fix: Quarantine the endpoint device and run a thorough scan. For maximum safety, re-image the hard drive. Check the local DNS cache for possible poisoning of Dropbox.com. If this user has a Dropbox account, s/he should immediately change login credentials.

The Lesson: Workstation endpoints like laptops and tablets are often the weakest link and should be monitored 24/7/365 by Netsurion’s SOC experts and Netsurion Managed Endpoint Security. Attackers establish a beachhead on the least well defended machine in the network and spread laterally from there. Phishing is an attack vector that is used in over 60% of ransomware attacks..