Arlington, VA (August 26, 2015) – Better Business Bureau shut down a fraudulent website this week after the site sent a phishing email that appeared to come from the FBI and to link to a document stored in Dropbox, but the file was really malware. BBB is alerting users of file sharing sites to be cautious when accepting files, even if the email appears to be from someone they know.
The Council of Better Business Bureaus contracts with Corporate Services Company (CSC) for take-down services when scam websites mimic BBB, use its intellectual property, or attempt to enter its systems. CBBB has instigated take-downs of nearly 200 fraudulent websites since November 2011, when the BBB name and logo were first used in a phishing scam.
“Criminal hackers are exploiting consumer trust in popular file sharing services,” says Bill Fanelli, CBBB chief security officer. “The emails look authentic, and they appear to be from someone the user knows. But the link goes to a fraudulent site that tricks the user into entering their login credentials, then installs malware on their computers, and sends phishing emails to everyone on their contact list.”
According to Fanelli, the basic attack is simple: you receive an email from someone you know with a link to a file that says it is from a file sharing site such as Dropbox, Google Drive or OneDrive. If you click the link, there are two typical scenarios.
In one version of the attack, a file containing malware is downloaded. Malware typically succeeds by exploiting a weakness in a software program (browser, document reader) or the operating system. A more advanced version sends the user to a page that resembles a popular cloud-based file sharing service and asks for the user’s account name and password. Once those are entered, they can be used to log in to the user’s real account at that service. In addition, because most people use the same password for multiple accounts, hackers may now be able to access bank, credit card, and other financial accounts.
In both scenarios, one of the actions taken by the hacker is to access the user’s contact list and send similar emails to everyone on it, which is how the scam is spread.
“If you’ve been the victim of this latest scam that pretends to send a Dropbox file, there are several things you need to do,” advises Fanelli. “You will need to change your password AND unlink any connection a hacker has already made to your account. Just changing the password does not automatically disconnect all other devices. Instructions are in the Dropbox Help Center.”
As with any update, business users should check with their system administrator before installing any updates on their computer.
BBB Tips to Avoid File Sharing Scams
BBB offers the following advice to help prevent file sharing malware attacks:
To learn more about scams, visit BBB Scam Stopper at bbb.org/scam. Sign up for weekly Scam Alerts to find out about scams when we do.
ABOUT BBB: For more than 100 years, Better Business Bureau has been helping people find businesses, brands and charities they can trust. In 2014, people turned to BBB more than 165 million times for BBB Business Reviews on more than 4.7 million businesses and Charity Reports on 11,000 charities, all available for free at bbb.org. The Council of Better Business Bureaus is the umbrella organization for 113 local, independent BBBs in the United States, Canada and Mexico, as well as home to its national programs on dispute resolution, advertising review, and industry self-regulation.