Your Password Has Been Stolen

As knowledge of scams plays a significant role in avoiding becoming a victim, I thought I would show you how these crooks go about stealing your credentials via a phishing scam. This is actually very similar to how John Podesta got his emails stolen during the 2016 Presidential Election.

Step 1 — The Phish

Phishing starts with an email that arrives in your inbox or on your mobile phone. It will appear from a service you use and even be an email you are expecting: a PDF scan from your Canon or Xerox copier; a tracking notification from FedEx, UPS or USPS; or email from a coworker or friend.

This particular phishing email is from Dropbox and tries to appear to be from someone sending “an important document” regarding some vague industry summit.

Red Flag #1 — The sender is “Dropbox!” with an exclamation point which is weird. But the sender’s email address is definitely not a Dropbox address.

Red Flag #2 — If you mouse-over the “your file here” link (i.e., move your mouse over the text without clicking), it will show you the destination URL (i.e., Internet address), in a pop-up box or on the bottom of the window as in this case. It shows the URL to be http://bit.ly/2ooXfeV. Phishing scammers use legitimate URL shorteners like bit.ly to obscure the true destination. That is, they don’t want you to know that the link takes you to bad destination.

Red Flag #3 — The text in the email body may fool you if you read it quickly but if you slow down to read it carefully, the text is butchered English with improper capitalization and missing punctuation such as periods and commas. See, your English teacher always told you that grammar is important!

At this point, you can be confident that this is a phishing email and you should delete it. But I want to show you what to expect in case you miss the red flags and click the link.

Step 2 — Clicking the Link

If you click on the “Your File Here” link, you will be taken to a webpage which is hosted on some victim’s hijacked website. In this case, it is “domanatoos.club”, as you can see in the address bar. The most likely scenario is that the website owner didn’t have a good enough admin password for managing his domain or failed to install security patches and updates on his website like you need to do for your personal computer. As a result, his website is now being used to host phishing scams.

As you can gather, the URL, domanatoos.club, has nothing to do Dropbox. And if you mouse-over any of the links for the listed email providers, they all point to the same URL at the domanatoos.club domain.

The scammer is asking you to select your email provider so you can login and view the shared document. I guess he wants you to ignore the fact that you are supposed to downloading a file from Dropbox. It makes zero sense to login to Office 365 to view a Dropbox document, which should raise your suspicion if you’ve made it this far into the scam. But let’s play along.

Step 3 — Stealing Your Password

If you click on the link of your email provider, you will be presented with a fake login box for your selected email provider.

This is where they steal your email address and password for your mail provider. No matter how strong your password, the scammer now has it. And if you use the same password for other accounts such as social media or your banking, the scammer now has access to those other accounts and you can guarantee that he will try to gain access to those as well.

The scammer’s software will use your stolen credentials to log into your email account and send a phishing scam to people in your address book. We have also seen incidents where the address book and sent items of the victim have been deleted.

Awareness is the Key to Security

If you made it this far, I want to congratulate you for taking the time to educate yourself about these kinds of phishing scams. Because the only true way to protect yourself is by being aware of their existence, be suspicious of every email you receive and be able to identify the tell-tale signs of a scam.


Originally published at www.axicom.net on April 14, 2017.