Recently we noticed spammers abusing Dropbox, a popular cloud-based, file-hosting and synchronization tool, to spread spam.
Dropbox accounts have a public folder where files can be placed and made publicly available. This function is useful to spammers, as it effectively turns Dropbox into a free hosting site. Spammers have abused URL shortening and free hosting sites for some time. Dropbox also provides a URL shortening service, which spammers have also abused.
Spammers have created several Dropbox accounts, uploading an image and a simple .html file and then using the image to link to a pharmaceutical site.
Following this link takes you to a fairly standard "Canadian Health & Care Mall" site:
We saw over 1,200 unique Dropbox URLs being used in spam over a 48-hour period. We have informed Dropbox, providing them with the full list of URLs.
Since Dropbox is a widely-used service (with smartphone applications) people might view Dropbox URLs as more trustworthy, and therefore more likely to open them.
In fact, Dropbox is being abused by malware authors, as well as spammers. We recently saw a Brazilian Portuguese malware message claiming to contain photos and asking if they can be put onto a popular social networking site. The links in the email point to a Trojan hosted on Dropbox. The link text is crafted to look like image file names similar to what many digital cameras would use:
This abuse is a good reminder that any site which makes user-supplied content publicly available must continue to be vigilant about dealing with abuse. Although Dropbox is a high-profile site, spammers target all sorts of sites, big and small. There are many things that sites do to deal with such abuse, but in some cases this crucial work is often seen as low priority, despite the damage that such abuse can cause. Dropbox however assured us "they care about their user's security and experience above all else."
Symantec.cloud customers are protected from these threats based on advanced link-handling technology.
Leave a reply