Links to adult dating sites have reached thousands of Dropbox users, thanks to scam emails originating from a company email address.
The scam is primarily a marketing technique, designed by spammers to earn money from an affiliate scheme that pays them for sending new users to the sites. They create fake accounts to share content with registered users, which results in an apparently legitimate email being sent from a firstname.lastname@example.org email address. The spammers have found a way to hide messages within these emails, directing recipients towards the dating sites.
The emails have slipped through spam filters as they originate from an @dropbox.com address, even though the messages themselves contain links that would usually raise alarm bells if they were coming from an unknown source.
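The gap described above, shown as an added example (not code from Dropbox, Symantec or the original article): a filter that trusts the sender domain alone, next to one that applies link reputation whoever the sender is. The sender address, the flagged domain and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_SENDERS = {"dropbox.com"}             # sender domain named in the article
FLAGGED_LINKS = {"dating-affiliate.example"}  # constructed stand-in for a URL reputation feed
URL_HOST = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)

def base_domain(host):
    # Last two labels only; a production filter would use the Public Suffix List.
    host = host.lower().rsplit("@", 1)[-1].split(":")[0].rstrip(".")
    return ".".join(host.split(".")[-2:])

def sender_domain(msg):
    return base_domain(parseaddr(msg.get("From", ""))[1])

def link_domains(msg):
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        found.update(base_domain(h) for h in URL_HOST.findall(text))
    return found

def sender_only_filter(msg):
    # Weak policy: a trusted From domain skips the content checks entirely.
    if sender_domain(msg) in TRUSTED_SENDERS:
        return "deliver"
    return "quarantine" if link_domains(msg) & FLAGGED_LINKS else "deliver"

def content_aware_filter(msg):
    # Corrected policy: link reputation applies whoever the sender is.
    return "quarantine" if link_domains(msg) & FLAGGED_LINKS else "deliver"

def classify(raw):
    msg = message_from_string(raw)
    return sender_only_filter(msg), content_aware_filter(msg)

# Constructed share notification, not a captured email.
SAMPLE = """\
From: Dropbox <sender@dropbox.com>
Subject: A folder was shared with you

Someone shared a folder with you.
Message: meet people near you http://www.dating-affiliate.example/join
View folder: https://www.dropbox.com/
"""
print(classify(SAMPLE))
```
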
This isn’t the first time that Dropbox has been targeted in the past year, with phishing scams in August 2015 hitting users with emails that perfectly imitated the format and style of regular company messages.
The most recent attack also targeted Google+ customers. Security company Symantec picked it up in December and has since advised both companies on how best to proceed, although it is suspected that the scheme is still continuing.
In a statement following the discovery, Dropbox said:
“Preventing abuse and protecting our users from online scammers and spam is a top priority. […] Dropbox is actively investigating and implementing countermeasures to mitigate this type of activity, including shutting down spam-generating accounts.”
So how bad is it if you’ve been targeted?
The good news in this story is that Dropbox and Google+ users who have received the emails haven’t had their data stolen or been affected by any malware. However, the success of this campaign certainly raises questions for these major companies, as the ease with which these spammers compromised their security suggests that more attacks might be coming their way.