Skip to main content

Nasty little Dropbox phishing spam

This morning I received an interesting message from someone I haven't heard from in a while through email. The subject line was "FIND PDF COPY" (in all caps). Inside the body of the message, embedded within the normal garbage footer attached by their email client, was this:

Joshua Wieder dropbox spam phishing embedded image

I may very well have gotten suckered into this one if it weren't for the all caps subject line. The person who ostensibly sent me this message is, somewhat ironically, the type of person to include all caps text in their email - but there was something a little too weird about the grammatical solipsism intrinsic to the phrase "FIND PDF COPY" even for this supposed sender.

So I took the two seconds out of my day to hover my mouse over the link and, what would you know, dropbox was not the target at all. The link forwarded to "goto-saketen.com" instead.

Just to be sure I took a look at the headers of the message. This did in fact come from the sender it claimed to, although I'm quite certain he had no idea his computer is sending these messages. I was a bit relieved; this sender is one of my contacts, so at least I knew that *his* email account was screwed, and not mine (by for example someone enumerating my contacts and sending messages to me with forged From: fields). And it does look like its just the guy's email account; the headers originated from Yahoo's email servers.

Whoever at Yahoo decided to add a custom header called the Newman ID deserves a raise btw. Newman, of course, was the mailman on Seinfeld. Get it?

Joshua Wieder - Newman
Neeeeeewwwman. ID.
Anyway, I won't drag this out very long because there's not much interesting here. Its just phishing, no malware. Plain, silly phishing. You get to a sign-on page that will never allow you to login:

function validation(){

        if(!document.docContainer.username.value.match(/^[\w\-\.\+]+\@[a-zA-Z0-9\.\-]+\.[a-zA-z0-9]{2,4}$/) || document.docContainer.password.value.lengt
h < 4){ $('#usernameError').fadeIn(50); $('#passwordError').fadeIn(50); return false;}



        if(!document.docContainer.username.value.match(/^[\w\-\.\+]+\@[a-zA-Z0-9\.\-]+\.[a-zA-z0-9]{2,4}$/)){ $('#usernameError').fadeIn(50);  return fal
se;}



        if(document.docContainer.password.value.length < 4){ $('#passwordError').fadeIn(50);  return false;}


        return true;

}


"goto-saketen.com" is, as you might have guessed, a website that sells sake (you can check out some of their booze on their Twitter account). I suspect they are just patsies. Their domain is registered from an hosted in Japan, and their website is entirely in Japanese, which sounds like NBD except snowshoe spam domains almost never meet the basic requirement of being where they say they should be.

Keep an eye out for Dropbox notifications over the next few weeks so you don't get burned.