A phishing campaign against Dropbox has resulted in an unidentified attacker copying 130 of its private GitHub code repositories and obtaining some of its developer API credentials.
What happened?
The incident began on October 13, when suspicious activity started on one of Dropbox's corporate GitHub accounts; GitHub detected it and alerted Dropbox the next day.
- Dropbox's investigation confirmed that a phishing campaign was behind the activity. The phisher had impersonated CircleCI, a continuous integration and delivery platform.
- Dropbox said its customers were at minimal risk: no customer content, passwords or payment information was accessed, and no code for its core apps or infrastructure was taken.
How the attacker leveraged CircleCI
- Dropbox uses CircleCI for some internal deployments, and its employees sign in to CircleCI with the same GitHub accounts that grant access to Dropbox's private code repositories.
- By posing as CircleCI, the phisher went after a Dropbox engineer's GitHub credentials. Anyone holding those credentials could log in to Dropbox's GitHub organization and copy its private repositories.
The cause behind the breach
Three weeks before the Dropbox incident, GitHub had already warned about phishing campaigns impersonating CircleCI.
- Dropbox employees nevertheless fell for emails that masqueraded as legitimate CircleCI messages.
- The emails directed employees to a fake CircleCI login page, where they entered their GitHub username and password and then used their hardware authentication key to generate a one-time password (OTP), which they also typed into the malicious site. The hardware key offered no protection here: an OTP is just a short code that any page can ask for, and unlike a WebAuthn/FIDO2 authenticator it does not bind the response to the site's origin.
- The site harvested everything that was entered, and the attacker used the password and the still-valid OTP to log in to the victim's GitHub account and reach the work repositories.
This gave the threat actor access to one of Dropbox's GitHub organizations, from which 130 code repositories were copied. Dropbox's security team considers the exposure limited: the repositories held Dropbox's own copies of third-party libraries, slightly modified for its use, along with internal prototypes and some tools and configuration files used by the security team.
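The mechanism described above is easiest to see in code. The following is an added example written for this page, not Dropbox's, CircleCI's or GitHub's code: a constructed simulation in which a fake login page relays a harvested password and a hardware-key OTP to the real service inside the OTP's validity window, beside the same relay attempted against an origin-bound, WebAuthn-style assertion of the kind Dropbox says it is moving to. The origins, the password and all secrets are made up; the assertion uses HMAC in place of WebAuthn's asymmetric signature and rpIdHash so that the example runs offline.

```python
"""Phishable OTP versus origin-bound assertion (constructed simulation)."""
import hashlib
import hmac
import secrets
import struct
import time

LEGIT_ORIGIN = "https://circleci.example"         # assumed stand-in for the real login page
PHISH_ORIGIN = "https://circleci-login.example"   # assumed lookalike run by the attacker


# --- Part 1: hardware key used as a TOTP generator (RFC 6238, HMAC-SHA1) -----
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """The code depends only on the shared secret and the clock, not on
    which web page the user is looking at."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpRelyingParty:
    """Service that checks password + TOTP, accepting one 30 s step of skew
    either side, as most servers do."""
    def __init__(self, password: str, otp_secret: bytes):
        self._password = password
        self._otp_secret = otp_secret

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password, self._password):
            return False
        return any(hmac.compare_digest(code, totp(self._otp_secret, now + d))
                   for d in (-30, 0, 30))


def otp_phish(rp: OtpRelyingParty, password: str, otp_secret: bytes, now: int) -> bool:
    """Victim types password and the code shown by the key into the fake page;
    the attacker forwards both to the real service a few seconds later."""
    harvested = (password, totp(otp_secret, now))   # captured by the phishing page
    return rp.login(*harvested, now=now + 5)        # relayed within the window


# --- Part 2: origin-bound assertion in the style of WebAuthn ---------------
def authenticator_sign(credential_key: bytes, origin: str, challenge: bytes):
    """The browser supplies the page origin and the authenticator binds it
    into the signed data. (Simplified: HMAC instead of a signature.)"""
    sig = hmac.new(credential_key, origin.encode() + challenge, hashlib.sha256).digest()
    return origin, sig


class WebAuthnRelyingParty:
    """Verifies that the assertion was made for this site's origin and that
    it covers the challenge this site issued."""
    def __init__(self, credential_key: bytes):
        self._key = credential_key
        self.origin = LEGIT_ORIGIN

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, signed_origin: str, signature: bytes) -> bool:
        if signed_origin != self.origin:
            return False                    # assertion was produced for another site
        expected = hmac.new(self._key, signed_origin.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def webauthn_login(rp: WebAuthnRelyingParty, credential_key: bytes, page_origin: str) -> bool:
    """A real-time phishing proxy relays the genuine challenge to the victim,
    but the victim's browser is on page_origin, so that is what gets signed."""
    challenge = rp.new_challenge()
    signed_origin, sig = authenticator_sign(credential_key, page_origin, challenge)
    return rp.verify(challenge, signed_origin, sig)


def demo():
    """Returns (otp_relay_accepted, webauthn_relay_accepted, webauthn_legit_accepted)."""
    otp_secret, cred = secrets.token_bytes(20), secrets.token_bytes(32)
    rp_otp = OtpRelyingParty("correct horse battery", otp_secret)   # made-up password
    rp_wa = WebAuthnRelyingParty(cred)
    return (otp_phish(rp_otp, "correct horse battery", otp_secret, int(time.time())),
            webauthn_login(rp_wa, cred, PHISH_ORIGIN),
            webauthn_login(rp_wa, cred, LEGIT_ORIGIN))


if __name__ == "__main__":
    otp_relay, wa_relay, wa_legit = demo()
    print(f"OTP relay accepted: {otp_relay}; WebAuthn relay accepted: {wa_relay}; "
          f"WebAuthn from real site accepted: {wa_legit}")
```

The OTP relay succeeds because nothing in the code ties it to the page it was typed into, while the relayed assertion is rejected as soon as the server compares the signed origin with its own. In real WebAuthn the browser would not even let the lookalike origin exercise a credential scoped to the genuine relying party, so the attack fails one step earlier.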
More details
On October 14, Dropbox cut off the attacker's access to its GitHub organization.
The company has since rotated all developer API credentials that the intruder could have reached.
Dropbox brought in outside forensic investigators after the breach came to light, and says it has found no evidence that the copied code has been abused.
Closing lines
Dropbox already required two-factor authentication, but the OTP-based factor its employees used was phishable. The company was in the process of moving its whole environment to WebAuthn with hardware tokens or biometric factors, which bind the login to the genuine site's origin; the attack has accelerated that rollout.