The email includes a sad-faced-computer-thinking-about-Dropbox cartoon graphic and a 'Reset Password' button. Clicking the reset button does not, of course, start a password reset; instead it leads the user to a web page that claims the user's browser is out of date.
"We detected your browser is NOT up-to-date," it says, inviting the user to select which browser out of Chrome, Internet Explorer or Firefox should be updated. However, warns AppRiver in a blog posting, "Clicking anything in the linked notification page downloads a file ieupdate.exe. The file is a Trojan that is part of the Zeus family."
AppRiver notes that all of the links in the email messages came from 54 unique domains, but the malware itself is downloaded from the newly registered dynamooblog.ru. The name would appear to be a joke, because blog.dynamoo.com is a genuine security blog that has been writing about the suspected attackers known as RU:8080.
Last week Conrad Longmore at Dynamoo wrote "fake Pinterest spam leads to a malicious download on alenikaofsa [dot] ru:8080 [/] ieupdate [dot] exe" (notice the same malicious file), and asked, is this "the return of the RU:8080 gang?"
Two days later, on Friday last week, he found new Dropbox scam emails that are similar but not identical to the one found by AppRiver. "We have a warning in our system," it claims, "that you recently tried to login to Dropbox with a password that you haven't changed long time already. Your old password has expired and you'll need to create a new one to log in."
"Well it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page of dynamooblog.ru." He adds, "The domain dynamooblog [dot] ru was registered yesterday to the infamous Russian 'Private Person' and is hosted on a lot of IPs that have been serving up Zbot for some time."
Despite the difference in the emails, the intent is the same: to install a Zeus derivative via dynamooblog [dot] ru. One encouraging detail is how fast detection improved. When Longmore tested the malware against VirusTotal in his first blog post (Wednesday), only one out of 48 anti-virus engines (Kaspersky) detected it as malware. When he tested it again on Friday, 29 engines detected it, demonstrating how quickly the anti-virus industry reacts when it comes across new malware.
Nevertheless, users should remain very careful if they receive any password reset email – and especially if the password is for Dropbox.
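The mismatch at the heart of this lure, a Dropbox-branded reset button whose link goes somewhere other than Dropbox, can be checked mechanically on the mail gateway or in triage. The following is an added example, not code from AppRiver or Dynamoo; the sample email, the host `lure.example`, the `BRAND_DOMAINS` allow-list and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAINS = {"dropbox.com"}  # assumption: domains the genuine sender links to


class LinkCollector(HTMLParser):
    """Collect the href of every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def on_brand(host):
    """True only for the brand domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def suspicious_links(html_body):
    """Return (href, reasons) for web links in a brand mail that look wrong."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href in parser.hrefs:
        url = urlsplit(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto: and similar links are out of scope here
        reasons = []
        if not on_brand(url.hostname):
            reasons.append("off-brand host")
        if url.port not in (None, 80, 443):
            reasons.append("non-standard port")
        if url.path.lower().endswith(".exe"):
            reasons.append("direct executable download")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample body: only the "Help" link really points at Dropbox.
SAMPLE = """<p>Your old password has expired.</p>
<a href="http://lure.example:8080/reset">Reset Password</a>
<a href="https://www.dropbox.com/help">Help</a>
<a href="http://dropbox.com.lure.example/ieupdate.exe">Update</a>"""
```

Note that the third link embeds `dropbox.com` as a leading label of another domain; the suffix comparison in `on_brand` is what keeps it from passing as genuine.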