On October 13, 2014, SecurityScorecard threat intelligence monitoring sensors detected a significant rise in leaked-password chatter originating from Pastebin.com, as shown in Figure 1.1. Unidentified individuals made several postings on the site claiming to possess over 7 million breached Dropbox accounts and released a sample set of 400 to the public. The author of the postings requested donations in Bitcoin and promised to release more data in return. Dropbox denied that the breach came from its servers and stated that a third party had been breached. The Reddit community also examined the breach data at length in a thread.
SecurityScorecard's analysis of the leaked sample shows no special characters and no mixed capitalization anywhere in the passwords, which indicates that they were most likely recovered by cracking hashes with a simple dictionary file rather than copied from a cleartext store. A genuine cleartext dump of user-chosen passwords would normally contain at least some complex ones; a plain dictionary attack recovers only the simple ones, so a set made up entirely of simple passwords looks like cracker output.
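To make that inference concrete, here is an added example of the character-class and dictionary checks it rests on. It is not SecurityScorecard's tooling and it runs on invented data, not the leaked sample: both dump strings, the tiny stand-in wordlist and the verdict thresholds are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed stand-in for the "e-mail:password" sample the teasers posted.
# Every entry is invented for this example; none is leaked data.
SAMPLE_CRACKED_LIKE = """\
alice@example.com:sunshine
bob@example.com:password1
carol@example.com:football
dave@example.com:iloveyou
erin@example.com:monkey12
frank@example.com:dragon
grace@example.com:letmein
heidi@example.com:qwerty
ivan@example.com:abc123
judy@example.com:123456
"""

# A constructed set with the symbols and mixed case a cleartext store would show.
SAMPLE_CLEARTEXT_LIKE = """\
kim@example.com:Tr0ub4dor&3
leo@example.com:correct horse battery staple
mia@example.com:P@ssw0rd!
ned@example.com:sunshine
"""

# Tiny stand-in for a cracking wordlist such as rockyou.txt (assumption).
WORDLIST = {"password", "sunshine", "football", "iloveyou", "monkey",
            "dragon", "letmein", "qwerty", "abc", "123456"}

TRAILING_DIGITS = re.compile(r"[0-9]{1,4}$")

def parse_dump(text):
    """Parse 'email:password' lines. Only the first ':' separates the fields,
    so a password containing ':' survives; blank or malformed lines are skipped."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if email and password:
            creds.append((email, password))
    return creds

def char_classes(password):
    """Which character classes one password uses."""
    return {
        "lower": re.search(r"[a-z]", password) is not None,
        "upper": re.search(r"[A-Z]", password) is not None,
        "digit": re.search(r"[0-9]", password) is not None,
        "special": re.search(r"[^A-Za-z0-9]", password) is not None,
    }

def dictionary_hit(password, wordlist=WORDLIST):
    """True if the password is a wordlist entry, or one with up to four digits
    appended: the candidates a plain dictionary attack with an append rule tries."""
    base = TRAILING_DIGITS.sub("", password).lower()
    return base in wordlist or password.lower() in wordlist

def composition_stats(passwords, wordlist=WORDLIST):
    """Fraction of the set in each category; the numbers behind the
    'no special characters, no mixed case' observation."""
    counts = Counter()
    for pw in passwords:
        c = char_classes(pw)
        counts["special"] += c["special"]
        counts["mixed_case"] += c["lower"] and c["upper"]
        counts["digit"] += c["digit"]
        counts["lower_only"] += c["lower"] and not (c["upper"] or c["digit"] or c["special"])
        counts["dictionary"] += dictionary_hit(pw, wordlist)
    n = len(passwords)
    return {k: counts[k] / n for k in
            ("special", "mixed_case", "digit", "lower_only", "dictionary")}

def assess(dump_text, wordlist=WORDLIST, complex_max=0.05, dictionary_min=0.75):
    """Heuristic verdict on a dump. Thresholds are assumptions for this example:
    users' real cleartext passwords show a noticeable share of symbols and mixed
    case, while dictionary-attack output over hashes is dominated by lowercase
    words and word+digits, because those are the only candidates it tried."""
    creds = parse_dump(dump_text)
    if not creds:
        return {"n": 0, "verdict": "no data"}
    stats = composition_stats([pw for _, pw in creds], wordlist)
    complex_share = max(stats["special"], stats["mixed_case"])
    if complex_share <= complex_max and stats["dictionary"] >= dictionary_min:
        verdict = "consistent with dictionary-cracked hashes"
    elif complex_share > complex_max:
        verdict = "complex passwords present: cracked-output explanation is weaker"
    else:
        verdict = "inconclusive"
    stats.update(n=len(creds), verdict=verdict)
    return stats
```

Calling `assess(SAMPLE_CRACKED_LIKE)` returns zero for both `special` and `mixed_case` with every password matching the wordlist, the profile the post describes; `assess(SAMPLE_CLEARTEXT_LIKE)` trips the complexity threshold instead. On a real sample the wordlist would be the one a cracker would actually use, and the 400-entry sample size should be kept in mind before drawing conclusions about the whole 7 million.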
Furthermore, taking Dropbox's official denial into account, the passwords most likely came from a combination of earlier breaches of other services, and the posters were simply running them through Dropbox "checkers" looking for valid accounts. In the hacking underground, a "checker" is a script that tries long lists of e-mail:password combinations against a variety of websites, looking for users who reuse their credentials.
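The defender's counterpart to the checker described above, as an added example that is not part of the original post and not Dropbox's own tooling: a checker run shows up in login logs as one source trying many distinct accounts in a short window with mostly failures, and the few successes are exactly the reused credentials worth resetting. The log format, the addresses and the thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed login-audit lines in an assumed "timestamp ip account result" format.
# Addresses come from documentation ranges; the events are invented for this example.
LOG_LINES = [
    "2014-10-13T22:01:00Z 203.0.113.7 alice@example.com FAIL",
    "2014-10-13T22:01:01Z 203.0.113.7 bob@example.com FAIL",
    "2014-10-13T22:01:01Z 203.0.113.7 carol@example.com FAIL",
    "2014-10-13T22:01:02Z 203.0.113.7 dave@example.com OK",
    "2014-10-13T22:01:02Z 203.0.113.7 erin@example.com FAIL",
    "2014-10-13T22:01:03Z 203.0.113.7 frank@example.com FAIL",
    "2014-10-13T22:05:00Z 198.51.100.4 grace@example.com FAIL",
    "2014-10-13T22:05:30Z 198.51.100.4 grace@example.com FAIL",
    "2014-10-13T22:06:00Z 198.51.100.4 grace@example.com OK",
    "2014-10-13T22:10:00Z 192.0.2.9 heidi@example.com OK",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_line(line):
    """Return {ts, ip, user, result} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "result": result}

def detect_checkers(lines, window_s=60, min_accounts=5, min_fail_ratio=0.6):
    """Flag a source IP when, inside any window_s-second sliding window, it tries
    at least min_accounts distinct accounts and at least min_fail_ratio of the
    attempts fail. A legitimate user retrying one account never trips this; a
    checker iterating a combo list does. Successful logins inside a flagged
    window are returned as 'hits': accounts whose reused password worked and
    which should be reset or challenged. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        for ev in events:
            window.append(ev)
            # drop events that fell out of the trailing window
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            accounts = {e["user"] for e in window}
            failures = sum(e["result"] == "FAIL" for e in window)
            if len(accounts) >= min_accounts and failures / len(window) >= min_fail_ratio:
                a = alerts.setdefault(ip, {"accounts": set(), "hits": set()})
                a["accounts"] |= accounts
                a["hits"] |= {e["user"] for e in window if e["result"] == "OK"}
    return {ip: {"accounts": sorted(a["accounts"]), "hits": sorted(a["hits"])}
            for ip, a in alerts.items()}
```

On the constructed lines, `detect_checkers(LOG_LINES)` flags only 203.0.113.7 (six accounts in three seconds, five failures) and reports dave@example.com as the hit; the user at 198.51.100.4 who mistyped one password twice is not flagged. In production the per-IP view is the weak link, since checkers spread attempts across proxies, so the same counting is usually also done per ASN or per device fingerprint.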
A statement issued by Dropbox underscores the importance of not reusing passwords and of enabling two-factor authentication wherever it is available.
Fig 1.1 - Rise in leaked password chatter from SecurityScorecard.com
What is particularly interesting about this fake breach announcement is that malicious actors also attempted to monetize the hysteria, extracting Bitcoin and other items of digital value from people seeking more information about the incident.
Analysis of the Bitcoin address given in the first few postings shows that the author received at least 3 separate transactions totaling 0.0032 BTC, as shown in Figure 1.2 (approximately $1 USD at the time of writing). The Bitcoin address is 1Fw7QqUgzbns7yWHH32UnmMxmMMwu6MC6h.
Fig 1.2 - Blockchain data for 1Fw7QqUgzbns7yWHH32UnmMxmMMwu6MC6h
Shortly after the first three teaser postings, additional posts appeared from other individuals using different Bitcoin addresses and spam links. These are presumably different malicious actors using copycat methods and the hype surrounding the breach to divert traffic and funds into their own pockets. The follow-up fake teaser postings contained different Bitcoin addresses that had received no transactions, as well as links to adult-oriented affiliate network websites that encouraged users to sign up in exchange for breached data.
Because Bitcoin blockchain data is public, it is easy to measure the success of the donation campaign. Analysts have no such visibility into the affiliate statistics of the rippers (the underground term for scammers who take payment and deliver nothing) to gauge how many sign-ups they obtained. If the original $1 earned by the mastermind of this campaign is any indication, the copycats have most likely seen $0.
In this case, the old adage holds: crime just does not pay.
http://pastebin.com/NtgwpfVm - DROPBOX HACKED First Teaser
http://pastebin.com/1AZQ7McK - DROPBOX HACKED Second Teaser
http://pastebin.com/aRgTJzzg - DROPBOX hack Third Teaser
http://pastebin.com/2z8tPqnA - DROPBOX HACKED Fourth Teaser - AdFly PPC link
http://pastebin.com/CsN3SrGA - DROPBOX HACKED Fifth Teaser - removed by pastebin
http://pastebin.com/jHEjBLrQ - DROPBOX HACKED Sixth Teaser - New BTC address used
http://pastebin.com/Xu9PFnLv - DROPBOX HACKED Seventh Teaser - Links to XXX spam