On October 14, 2022, the well-known file hosting platform Dropbox fell victim to a phishing attack. A threat actor created a lookalike CircleCI website; CircleCI is the continuous integration and delivery platform that Dropbox uses. They then sent emails instructing Dropbox employees to sign in on the fake website with their GitHub login credentials plus a one-time password from multi-factor authentication (MFA).
A number of the threat actor’s emails were quarantined. But some slipped through and were delivered to Dropbox employees’ inboxes, and eventually someone took the bait. This meant the threat actor successfully harvested authentication credentials. These credentials were used to access GitHub, where 130 code repositories were accessed. The breached repositories mainly contained API data, but a few thousand names and email addresses of Dropbox employees, current and past customers, sales leads and vendors could be extracted from them.
This forced Dropbox to investigate the breach extensively. It concluded that it needed to adopt the WebAuthn standard more quickly; WebAuthn uses hardware tokens and biometric factors for authentication. Those forms of authentication are more phishing resistant, since they require that specific user or that specific piece of hardware to be present.
A Month Without Resolving the Threat
The CircleCI phishing campaign started almost a month earlier, on September 16. GitHub then learned that a threat actor had impersonated CircleCI in order to harvest GitHub credentials. GitHub itself was not directly impacted, but the organisations using CircleCI were at risk. Upon signing into the fake CircleCI page, the user was prompted to provide an MFA code. The time-based one-time password (TOTP) would then immediately be copied from the fake page by the threat actor and used to access the user’s GitHub account. TOTP is a common MFA method for better securing authentication. But TOTP authentication is not risk-free, as the attack on Dropbox and CircleCI shows.
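The difference between the two factors described above, as an added example that is not part of the original post: a TOTP verifier only checks that the code is valid for the current time step, so a code typed into a lookalike page and relayed within that window is indistinguishable from one typed into the real page. A WebAuthn assertion, by contrast, carries the origin the browser was actually on, and the relying party rejects any origin other than its own. The secret, credential key and lookalike origin are constructed values, and the HMAC stands in for the authenticator’s asymmetric signature.

```python
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://circleci.com"  # the real CircleCI domain, as named in the post


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_login_accepts(secret: bytes, code: str, now: int) -> bool:
    """The real service cannot tell on which web page the user typed the code:
    any code valid for the current time step is accepted, wherever it was collected."""
    return hmac.compare_digest(totp(secret, now), code)


def webauthn_assertion(key: bytes, challenge: str, origin: str) -> tuple[bytes, str]:
    """Simplified authenticator: the browser records the page origin in clientData
    and the authenticator signs over its hash (HMAC used here as a stand-in signature)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return client_data, sig


def webauthn_login_accepts(key: bytes, challenge: str, client_data: bytes, sig: str,
                           expected_origin: str = REAL_ORIGIN) -> bool:
    """Relying-party check: type, challenge and origin must all match before the
    signature is even considered, so a lookalike origin fails regardless of the key."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != challenge or data.get("origin") != expected_origin:
        return False
    expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```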
The attack was successful in part because of how similar the fake CircleCI website looked compared to the real one. GitHub lists that, as of September 27, the identified scam domains included:
For comparison, the real CircleCI domain is just circleci[.]com.
The Challenge of Parrying Cyber Attacks
From the above, it can be concluded that this CircleCI phishing attack shares the very stereotypical tells of phishing: similar-but-not-the-same domains and looks. However, it’s crucial to keep in mind that the almost-identical website only needs a single successful login attempt for that whole account, and the data it can access, to be compromised.
The discussion around phishing can focus on technical security measures. Those include which authentication methods are safe, how to implement better security standards that still enable productivity, and how to limit access in case of a breach. But the less technical aspect which ties all those points together is security awareness. A security awareness approach means that everybody at any given organisation should know the basic security practices and risks. What that entails in turn depends on the user’s role, their access, and the consequences if their account were to be breached. What matters, though, is that security awareness exists at every level of an organisation.
Making Security Awareness a Priority
One way to implement a security awareness initiative is to carry out cyber attack training. In fact, it should take place at every organisation – it’s the very reason phishing attack simulators (such as the one from Microsoft) were created. Repeated training sessions and workshops should be held, detailing best practices, sharing relevant news and turning security into a subject that is talked about and that is on people’s minds. It’s absolutely vital to do what can be done not to lose vigilance. Especially since consciously or subconsciously disregarding tiny signs, which may be the only difference between fake and real, could mean the difference between a breach and no breach.
A high level of security awareness is not a one time achievement – it is a never-ending challenge. It is, however, not a Sisyphean task and it shouldn’t be mistaken as one. Because as we’ve seen, all it takes is one successful breach to seriously jeopardise an organisation’s data, integrity and brand.