Information security now!
This week, we'll talk about credential phishing using the popular file-sharing service Dropbox. Other topics include the risk of data leakage from an unconfigured service, risk management in software security and current scams.

Email credentials being harvested using Dropbox – account takeover follows within minutes
The NCSC-FI has recently received several reports of data breaches of Microsoft 365 user accounts. In particular, criminals are exploiting PDF files shared from Dropbox to harvest email login credentials. In cases reported to the NCSC-FI, login attempts on the account have followed within minutes of the credentials being entered on the phishing page.
The phishing process:
- In some cases, the target first receives an email announcing that a message from Dropbox will follow shortly.
- The target is then sent a phishing email via Dropbox with a link to a PDF file shared on the service, for example a file named LASKU_INV_PO300125.PDF. The share may appear to come from someone the target knows.
- The link in the email leads to a genuine Dropbox page. Instead of the promised PDF file, the page presents a form asking the person to enter their email username and password to "verify their identity" before the PDF can be opened.
- If the person enters their username and password on this form, criminals can take control of the account and use it, for example, to commit fraud and send new phishing messages. Breached accounts have been used to distribute thousands of phishing messages.
- In cases brought to the attention of the NCSC-FI, a mailbox rule is added to the hijacked account that moves every incoming message containing the word "dropbox" to the RSS Feed folder. The aim is to hide the suspicious activity in the account from its owner.
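As a detection-side illustration of the mailbox rule described above (an added example, not part of the NCSC-FI review), the following Python code screens Microsoft 365 audit log inbox-rule events for rules that key on a word such as "dropbox" and then hide, delete or silence the matching mail. The sample records, the keyword and folder watch-lists and the scoring heuristic are assumptions constructed for this example.

```python
# Constructed sample records in the shape of Microsoft 365 Unified Audit Log
# Exchange entries (Operation plus Parameters as Name/Value pairs). Not real data.
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.invalid", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "dropbox"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.invalid", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "From", "Value": "news@example.invalid"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.invalid", "Parameters": [
        {"Name": "Identity", "Value": "Invoices"},
        {"Name": "SubjectContainsWords", "Value": "invoice;dropbox"},
        {"Name": "DeleteMessage", "Value": "True"}]},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
KEYWORD_PARAMS = {"SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords"}
# Assumed watch-lists: words a phished user would look for, and folders people rarely open.
SUSPECT_WORDS = {"dropbox", "phishing", "password", "hacked", "suspicious"}
HIDING_FOLDERS = ("rss", "junk", "archive", "conversation history")


def assess_rule(record):
    """Return the reasons an inbox-rule audit event looks like a concealment rule."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}
    reasons = []
    words = {w.strip().lower() for k in KEYWORD_PARAMS
             for w in p.get(k, "").split(";") if w.strip()}
    if words & SUSPECT_WORDS:
        reasons.append("filters on suspicious keyword(s): " + ", ".join(sorted(words & SUSPECT_WORDS)))
    if any(h in p.get("MoveToFolder", "").lower() for h in HIDING_FOLDERS):
        reasons.append("moves matches to rarely viewed folder " + repr(p["MoveToFolder"]))
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    if "Name" in p and len(p["Name"].strip()) <= 1:
        reasons.append("near-empty rule name")  # e.g. "." hides among real rules
    return reasons


def find_concealment_rules(records):
    """Flag rules that key on a suspicious word AND hide or delete the mail."""
    hits = []
    for r in records:
        reasons = assess_rule(r)
        if any(x.startswith("filters on") for x in reasons) and len(reasons) >= 2:
            hits.append({"user": r.get("UserId"), "operation": r["Operation"], "reasons": reasons})
    return hits
```

In a real tenant the records would come from the Unified Audit Log export; the heuristic deliberately ignores rules such as Bob's, which move mail by sender into an ordinary folder.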

Prevent, report, react
- The NCSC-FI urges all Microsoft 365 customers to warn their staff about phishing.
- Enforcing multi-factor authentication is an effective protection against phishing.
- We also recommend that you check internally whether users in your organisation need the right to install applications directly in your Microsoft 365 subscription.
- Where possible, introduce Conditional Access rules for M365 services. Conditional Access rules can prevent a data breach even if your email credentials fall into the hands of a criminal.
If you suspect you have received a phishing message, report it to your organisation's IT support. You can also report the phishing message and its links to the NCSC-FI. The NCSC-FI will investigate the link in the message and take action to have the malicious site taken down.
Unconfigured Jira Service Management may allow an outsider access to the environment
The NCSC-FI has been informed that a Jira Service Management environment left at its default settings may allow an outsider to create local user accounts and, for example, bypass a poorly configured SSO. This can give an outsider access to information that is not intended to be public. We recommend that you check and, if necessary, reconfigure your Jira Service Desk environment without delay.
When exposed to the public internet, Jira Service Desk allows an outsider to create a local user account by default. Depending on the environment, after creating a new account an external party may be able to do at least the following:
- Access internal data and company personnel data
- Access forms that can be used to, for example:
  - Order new usernames
  - Order a password reset
  - Request changes to SAP master data
  - Order new servers
  - Order firewall changes
  - Order changes to access rights
Abuse of this feature may also expose the organisation to phishing campaigns that draw on information obtained from Jira.
We recommend that organisations restrict the creation of new accounts and Jira's visibility on the internet. It is also a good idea to check for and remove any surplus user accounts created in an environment that was running with the default configuration.
Risk management key to software security
Software vulnerabilities are a favourite target for cybercriminals, and outdated components, for example, can leave a system open to attack. Secure software development is not just a technical requirement: it underpins business continuity and customer confidence.
Software risk management means identifying, assessing and managing risks throughout the software life-cycle. The upcoming EU Cyber Resilience Act (CRA) will tighten requirements and oblige companies to take information security into account at an early stage of development.
However, risk management is not only a regulatory obligation but also a competitive advantage. Proactive risk management helps to identify software development and procurement risks early, reducing repair costs and security threats.
Risks vary at different stages of the software life-cycle. During development, it is important to set clear security requirements; during procurement, to verify the reliability of third-party components; and during operation, to manage updates and the retirement of obsolete technologies so that the software stays secure and available.
Recently reported scams
In this summary, we provide information about scams reported to the NCSC-FI during the past week.
WHAT TO DO IF YOU GET SCAMMED
- Immediately contact your bank if you have made a payment based on a scam or a criminal has gained access to your online banking service or payment card information.
- File a police report. You can file a police report online.
- You can also report the incident to the NCSC-FI.
- Guidance for victims of a data leak
Learn how to detect and protect yourself against online scams
ABOUT THE WEEKLY REVIEW
This is the weekly review of the National Cyber Security Centre Finland (reporting period 31 January–6 February 2025). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cybersecurity specialists to regular citizens.