Cyber Security Alert: Dropbox phishing campaign continuing to target Australian healthcare entities

Cyber Security Alert: Dropbox phishing campaign continuing to target Australian healthcare entities

18 April, 2024

Stay alert - Dropbox phishing campaign continuing to target Australian healthcare entities

About this alert

  • The Australian Digital Health Agency continues to observe an ongoing campaign of phishing emails being sent to Australian healthcare organisations.
  • The following alert is to inform you to be aware of this email and provide you with tips on how to identify and appropriately respond to scams.

About this scam

  • The emails in circulation have the subject ‘Dropbox’ or ‘Dropbox Shared’.
  • The email claims recipients have ‘important documents’ to review via Dropbox and attempts to trick an individual into sharing their username and password to access the non-existent documents.
  • These emails are being sent from a variety of users. Many are official email accounts of healthcare entities which have been compromised by cybercriminals and used to conduct phishing attacks. This type of scam is known as Business Email Compromise (BEC).
  • The phishing emails come in a set of two.
  • The first email is sent from a compromised email account, possibly an account that belongs to an existing and trusted contact, stating that they will send a file through Dropbox.

Email 1 sample:

The second email from Dropbox is sent shortly after and links to a PDF file. The PDF file contains a link to a malicious webpage, which prompts the individual to enter their credentials to view the file.

Email 2 sample:

How could this impact my organisation?

  • If an email account is successfully compromised by the campaign, it will be taken over and used to send further malicious emails to other email addresses as well as contacts known to the account. Additionally, the attackers may steal any emails within the compromised inbox, potentially leading to sensitive personal health or financial data being compromised.
  • The account access may be sold to other threat actors and used to gain access to your network to allow them to deploy malware, steal data, or encrypt your systems with ransomware.

What do I need to do?

  • Inform your staff of the ongoing phishing campaign.
  • Advise staff to be extremely wary of unsolicited emails asking them to login to view files.
  • If you believe your organisation may have been compromised by the campaign:
    • Ensure all email and user account passwords are reset.
    • Ensure multifactor authentication is enabled for email accounts.
    • Check for logins to accounts from unknown locations and overseas IP addresses.
    • Check email accounts for unknown mail rules (such as automatic email forwarding to unknown email addresses).
  • If you receive an email and are doubting its validity, contact the organisation directly. Visit the official website to find their phone number. Never use details or links provided in the suspicious email.
  • If your organisation has been affected and your organisation has access to the My Health Record system, please email for support.

Where can I get more information?