Spam Alert - Email Spoofing with Dropbox Link to Cryptolocker Virus

This month we've seen a big surge in spam email with dropbox links to a file infected with the dangerous Cryptolocker / Cryptowall viruses. In some cases, email spoofing is used to make it look like the sender is another user in your email domain. As always, DO NOT CLICK THE LINK OR DOWNLOAD THE FILE.

How Dropbox Link / Cryptolocker Spam Works

You receive an email with a subject line that sounds urgent. With this campaign, a popular subject is "FW: ACH Notification", to make you think the email is about a payroll deposit, vendor payment, etc.

The body of the email tells you that a document, such as a "summary of Origination activity" is waiting for you to download and includes a link to a Dropbox file.

DO NOT CLICK THE LINK. The link in the spoofed email we've been seeing is to a file infected with the dangerous Cryptolocker or Cryptowall virus.

Cryptolocker Email Spoofing Spam

Spoofed email has a link to a Dropbox file infected with the Cryptolocker virus.

Email Spoofing Makes it More Dangerous

This campaign includes spoofed emails to trick people into thinking the link is safe to click. In email spoofing, the sender disguises his/her actual email address. It's actually very simple to do.

Here, the email looks like it came from someone else in your email domain. So, if you work for Example, Inc. and your email is, the From address might look something like "". You think the email is safe, so you click the Dropbox document and run it. Bad move.

As always, use caution with any message that you weren't expecting, or that seems out of place. One of our threat analysts, Bryce, warns that "even though services like Dropbox, Google Docs, etc. may be legitimate and useful, any kind of service providing a free account can be used for malicious purposes. It is ridiculously easy to spoof a sending address and fool the recipient into thinking the email is coming from a friend."

How We Block This Spam

This type of spam is difficult for some spam filters to identify and block. Typical antispam programs rely heavily on "IP filtering" (the address of the computer that sent the spam email). But it's easy and cheap for spammers to change the sending server, so they do it a lot. Many spam filters can't keep up, leaving their customers vulnerable.

Our 24/7/365 live threat analysts were able to identify this campaign and block it with our unique phrase filtering. As they learned more about it, like where it was coming from and the URLs of the Dropboxes, they were able to block the campaign in a variety of ways.

Because we employ multiple types of filters and have 24/7/365 live threat analysts, we are able to respond quickly and filter out nearly all of this dangerous spam.

Exceptional Anti-Spam and Secure Cloud Email for Business

If you're seeing a lot of spam or too many legitimate emails are being sent to your junk folder, you're wasting time and money every day dealing with this pervasive and dangerous issue.

SpamStopsHere was designed for business. Our live spam review team analyzes and blocks threats 24/7/365, so we can filter out 99.5% of spam and still deliver 99.999% of legitimate email to our customers. It's cloud based, secure and easy to use. There's no additional hardware or software to buy, no maintenance, and no tuning required. Get more info here.

SpamStopsHere and our other secure Cloud email services (hosting, encryption and archiving) also come with 24/7/365 live support.

If a conversation about secure email makes sense for your business, give us a call, chat or email anytime. We're always here. 24/7/365. | 800-458-3348 | 734-426-7500 |

"Twitter" and "Tweet" are marks of Twitter, Inc. This article is for informational purposes and is not meant to suggest sponsorship or endorsement by Twitter, Inc.