Today we’ve got something new for Dropbox users to watch out for: a new spam campaign spreading the Zeus Trojan. The domain caught our eye on Oct 18th, when it triggered one of our data-driven predictive engines that monitor spikes in traffic. Notice how the volume of queries to the site surged from zero to several hundred in a matter of minutes.



The domain bears a resemblance to our long-time friend @ConradLongmore’s site, and he confirmed that it is not associated with him.



Later that day, Conrad confirmed that the site is associated with a Dropbox spam campaign that leads to Zeus Trojan infections. Conrad recently exposed a Pinterest spam campaign, so it is actually rather sweet that the spam operators referenced his blog with the domain used in this Dropbox campaign.


We performed a quick analysis of the network entities involved, which led to other domains of interest, and we can show them here in a nice graph for our readers to enjoy. Three other domains are using the same fast-flux network; consider them part of the same gang.
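The kind of pivot described above, from one campaign domain to others on the same fast-flux network, can be sketched as follows. This is an added example, not OpenDNS's code: the passive-DNS records, the `.example` domain names, the function names and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (domain, resolved IP, TTL seconds).
# All names use .example and all IPs are from documentation ranges.
RECORDS = [
    ("seed-campaign.example", "192.0.2.10", 150),
    ("seed-campaign.example", "192.0.2.23", 150),
    ("seed-campaign.example", "198.51.100.7", 150),
    ("seed-campaign.example", "203.0.113.40", 150),
    ("sibling-one.example", "192.0.2.10", 120),
    ("sibling-one.example", "198.51.100.7", 120),
    ("sibling-one.example", "203.0.113.40", 120),
    ("sibling-one.example", "203.0.113.77", 120),
    ("sibling-two.example", "192.0.2.23", 300),
    ("sibling-two.example", "203.0.113.40", 300),
    ("sibling-two.example", "198.51.100.99", 300),
    ("shared-host.example", "192.0.2.10", 86400),  # one overlapping IP only
    ("unrelated.example", "198.51.100.200", 3600),
]

def build_index(records):
    """Map each domain to its set of IPs and its lowest observed TTL."""
    ips, min_ttl = defaultdict(set), {}
    for domain, ip, ttl in records:
        ips[domain].add(ip)
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return ips, min_ttl

def looks_fast_flux(domain, ips, min_ttl, min_ips=3, max_ttl=300):
    """Heuristic with assumed thresholds: many distinct A records, short TTLs."""
    return len(ips[domain]) >= min_ips and min_ttl[domain] <= max_ttl

def related_domains(seed, records, min_shared=2):
    """Return {domain: Jaccard overlap} for flux-like domains sharing IPs with seed."""
    ips, min_ttl = build_index(records)
    result = {}
    for domain, addrs in ips.items():
        if domain == seed:
            continue
        shared = ips[seed] & addrs
        # Require several shared IPs so one shared-hosting address is not a match.
        if len(shared) >= min_shared and looks_fast_flux(domain, ips, min_ttl):
            result[domain] = round(len(shared) / len(ips[seed] | addrs), 2)
    return result

if __name__ == "__main__":
    for name, score in sorted(related_domains("seed-campaign.example", RECORDS).items()):
        print(f"{name}\tjaccard={score}")
```

Requiring more than one shared address, plus the short-TTL check, keeps a domain that merely sits on the same shared-hosting IP out of the cluster.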



These domains and their associated domains have been blocked for OpenDNS customers since the phish/malware campaign first broke out on Oct 18th, so our users can rest assured that they are safe.

