This week we have seen a spike in fake DocuSign requests which are being used for phishing or malware distribution. DocuSign is a service used many businesses to facilitate electronic signature of documents without the need to fax or mail physical copies. However, like any popular and convenient service, DocuSign emails are being faked by spammers intent on phishing credentials or worse. The current attack starts with an email.
The results of clicking on the link will vary depending on what sort of computer you are using. From a Mac you get to a generic email phishing page that looks like this.
From a Windows machine, the link will download a malicious Word document. The Virustotal analysis of this file is here. At the time of writing twenty-seven antivirus packages are flagging this file as malware, but yesterday only eight were. The Word document contains the Hancintor downloader, which downloads other malware packages. These appear to be aimed at collecting passwords and other sensitive information, as well as allowing for further malware installation. There are more technical details of the attack and the command and control structure at https://techhelplist.com/spam-list/1139-2017-05-09-completed-domain-wire-transfer-instructions-for-username-document-ready-for-signature-malware
DocuSign is mostly used by businesses, so this attack seems to be aimed at infiltrating enterprises rather than compromising individuals. What’s more the attacker is not trying to cash in with a quick ransomware installation, but to gain control of bank account or payroll credentials for a longer term but more profitable attack. Of course, if the credentials don’t turn up, the attacker can still install ransomware later.
As always, don’t click on links in emails that you are not expecting, even if the source appears to be a trusted one. It’s also a good idea for enterprises to keep any online banking or financial management on a computer that is not used to read email. Since no defense is completely impenetrable, good security depends on compartmentalization as much as fortification.
UPDATE May 17, 2017. DocuSign has now confirmed that the email addresses targeted by this attack were harvested in a breach of their system. They state that, “…a malicious third party had gained temporary access to a separate, non-core system used for service-related announcements… only a list of email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed…”