Electronic signature and digital transaction management firm DocuSign reported a theft of email addresses on May 15. According to DocuSign, no personal information was lost, but a malicious third party gained temporary access to a separate, non-core system that the company uses to send service-related announcements to users via email.
The incident has left the company and its users in a vulnerable state, because the victims are now targets of phishing emails. These emails are aimed at corporate mailboxes and ask the recipient to review and sign work-related documents by clicking a “Review Document” button or link. When opened, however, the link injects malware into the system process svchost.exe.
After the link is clicked, the injected process sends a request to the following malicious URLs:
- civerusenuch.ru
- noaninghedled.ru
The malware then automatically downloads itself onto the system and steals personal credentials from the Chrome browser and Microsoft Outlook. McAfee Labs has also reported that the malware records the user’s keystrokes. With this data extracted from the system, the attacker(s) can go on to send further phishing emails disguised as DocuSign emails, using contact information extracted from Outlook. Such an email will appear genuine and its content may make sense, since the attacker(s) will have done their homework on the email addresses of the intended recipients.
DocuSign has reported that they have taken quick measures to block the unauthorized access and have added further security to their systems. The company has also advised its users to keep their anti-malware software updated.
In the meantime, if you receive emails originating from ‘DocuSign’, it may be best to confirm with the sender that they have in fact sent you the file. Ask if there’s another way to have the document signed.
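Part of that check can be automated during mail triage. The Python sketch below is an added example, not part of the original article or any DocuSign tooling: it flags links to the two callback domains listed above, and any “Review Document” link whose host is not a DocuSign domain. The trusted-domain allow-list and the sample message body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

IOC_DOMAINS = {"civerusenuch.ru", "noaninghedled.ru"}  # listed in the article
# Assumption: hosts treated as genuine DocuSign; replace with your own allow-list.
TRUSTED_DOMAINS = {"docusign.com", "docusign.net"}
LURE_TEXT = "review document"  # button/link label described in the article

def under(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace so "<b>Review</b> Document" still matches.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def triage(html_body):
    """Return (host, reason) findings for one HTML mail body."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if under(host, IOC_DOMAINS):
            findings.append((host, "known callback domain"))
        elif LURE_TEXT in text.lower() and not under(host, TRUSTED_DOMAINS):
            findings.append((host, "Review Document link leaves DocuSign"))
    return findings

# Constructed sample body, not taken from a real message.
SAMPLE = (
    '<a href="https://docusign.com.signing.example/d?id=1"><b>Review</b> Document</a>'
    '<a href="https://www.docusign.net/Signing/x">Review Document</a>'
    '<a href="http://static.noaninghedled.ru/a">terms</a>'
)
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A lookalike host such as `docusign.com.signing.example` is flagged because the match is on the end of the hostname, not on a substring.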