
DocuSign case shows the importance of solid cybersecurity

A new spear-phishing campaign specifically targeted dozens of executives across multiple industries.

Image: — © AFP

The latest target for hackers is the world of electronic documents. News has come in that scammers have run a malicious DocuSign-themed campaign in an attempt to steal the credentials of over 10,000 people.

Looking into the background surrounding this issue for Digital Journal is Joe Gallop, Cyber Threat Intelligence Manager at Cofense.

Gallop begins by considering the overall vulnerability of electronic document systems: “DocuSign spoofing is common for a reason. DocuSign-themed phishing emails regularly make their way past secure email gateways and into users’ inboxes.”

Phishing is a form of identity theft where cybercriminals build webpages that impersonate well-known websites (in part or whole) with the goal of stealing sensitive information, such as usernames, passwords and credit card details.

One reason for this is the popularity of the service, as Gallop assesses: “While the campaign identified by Armorblox shows how DocuSign can be spoofed in mass phishing campaigns (with no personalized information or document content), we’ve also seen it used in very targeted ways.”

“At first glance, the email seems to be a legitimate communication from DocuSign, with the sender name being manipulated by the attacker, reading DocuSign,” reads the Armorblox technical write-up.

“However, the email address and domain show us no association to the company – hard to see on mobile devices where end users frequently open email communications from,” the Armorblox statement continues.

In terms of specific campaigns of concern, Gallop identifies: “Recently, we identified a spear-phishing campaign that specifically targeted dozens of executives across multiple industries (but primarily in the insurance industry), asking execs to sign a ‘Settlement Agreement’ or ‘Distribution Agreement’, rather than the generic documents used in untargeted campaigns.”

There are more dangerous attacks out in cyberspace, and Gallop draws attention to these: “In even more subversive attacks, threat actors will actually create real DocuSign documents rather than just spoofing DocuSign in an email, in hopes that recipients will let down their guard after reaching the DocuSign domain. The threat actors then place malicious links in the document, leading victims to click through to phishing pages or other malicious resources.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
