Have you received an email asking you to sign a document using DocuSign? You’re not alone: many people use DocuSign’s service to sign sensitive documents over the internet, which makes this phishing scam just subtle enough to catch a lot of people off guard.
DocuSign is a web-based service that allows people to sign documents in a secure environment without having to be there with the physical document. It’s used by mortgage companies, corporations, legal offices, and just about anybody who requires multiple signatures at inconvenient times. That makes it much easier for people to get those papers signed without the hassle of going into the requestor’s business.
Unfortunately, in the quest for convenience, security is always the first thing to be ignored. Because so many people use the service, some of them are bound to be in the middle of a home mortgage or another legal process, where all you’re doing for days is signing an endless mountain of paperwork. This is exactly when you’d expect to get caught off guard and accidentally open a malicious document.
So, what happened?
DocuSign was breached. DocuSign has acknowledged the breach and confirmed that ONLY users’ email addresses were accessed. These belonged to users who had signed up for an account with DocuSign. No documents were accessed, and no information was accessed through the eSignature systems. So, no really important stuff. The phishing emails used spoofed DocuSign branding and were sent to DocuSign’s users and customers.
We have no evidence that there is any impact to any instance of DocuSign, and as part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.
– DocuSign’s Response Team
If you received the email from what you thought was DocuSign, you would have been asked to sign a document, as you normally would. However, it would ask you to download a Word document to sign, which is not normal for DocuSign but still within the realm of possibility. Of course, the Word document is where we find the malicious macros. If you open the Word document and macros are enabled in your Office application, it will initialize the malware.
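Since the lure described above depends on a Word attachment carrying macros, a mail or endpoint triage step can check for a VBA project before anyone opens the file. The following is an added example, not code from DocuSign or the original post; the function names and the constructed sample documents are assumptions made for illustration.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by binary .doc files.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def classify_attachment(data: bytes) -> str:
    """Triage a Word attachment: does it carry a VBA macro project?"""
    if data[:8] == OLE_MAGIC:
        # Binary .doc: macros live in OLE streams; needs a deeper parser.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "not-office"
    if "[content_types].xml" not in names:
        return "not-office"  # a zip, but not an OOXML package
    # OOXML stores the VBA project as a part named vbaProject.bin.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro-enabled"
    return "no-macro-part"

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: OOXML-shaped zip with placeholder parts only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in [
        ("with macro part", build_sample(True)),
        ("without macro part", build_sample(False)),
        ("legacy .doc header", OLE_MAGIC + b"\x00" * 16),
    ]:
        print(f"{label}: {classify_attachment(blob)}")
```

A "no-macro-part" result only means no VBA project is embedded in the package; it is not a verdict that the file is safe, and "legacy-ole" files should be held for deeper inspection.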
So be careful out there. Conveniences are nice, but usually the first to fall.
For more information on the phish itself, please check the IOCs (Indicators of Compromise) document.