While WannaCry is Making Headlines Docusign Breach Quietly Endangers Users

Rather than write the 1000th post about WannaCry (although our Partners at Proofpoint, their Engineer Darien Huss and a fellow called MalwareTech deserve a serious shout-out from the world for stopping WannaCry) I decided to cover something with potentially huge financial implications that has virtually gone under the radar by comparison.

While WannaCry was grabbing the cybersecurity headlines for the week, it turns out that online signature giant DocuSign was more quietly and in a rather methodical fashion, publicly disclosing the details of a significant and serious cyberbreach themselves.

Here’s an abbreviated timeline of what we know so far from DocuSign themselves.

Update 5/9/2017 – Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature”.

The email contains a link to a downloadable Word Document which is designed to trick the recipient into running what’s known as macro-enabled-malware.

Update 5/15/2017 – Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: Completed *company name* – Accounting Invoice *number* Document Ready for Signature;The email contains a link to a downloadable Word Document which is designed to trick the recipient into running what’s known as macro-enabled-malware.

These emails are not associated with DocuSign. They originate from a malicious third-party using DocuSign branding in the headers and body of the email. The emails are sent from non-DocuSign-related domains including dse@docus.com. Legitimate DocuSign signing emails come from @docusign.com or @docusign.net email addresses.

Update 5/15/2017 – Latest update on malicious email campaign

Last week and again this morning, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts here on the DocuSign Trust Site and in social media. The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software. As part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.

However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

Update 5/16/2017 @ 8:55 Pacific Time – Key Update on Malicious Campaign

Q: Have the email addresses of my employees, customers or customers’ customers been exposed as part of this incident?
A: As part of our ongoing investigation, we can now confirm that no signers were on the list of email addresses that was accessed maliciously unless they had signed up for a DocuSign account. That could include direct DocuSign customers; someone who signed a document and elected to open a DocuSign account; or someone who signed up for a DocuSign freemium account – via docusign.com, through a partner integration, or via the DocuSign mobile client.

Update 5/17/2017 @ 1:02 PM Pacific Time – New Phishing Campaign Discovered Today

DocuSign has observed a new phishing campaign that began the morning of May 16 (Pacific Time). The email comes from “dse@dousign.com” with the subject “Legal acknowledgement for <person> Document is Ready for Signature” and it contains a link to a malicious, macro-enabled Word document. We suggest you do not open this email, but rather delete it immediately.

The Ultimate Phishing Scam?

This may very well be the ultimate spear phishing campaign. While the number of email addresses compromised has not been disclosed, we can assume it is A LOT and a considerable portion of those affected routinely use DocuSign multiple times a month, if not weekly or daily. Since DocuSign emails are both expected and “trusted” we can only further assume that these phishing campaigns are being effective. No official report on just how effective, so far, but perhaps we’ll get an update further details emerge.

It seems likely that this scam will continue for a very long time given that DocuSign reportedly has 100 million users.

The Lesson You Can Learn

“However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses.” (Emphasis added)

The lesson to be learned here is that in today’s world no part of your network can be considered “non-core” when it comes to security. If the data is worth saving within your network, it is worth protecting!

Konsultek and Its Partners

Konsultek and its partners like Proofpoint, CheckPoint, ForeScout, CarbonBlack and many others work together to build custom security solutions for businesses of all sizes in all markets. When you’re ready to learn about your network vulnerabilities and how to correct them please give us a call.

 

© Copyright 2018 Konsultek