DocuSign warns against phishing scam

San Francisco-based DocuSign Inc., global provider of electronic signature and digital transaction management solutions, warned of a phishing campaign with malicious code that began circulating May 16, 2017. Company representatives recommend deleting and not opening suspicious emails that contain non-PDF attachments, suspicious URLs and spelling errors. The trending phishing attack from "dse@dousign.com" misspells DocuSign and contains a macro-enabled Microsoft Word document, they noted.

Preliminary reports from forensic investigators indicated no names, physical addresses, passwords or sensitive data were stolen. DocuSign customer privacy and documents remain intact, and the company has asked users to forward suspicious emails to spam@docusign.com.

Phishing attacks proliferate

Security analysts say DocuSign's use of push notifications makes the company attractive to email scammers. "The DocuSign business model relies on a DocuSign branding push via their notification emails, and that makes them and their customers more vulnerable to attacks such as this," said John Gunn, Chief Marketing Officer at VASCO Data Security International Inc. "No one is immune to the threat of attacks, but we believe that our twenty years of experience in the IT security segment is a real asset for us and our customers."

Doron Davidson, co-founder, Vice President Business Development and Customer Success at SecBI Ltd., noted the email scheme is a continuation of phishing trends designed to lure users to open malware-laden documents. "This illustrates that, time and again, cyber criminals manage to breach the trust between users and security vendors, and penetrate organizations," he said. "Even more worrying is the fact that the documents were weaponized with the Hancitor downloader. Hancitor downloads either the credential-stealing Pony, EvilPony or ZLoader malware."

Detection, containment

Davidson said it is fortunate that DocuSign detected and contained the breach before sensitive information was ex-filtrated across the company's 250,000 business accounts and 100 million end users. "We see this as another failure of prevention mechanisms and hope that many more organizations will assume a breach at one point or another and proactively seek to hunt these threats," he added.

The DocuSign security team posted the following additional recommendations on the company's website for protecting against phishing attacks:

• Leverage DocuSign's custom, automated tooling and threat intelligence feeds by forwarding suspicious emails to the company's spam detection service.

• Implement machine learning and algorithms to detect anomalies.

• Use performance dashboards and visualizations to detect phishing trends.

• Use DMARC: Domain-based message authentication, reporting and conformance to detect and reject spoof emails designed to look like DocuSign emails.

• Be proactive against attacks by conducting forensic investigations and credential seeding.

• Partner with security vendors and law enforcement organizations to stay current on trending activities in the ever-changing threat landscape.

Learning to properly detect and avoid online and email scams is the best protection against fraud, the company stated. "The Internet is a critical component to your business and to conducting business on the DocuSign Global Network," DocuSign analysts wrote. "Those committing fraud seek to take advantage of this trusted relationship for illegal purposes. DocuSign continuously monitors for such activity in order to help safeguard our customers' information, documents and data."

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.