Since May 9, PhishLabs has tracked multiple phishing campaigns that use DocuSign branding to lure victims into downloading malicious files. These campaigns followed a breach of a DocuSign database containing user email addresses. Each of the campaigns associated with this breach has similar, yet distinct, characteristics. The third, and most recent, campaign was launched on May 17.
The following highlights the primary characteristics in each of the campaigns:
Campaign #1: May 9, 2016
Subject: “Completed: [email domain] – Wire Transfer Instructions for [recipient username] Document Ready for Signature”
Phishing campaign #1 lure.
Campaign #2: May 15, 2016
Subject: “Completed [email domain] - Accounting Invoice [######] Document Ready for Signature”
Phishing campaign #2 lure.
Campaign #3: May 17, 2016
Subject: “Legal acknowledgement for [recipient username] Document is Ready for Signature”
Phishing campaign #3 lure.
In each campaign, the lure contains a link that, when clicked, downloads a malicious Word document to the victim’s computer. The file naming format for the most recent campaign is “Legal_acknowledgement_for_[recipient’s email username].doc”. An analysis of the Word document found that, like those in the previous two campaigns, it contains malicious macros that execute Hancitor, a widely used, fileless malware dropper. If macros are enabled on the victim’s computer, Hancitor downloads and installs Pony, an information stealer. With Pony installed, the infected PC can send information to, and receive new updates and instructions from, a server operated by the cybercriminals.
Based on the presumed size of the DocuSign breach and the fact that each campaign seems to be sent to only a subset of the overall population of compromised email accounts, it is likely that these campaigns will continue.
To reduce risk, organizations can take the following steps:
- Condition employees for these phishing attacks by conducting phishing awareness campaigns that simulate the latest DocuSign phishing lures.
- Train employees to report phishing attempts via the proper channels.
- Put a high priority on reviewing reported phishing attempts to detect DocuSign phish that make it past corporate email filters and into user inboxes.
- Analyze reported phishing emails and any payloads they deliver ASAP, initiating incident response when necessary.
- Feed threat indicators collected from DocuSign phishing emails and payloads into corporate email and network security tools.
- Obtain additional threat indicators from external intelligence sources (peers, open source reports, subscription feeds).
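As an added example (not PhishLabs' code or a DocuSign-provided rule), the following triage logic turns the subject-line templates and the campaign #3 file naming format described above into mail-filter checks; the `Mail` fields, the sub-patterns standing in for the bracketed lure fields, and the sample messages are all constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# Subject templates from the three campaigns. The bracketed lure fields
# ([email domain], [recipient username], [######]) become permissive sub-patterns.
CAMPAIGN_SUBJECTS = {
    1: re.compile(r"^Completed:?\s+\S+\s+[–-]\s+Wire Transfer Instructions for \S+ "
                  r"Document Ready for Signature$", re.I),
    2: re.compile(r"^Completed:?\s+\S+\s+[–-]\s+Accounting Invoice \d+ "
                  r"Document Ready for Signature$", re.I),
    3: re.compile(r"^Legal acknowledgement for \S+ Document is Ready for Signature$", re.I),
}
# Campaign #3 download name: Legal_acknowledgement_for_<recipient username>.doc
CAMPAIGN3_DOC = re.compile(r"^Legal_acknowledgement_for_[^/\\]+\.doc$", re.I)

class Mail(NamedTuple):
    recipient: str       # local part of the recipient address (assumed field)
    subject: str
    link_filename: str   # basename of the download link target, "" if none

class Verdict(NamedTuple):
    campaign: Optional[int]
    reasons: tuple

def match_campaign(subject: str) -> Optional[int]:
    """Return the campaign number whose subject template matches, else None."""
    for num, pattern in CAMPAIGN_SUBJECTS.items():
        if pattern.search(subject.strip()):
            return num
    return None

def triage(mail: Mail) -> Verdict:
    """Collect every reason a message resembles one of the DocuSign-branded lures."""
    reasons = []
    campaign = match_campaign(mail.subject)
    if campaign is not None:
        reasons.append(f"subject matches campaign #{campaign} template")
    if CAMPAIGN3_DOC.search(mail.link_filename):
        reasons.append("download name matches Legal_acknowledgement_for_*.doc")
        # The lure personalises the file name with the recipient's own username.
        if mail.link_filename.lower() == f"Legal_acknowledgement_for_{mail.recipient}.doc".lower():
            reasons.append("file name personalised with recipient username")
    return Verdict(campaign, tuple(reasons))

if __name__ == "__main__":
    # Constructed samples, not indicators taken from the real campaigns.
    for m in [Mail("jdoe", "Legal acknowledgement for jdoe Document is Ready for Signature",
                   "Legal_acknowledgement_for_jdoe.doc"),
              Mail("jdoe", "Lunch tomorrow?", "notes.docx")]:
        print(m.subject, "->", triage(m))
```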
Resources from DocuSign:
DocuSign is providing additional information and details about the latest campaigns on its DocuSign Trust site: https://trust.docusign.com/en-us/. They released a document outlining the indicators of compromise, which can be found here: https://trust.docusign.com/static/downloads/DocuSign%20IOC%20Ref%20Materials_05162017.pdf
DocuSign customers can also contact support lines through https://support.docusign.com/en/contactSupport, to get a list of the email addresses belonging to their account that may be affected.
Additionally, you can follow @askdocusign for updates on Twitter.