Massive Docusign Phishing Attack After Breach
Docusign is one of the major eSigning providers in the country. eSigning allows customers to electronically sign documents instead of having to go somewhere to place a pen on paper and sign those documents with ink. As a result of this convenience, eSigning is extremely popular. It is used in every industry vertical where document signing is a part of the process.
Docusign noticed an uptick in phishing emails targeting its customers this month. The emails targeted existing customers of Docusign. Docusign says that they have 100 million users in their system.
Initially they thought that this was just another of many generic phishing attacks, but they soon realized that the hacker had too much very realistic information. Docusign had been hacked.
The company discovered that what they call a non-core system had been compromised and their customer list taken. At this time the company says that no financial information or signed documents were taken, but what was taken – names and emails – allows attackers to launch a very targeted attack against Docusign customers.
The way the attack works is that the customer receives an email that looks strikingly like a real Docusign request EXCEPT that it is asking the user to download and open a Word document – something that Docusign does not do. Of course, most Docusign customers do not know this. If they do open the document and follow the rest of the instructions from the attacker, the user’s system is now compromised. The attacker can do whatever he or she wants to do.
While this campaign uses a Word document, the next campaign could use something else – maybe a malicious URL.
For companies that use any eSigning technology, it appears that now would be a good time to educate your users about what a legitimate eSign request looks like and what an eSign phishing attack looks like.
For the mortgage industry, which is a big user of eSign technology, this is just another attack vector. Just like the industry has set up processes to warn its clients about fake wire transfer requests, it looks like the industry now has to warn its clients about fraudulent eSign requests. Today it is Docusign; tomorrow is could be any Docusign competitor. In fact, any mortgage purchase or refinance client could be a target – eSign or not. After all, clients are deluged with requests during the mortgage process and it is very hard for clients to know what is real and what is fake.
Another day, another opportunity.
Information for this post came from KnowBe4 and KrebsOnSecurity.