Think twice before clicking on any email claiming to be from DocuSign: the electronic signature service confirmed Tuesday that as many as 100 million customer email addresses have been stolen.
According to DocuSign, an email database was breached last week, and the company has since tracked a targeted phishing campaign that uses the stolen addresses.
The malicious emails carry a Microsoft Word attachment that installs malware. They target DocuSign users with subject lines reading either “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” or “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature.” The emails are spoofed to look as if they come from DocuSign, so that recipients open the attachment and end up installing the malicious software.
“A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed,” writes DocuSign in a security update. “No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.”
Although only email addresses were stolen, cybercriminals can still use them to personalize phishing campaigns. As in email marketing, the more relevant a spoofed email appears, the more likely it is to be opened, and attackers routinely combine data from multiple leaks when building their campaigns.
DocuSign says it is working with law enforcement agencies and has put further security controls in place. It recommends that users forward any suspicious emails to firstname.lastname@example.org and then delete them immediately, ensure their anti-virus software is enabled and up to date, and review DocuSign’s white paper on phishing, which is available online.
One of those new security controls is apparently not email authentication, as docusign.com can still be spoofed. The domain has a published DMARC record, according to ValiMail’s DMARC Domain Status Checker, but the record asks receivers to take no action against messages that fail authentication (a monitor-only policy). This means that unauthorized email, including messages from cybercriminals, can still be sent purporting to come from docusign.com, and DMARC will not cause receivers to quarantine or reject it.
“They have a permissive policy that allows anyone to send as them,” says Alex Garcia-Tobar, CEO of ValiMail. “It’s monitored, but not stopped.”
Email authentication can be a tricky technical problem, and Garcia-Tobar says he often sees domains stuck in DMARC’s monitoring phase. To close this gap, ValiMail offers an automated cloud service that guarantees DMARC authentication and enforcement.
Since docusign.com currently lacks proper DMARC enforcement, cybercriminals could still send “millions of emails to those leaked email addresses,” says Garcia-Tobar.
For example, an email could claim to link to an apology from DocuSign’s CEO and instead deliver malware. Or an email could ask users to update their passwords in order to phish additional login credentials.
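The distinction Garcia-Tobar draws between a monitored and an enforced DMARC policy comes down to the p= tag in the domain's _dmarc TXT record. The Python below is an added example, not code from the article, DocuSign or ValiMail; the four records in SAMPLE_RECORDS are constructed for illustration and are not docusign.com's actual DNS data. It parses a record and classifies it as monitor-only (p=none, the "monitored, but not stopped" case), partial (pct below 100 or sp=none) or enforcing, listing the reasons for the verdict.

```python
"""Classify a DMARC TXT record as monitor-only, partially enforcing, or enforcing.

Added example for this article, not DocuSign's or ValiMail's code. The sample
records below are constructed for illustration; none is docusign.com's real DNS data.
"""

# Constructed sample records (hypothetical, not real DNS data).
SAMPLE_RECORDS = {
    # Reports are collected but failing mail is still delivered ("monitored, but not stopped").
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    # Only a quarter of failing mail is quarantined.
    "partial_pct": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    # Organisational domain is protected, but subdomains are explicitly left open.
    "subdomain_gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    # Full enforcement: failing mail is rejected for the domain and its subdomains.
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags.

    Raises ValueError for input that is not a DMARC record or lacks a valid p= tag.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= policy: {tags.get('p')!r}")
    return tags


def is_dmarc_record(record: str) -> bool:
    """True if the TXT record parses as DMARC with a valid policy."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def assess_dmarc(record: str) -> tuple:
    """Return (level, findings): level is 'monitor-only', 'partial' or 'enforcing',
    findings is a list of human-readable reasons for that verdict."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp= defaults to p= (RFC 7489)
    pct = int(tags.get("pct", "100"))            # pct= defaults to 100
    findings = []

    if policy == "none":
        findings.append("p=none: receivers deliver mail that fails DMARC; the domain is spoofable")
        if "rua" in tags:
            findings.append("rua= present: failures are reported but not stopped")
        return "monitor-only", findings

    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    if sub_policy == "none":
        findings.append("sp=none: subdomains remain spoofable")
    if policy == "quarantine":
        findings.append("p=quarantine: failing mail lands in spam rather than being rejected")

    level = "partial" if (pct < 100 or sub_policy == "none") else "enforcing"
    return level, findings


def enforcement_level(record: str) -> str:
    """Convenience wrapper returning only the classification."""
    return assess_dmarc(record)[0]


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        level, findings = assess_dmarc(record)
        print(f"{name:14s} -> {level}")
        for finding in findings:
            print(f"    - {finding}")
```

To check a live domain, feed the TXT record returned for `_dmarc.<domain>` into `assess_dmarc`; anything other than "enforcing" means a receiver honouring the record will still deliver (or only partly filter) mail that fails SPF and DKIM alignment, which is exactly the gap the article describes.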