Pierluigi Paganini May 17, 2017

Hackers broke into the system of the technology provider DocuSign and accessed customers email addresses. The experts warn of possible spear phishing attacks.

The Electronic signature technology provider DocuSign suffered a data breach, hackers have stolen email addresses from one of its servers.

On Monday the company informed its customers of the data breach and warned them of fake emails set up to deliver weaponized Word documents, it also reported the incident to law enforcement agencies who are currently investigating the case.

The malicious messages appeared to come from addresses such as dse@docus.com and dse@docusgn.com, they have the following subject lines:

“Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature.”

Threat actor behind the DocuSign hack launched a phishing campaign against the customers of the firms, anyway, announced hackers have broken into a “non-core system.” designed for sending service-related email announcements to users.

Spear Phishing campaigns following a data breach represent a serious threat for customers of the hacked firm.

The company notified the incident to the customers and advised users to be vigilant and to report any suspicious email to spam@docusign.com.

“[The emails] may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like ‘docusgn.com’ without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than docusign.com or docusign.net,” DocuSign added.

According to DocuSign, hackers only accessed email addresses, there is no evidence that attackers accessed personal and financial information such as names, physical addresses, passwords, social security numbers, and payment card.

Below an excerpt from the data breach notification statement issued by DocuSign:

• Last week and again yesterday, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts on the DocuSign Trust Center and in social media.
• The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software.
• As part of our process in routine response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.
• However, as part of our ongoing investigation, yesterday we confirmed that a malicious third party had gained temporary access to a separate, non-core system used for service-related announcements.
• A complete forensic analysis has confirmed that only a list of email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

The company said it has blocked the hack and locked out attackers from its systems, it also announced additional security controls.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – DocuSign, data breach)

[adrotate banner=”13″]