Slashdot Mirror
Breach at DocuSign Led To Targeted Email Malware Campaign (krebsonsecurity.com)
Digital signature service DocuSign said Monday that an unnamed third-party had got access to email addresses of its users after hacking into its systems. From a report: DocuSign, a major provider of electronic signature technology, acknowledged today that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. The company stresses that the data stolen was limited to customer and user email addresses, but the incident is especially dangerous because it allows attackers to target users who may already be expecting to click on links in emails from DocuSign. [...] In an update late Monday, DocuSign confirmed that this malicious third party was able to send the messages to customers and users because it had broken in and stolen DocuSign's list of customers and users.
I use DocuSign on a regular basis for work and have received over 20 fake emails in the last few days. These emails are particularly well drafted (as far as phishing emails go) and are easily mistaken with the real thing. DocuSign has yet to send out any warning message to its customers. Pretty poor handling from their part...
What they should *immediately* do is expire all passwords and force users to reset their password on next login.
What companies SHOULD do in a case of a breach, and what actually happens is usually on complete opposite sides. It's quite sad that companies have not figured out to have set policies and quicker responses to any breach of customer data.
Sent from my TARDIS
You think the fishers won't send emails to users saying "Your password has expired. CLICK HERE to change it."?
What exactly is the nature of the attack? Are the phishers trying to get fake documents, like a quickclaim deed transferring property to a bad guy, signed?
As opposed to our current commander in chief who you don't even have to hack to get leaked intelligence. You just have to get him boasting about how great he is.
It doesn't sound like docusigns passwords were breached nor the accounts compromised. The attackers likely just got the user list.
The attackers likely aren't the least bit interested in your docusign account, and are just using the fact that they have your address and know you use docusign to send you better crafted phishing emails to deploy generic malware/ransomware/etc.
You won... quit whining and bask in the success of your cheeto in chief.
What they should *immediately* do is expire all passwords and force users to reset their password on next login.
Why would they do that? User passwords weren't stolen.
What exactly is the nature of the attack? Are the phishers trying to get fake documents, like a quickclaim deed transferring property to a bad guy, signed?
I am not sure whether you are either trolling or lazy to look for infos. I don't use docuSign but I could make a guess from its name -- trusted content of email. The attackers could be sending a link to a malicious web page or infected file to recipients. If you use docuSign, you wouldn't need to worry that the link or file is unsafe. It is like a 3rd party who verifies the sender for you...
I received one of these emails, and since I was expecting documents from a mortgage company, totally fell for it. It the attachment tried to redirect me to some foreign electronics company. Fortunately the website had been blacklisted already.
We all know how hard it is to secure an entire network (although companies like Google, Amazon, and Microsoft seem to have figured it out for the most part). Most people will forgive a company that gets breached, but they MUST come clean and be completely honest and transparent. Just like with any other transaction, I don't expect perfection, but I expect a company to try to make things right if they happen to go wrong. Otherwise, I find another company to do business with.
This sort of secrecy in the face of a breach is inexcusable. In fact, maybe it should be *illegal*. I'm not certain, but at the moment, I think that only applies to financial institutions (although I think California has such a law). I'm not typically one to screech "there aughta be a law!" when anything bad happens, but I consider this basic consumer protection at this point, as more of our business and personal infrastructure goes online. By not sending out a warning e-mail, DocuSign is (obviously) favoring its own reputation over its customers safety.
Irony: Agile development has too much intertia to be abandoned now.
I've had 3 or 4 emails made to look like they were from Docusign over the past week or two...easily distinguishable if you look at the sender's domain -- which is the first thing I did b/c I wasn't expecting any documents to sign. Not-so-technical users should beware, with targeted phishing you're gonna have a bad time.
Agreed! I knew I was getting phishing emails that were made to look like they were from Docusign, but had no idea there was a breach until Slashdot told me.
I received one of these emails, and since I was expecting documents from a mortgage company, totally fell for it. It the attachment tried to redirect me to some foreign electronics company. Fortunately the website had been blacklisted already.
I admittedly did fall for the first one, but luckily I run uMatrix which kept whatever it was that was trying to run from running. Took that happening for me to realize I should looked at the email headers before opening an unsolicited email from Docusign...do I even technology bro?
I work for a heavy DocuSign user and we received 1000's of emails from a Russian IP block (109.86.203.0/24) sending the phishing emails. I'm escalating the issue to our DocuSign sales reps and their management. I believe that security only gets better when customers demand companies pay attention to it.
You would expect a company like that to know how to sign their emails.
I heard about spoofed emails with fake wiring instructions for choosing funds.
I hate when companies make me share sensitive info with Docushare. We need to as an industry stop outsourcing functions that require users to share personal info. It just shifts accountability to third parties that nobody in their right mind should ever trust. It shifts accountability outside the organization to a place where there is no accountability.