DocuSign announced that a malicious third party had accessed "a separate, non-core system that allows us to communicate service-related announcements to users via email."
"A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, Social Security numbers, credit card data or other information was accessed," the company added. "No content or any customer documents sent through DocuSign's eSignature system was accessed; DocuSign's core eSignature service, envelopes and customer documents and data remain secure."
However, the stolen emails were sufficient to launch a highly targeted phishing campaign.
Targeted Phishing Attacks
DocuSign is specifically warning its customers to delete any emails with the subject lines, "Completed: [domain name] -- Wire transfer for recipient-name Document Ready for Signature," "Completed [domain name/email address] -- Accounting Invoice [Number] Document Ready for Signature," "Completed: docusign.com - Wire Transfer Instructions for recipient-name Document Ready for Signature," or "Completed [company name] - Accounting Invoice *number* Document Ready for Signature."
The emails come from domains designed to look like DocuSign, such as docusgn.com or docus.com.
"These emails are not from DocuSign," the company stated. "They were sent by a malicious third party and contain a link to malware spam."
The company is advising users to ensure that their anti-virus software is up to date, and is asking users to forward any suspicious emails to email@example.com.
Ajay Uggirala, director of product marketing at Imperva, told eSecurity Planet by email that the cost associated with phishing campaigns has gone down over the past year, making it even easier to launch them. "As we see in this attack, even the most tech savvy companies and users can fall victim to phishing," he said. "It just takes one well-crafted email to be clicked by one person. Therefore, we must not be complacent when it comes to user training and awareness."
"And remember, if you are not 100 percent sure an email is genuine -- no matter how urgent it sounds -- it is always better to check with your IT team first," Uggirala added.
1.9 Million Email Addresses
Separately, Bell Canada announced earlier this week that an anonymous hacker illegally accessed approximately 1.9 customers' email addresses, and approximately 1,700 customers' names and phone numbers.
"There is no indication that any financial, password or other sensitive personal information was accessed," the company stated, adding that the incident is not connected to the WannaCry ransomware campaign.
CBC News reports that a person or group claiming responsibility for the Bell Canada breach posted a list of email addresses online along with a statement saying they were "releasing a significant portion of Bell.ca's data due to the fact that they have failed to cooperate with us."
"This shows how Bell doesn't care for its customers safety and they could have avoided this public announcement," the post stated. "Bell, if you don't cooperate more will leak :)"
Jason Hart, vice president and CTO for data protection at Gemalto, said by email that the Bell Canada attack highlights a trend of hackers casting a wide net and using easily attainable account information as a starting point for high-value targets.
"While no passwords were accessed, the hackers will likely run the email addresses against known databases of stolen passwords from other sites to see if there are any commonly used words, to try and crack the Bell email passwords," he said.
"CSOs and security teams need to adopt a situational awareness to user access and data they store and move," Hart added. "This is something hackers already are doing. As an industry, we need to take a hint from them and know our surroundings, meaning understanding exactly where data resides, who has access to it, how it is transferred, when it is encrypted/decrypted -- really the entire supply chain of digital users and the data."
Photo courtesy of Shutterstock.