The DocuSign malware attack that occurred in mid-May is noteworthy because it highlights a go-to tactic popular with cyber criminals at the moment: account takeovers.
Attackers will first steal email data or credentials and then use them to launch highly targeted phishing campaigns. The one-two punch targets anyone with an email address and is becoming increasingly common.
DocuSign confirmed on May 15 that a spate of malware-laden phishing emails was the result of customer email addresses stolen by hackers. DocuSign, a major provider of electronic signature technology, stressed that the stolen data was limited to customer and user email addresses, with no names, passwords or document contents taken. But that was enough to make the attack more dangerous, not less: the list told the attackers exactly who used the service and would therefore expect a DocuSign email and click on the link in it.
The San Francisco-based company had been tracking a malicious email campaign as early as May 9. At that time, it said that the malicious emails, which linked to a downloadable Microsoft Word document harboring malware, were not associated with DocuSign. Then, on Monday, May 15, DocuSign confirmed that the hackers were able to send the emails to the right people because they had broken in and stolen the company's list of user email addresses.
According to Steve Malone, director of security product management at Mimecast, a cloud-based email security provider, the attack followed a classic pattern. Several common phishing tactics were used, including spoofed domains visually similar to the original, a seemingly harmless document, and social engineering to persuade the victim to download and open the file.
What made the attack different, however, was that the phish resulted from the theft of a list of DocuSign users. This allowed the hacker to specifically target people who are familiar with the service and thus more likely to open the file. This formed step one of a two-step attack.
The second step was to target those users with the aim of installing information-stealing malware on their devices. Security & Compliance Officer Rahul Iyer of cloud-based email security firm The Email Laundry believes the Word document installs the Hancitor downloader, which in turn fetches credential-stealing malware. Reports suggest that the Pony, EvilPony and ZLoader malware families are being used.
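The lure described above combines two signals that can be checked mechanically before a user ever sees the message: a sender domain that only resembles the trusted brand, and a Word attachment that carries VBA macros (the macros users are warned about later in this piece are what launch the downloader). The following triage script is an added example, not code from the article, DocuSign or any vendor quoted here. The trusted-domain list, the confusable-character table, the two-edit threshold and the sample message and attachment are all constructed for the example; the "attachment" is an empty OOXML zip with a vbaProject.bin part, not a real malicious document.

```python
"""Inbound mail triage for the two-part lure described above: a sender domain
that merely resembles a trusted brand, carrying a Word attachment with VBA macros.
Added example with constructed data; not code from the article or any vendor."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Brand domains this organisation expects mail from (constructed list).
TRUSTED_DOMAINS = ("docusign.com", "docusign.net")
# Single-character swaps attackers use to build look-alike names (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain a sender domain imitates, or None if it is
    either genuinely trusted or unrelated. The 2-edit threshold is an assumption."""
    d = domain.lower().rstrip(".")
    if d in TRUSTED_DOMAINS:
        return None
    label = d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w").split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (brand in label                              # docusign-documents.com
                or edit_distance(label, brand) <= 2     # docusgn.com, docusiqn.com
                or d.startswith(trusted + ".")):        # docusign.com.example.net
            return trusted
    return None


def may_carry_macros(data: bytes) -> bool:
    """OOXML files are zips; VBA code lives in a vbaProject.bin part. Legacy OLE2
    files are flagged conservatively because locating macros needs an OLE parser."""
    if data.startswith(OLE2_MAGIC):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and combine both signals into a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    imitated = lookalike_of(addr.rpartition("@")[2])
    macro_files = [p.get_filename() for p in msg.iter_attachments()
                   if may_carry_macros(p.get_payload(decode=True) or b"")]
    if imitated and macro_files:
        verdict = "block"      # the DocuSign-style combination
    elif imitated or macro_files:
        verdict = "review"
    else:
        verdict = "pass"
    return {"lookalike_of": imitated, "macro_attachments": macro_files, "verdict": verdict}


def build_sample_docm() -> bytes:
    """Constructed stand-in for a weaponised document: a minimal OOXML zip with an
    empty vbaProject.bin part. It contains no code and is not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"")
    return buf.getvalue()


def build_sample_email(from_addr: str, attachment: Optional[bytes]) -> bytes:
    """Constructed message in the style of the lure; not a real capture."""
    msg = EmailMessage()
    msg["From"] = f"DocuSign <{from_addr}>"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Completed: wire transfer instructions"
    msg.set_content("Please review and sign the attached document.")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12",
                           filename="Completed-document.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_email("dse@d0cusign-documents.com", build_sample_docm())))
    print(triage(build_sample_email("dse@docusign.net", None)))
```

The look-alike check deliberately fires on any domain whose first label contains, or is within two edits of, the brand name; for short brand names that threshold will produce false positives and should be lowered. Legacy binary Office files are treated as macro-capable without inspection, which is the conservative choice for a mail gateway.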
No end in sight
Directly after the initial wave of attacks, Mimecast noted that key elements of the phishing email began to change. Small iterations, such as a new subject line or attachment name, are enough to slip past filters that match on indicators from the previous wave, so each variant keeps landing hits. And the attacks, part of a billion-dollar industry, show no sign of stopping anytime soon.
Iyer advises organizations to take email security seriously, if they aren’t already. The primary concern for users is that their email addresses are now “in the wild” and will be used for other phishing/spam campaigns. “So, anyone who received one of these DocuSign phishing mails should be alert for other phishing emails,” he says.
Attackers change tactics
The breach is part of a growing trend of cyber criminals shifting from data theft to account takeovers. It’s not just access to data that hackers get. It’s a way into a company. Malone describes a scenario where gaining access to a corporate webmail system allows hackers to send phishing emails literally inside an organization. Users are much more likely to open something they see a colleague has sent, so the likelihood of infection increases.
Automated login attacks are on the rise, too. Distil Networks, a cybersecurity vendor that monitors bot traffic, identified over 567 billion malicious bot requests in 2016. Part of that was a significant spike in attempts to break into online accounts. Rather than guessing passwords one account at a time, hackers are combining the scale of bots with millions of username and password pairs stolen in earlier breaches and replaying them against other sites to see which still work, a technique known as credential stuffing. Even if no one acted on your data when it was stolen several years ago, you are still at risk: a bot will eventually try it, and if you reuse a password across several websites, hackers may be able to walk straight into your account.
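The two attack shapes just described leave different footprints in an authentication log: classic brute force is many guesses at one account, while credential stuffing is one or two tries each against a long list of accounts, with the occasional success wherever a reused password still works. The script below is an added example that classifies each source IP on that basis and lists the accounts that logged in successfully from an attacking source, which are the account-takeover candidates to act on first. It is not from the article or from Distil Networks; the log format, the thresholds and the log lines are all constructed for the example.

```python
"""Telling credential stuffing (stolen username/password pairs replayed against
many accounts) apart from classic brute force (many guesses at one account) in an
authentication log. Added example with constructed log lines and thresholds; not
from the article or any vendor's product."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Expected line shape (constructed format): "<ts> ip=<ip> user=<user> result=ok|fail"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Thresholds are assumptions chosen for the sample; production values come from baselining.
MIN_ATTEMPTS = 20            # below this, a source is not worth classifying
MIN_FAILURE_RATE = 0.8       # attack traffic is mostly failures
STUFFING_MIN_USERS = 15      # stuffing spreads across many distinct accounts ...
STUFFING_MAX_PER_USER = 2.0  # ... with only one or two tries each (one stolen pair)
BRUTE_MAX_USERS = 3          # brute force hammers a handful of accounts


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    succeeded: Set[str] = field(default_factory=set)


def parse(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Aggregate attempts per source IP; malformed lines are skipped, not fatal."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "ok":
            s.succeeded.add(m["user"])
        else:
            s.failures += 1
    return stats


def classify(s: SourceStats) -> str:
    """Shape-based verdict for one source; attempts >= MIN_ATTEMPTS guards the division."""
    if s.attempts < MIN_ATTEMPTS or s.failures / s.attempts < MIN_FAILURE_RATE:
        return "normal"
    if len(s.users) >= STUFFING_MIN_USERS and s.attempts / len(s.users) <= STUFFING_MAX_PER_USER:
        return "credential_stuffing"
    if len(s.users) <= BRUTE_MAX_USERS:
        return "brute_force"
    return "suspicious"   # high failure volume that fits neither shape cleanly


def analyse(lines: Iterable[str]) -> Dict[str, dict]:
    """Verdict per source plus the accounts that logged in successfully from an
    attacking source: those are the account-takeover candidates to act on first."""
    report = {}
    for ip, s in parse(lines).items():
        verdict = classify(s)
        takeovers = sorted(s.succeeded) if verdict != "normal" else []
        report[ip] = {"verdict": verdict, "attempts": s.attempts,
                      "distinct_users": len(s.users), "takeover_candidates": takeovers}
    return report


def sample_log() -> List[str]:
    """Constructed auth-log lines (not real data)."""
    lines = []
    # 203.0.113.7 replays a leaked list against 30 accounts; two reused passwords still work
    for i in range(30):
        result = "ok" if i in (4, 17) else "fail"
        lines.append(f"2017-05-16T08:00:{i:02d}Z ip=203.0.113.7 user=user{i:02d} result={result}")
    # 198.51.100.9 guesses 25 passwords for one account
    lines += [f"2017-05-16T08:01:{i:02d}Z ip=198.51.100.9 user=admin result=fail" for i in range(25)]
    # 192.0.2.3 is a person who mistyped once, followed by one malformed line
    lines += ["2017-05-16T08:02:00Z ip=192.0.2.3 user=alice result=fail",
              "2017-05-16T08:02:05Z ip=192.0.2.3 user=alice result=ok",
              "garbled line that does not match the format"]
    return lines


if __name__ == "__main__":
    for ip, r in analyse(sample_log()).items():
        print(ip, r)
```

Per-IP counting is the simplest cut; real stuffing campaigns rotate through proxy pools, so a production version would also aggregate by user agent, ASN or time window, and the successes from an attacking source are the signal that matters most, since a lockout on failures alone never catches the pairs that worked.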
Education best defense
One of the reasons such attacks are so successful is that they are able to bypass standard cybersecurity defenses: the attachment itself looks like an ordinary document, and the infection only starts once a recipient opens it and enables macros. That leaves the user as the last line of defense, although blocking macros in documents received from outside the organization would break the chain before any user has to make that decision. "Malicious email attachments are a critical threat as they can easily bypass traditional defenses as part of sophisticated spear-phishing attacks. All DocuSign customers need to educate users to be extra vigilant when opening any documents purporting to be from their service," Malone says.
Whether your company has been caught in the DocuSign attacks or not, it is recommended your organization and employees follow cybersecurity best practices. These include never sending personal information or credentials in email, using a unique password for every site so that one breach cannot unlock other accounts, turning on multi-factor authentication wherever it is offered, ensuring employees are properly trained, and enlisting the help of a cybersecurity provider.
In the end, a little paranoia goes a long way. Malone advises users to verify with the sender before opening any documents or clicking on any links. “Criminals will try all manner of ways to trick employees into enabling macros in weaponized email attachments. So, users should think twice before they click.”