Over the last week or so I’ve received two batches of slightly different DocuSign phishing attempts. They are typical “click a link in the email that downloads a malicious .doc you have to enable macros in” attacks, though this is the first time I’ve seen DocuSign used as the bluff. It is also somewhat interesting that these attacks appear to come from lookalike variants of DocuSign’s domain, rather than from random hacked/commandeered email accounts.
On May 9th, within about 3 1/2 hours, I received 3 separate yet similar (template, anyone?) DocuSign phishing emails from (note the missing ‘i’ in the domain):
Cameron Smith via DocuSign <[email protected]>
With the following contents:
REDACTED – Wire Transfer Instructions for jason Document Ready for Signature
The redacted portion in the email contents and in the subject was the domain of my email address. I assume the “jason” was taken from my email address as well (I typically capitalize my name in any forms I fill out manually).
The [Review Document] buttons were links to:
Unfortunately, by the time I began writing up this post the domains no longer resolved to actual webpages (the first two show a GoDaddy page offering the domain for purchase; the third fails to resolve in DNS at all). The XXXXXXXXXXXXXXXXXXXXXXXX’s replace unique base64-encoded strings composed of [4-digit number][my email address][different 4-digit number]. In each instance, all of the 4-digit numbers were different and seemingly unrelated.
As is common in phishing emails, the two links near the bottom (“Help with Signing” and “Support Center”) both point at the corresponding legitimate DocuSign pages.
On May 15th, I received 5 new emails within about 3 1/2 hours. This time the email address format was the same, but with a new domain and varying names:
Dillon Holmes via DocuSign <[email protected]>
Anthony Washington via DocuSign <[email protected]>
Christopher Labert via DocuSign <[email protected]>
Thomas Gilmore via DocuSign <[email protected]>
Caleb Holmes via DocuSign <[email protected]>
This time the email subject was also a bit different; REDACTED was again my email domain, and XXXXXX was a random 6-digit number:
Completed REDACTED – Accounting Invoice XXXXXX Document Ready for Signature
Besides the obvious change in premise (invoice vs. wire transfer), this version uses my full email address as well as just the domain from it, and is also missing the last paragraph of fine print (including the legitimate links) that the first version contained.
The [Review Document] buttons in version 2 were links to:
Again, note the Base64 encoded strings containing numbers and my email address.
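The two things worth automating from both batches are the sender-domain check (a DocuSign domain with a letter dropped) and the per-link check (decode any base64 path segment or query value and see whether it is the [4-digit][email][4-digit] tracking token, and whether the footer links really go to DocuSign). The script below is an added example and not code from this post; it assumes a small allowlist of DocuSign domains, a constructed HTML mail body with a reserved `.invalid` lure host and a placeholder victim address, and a constructed lookalike sender domain with the ‘i’ removed, all of which are illustrative and not the actual domains from these emails.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumption: domains we accept as genuine DocuSign properties. Extend to what
# your own tenant actually sees; this is a starting point, not DocuSign's list.
LEGIT_DOMAINS = ("docusign.com", "docusign.net")

# Decoded token shape described in the post: [4 digits][email address][4 digits].
TOKEN_RE = re.compile(r"^(\d{4})([^@\s]+@[^@\s]+\.[^@\s]+)(\d{4})$")


def is_docusign_host(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch a single dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_verdict(from_header):
    """Classify the From: domain as legit, a close lookalike, or unrelated."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    domain = addr.rsplit("@", 1)[-1].lower()
    if is_docusign_host(domain):
        return "legit"
    if any(edit_distance(domain, d) <= 2 for d in LEGIT_DOMAINS):
        return "lookalike"
    return "unrelated"


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def b64_decode_lenient(s):
    """Decode standard or URL-safe base64 with missing padding; None if not text."""
    s = s.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_tracking_token(url):
    """Return (prefix, email, suffix) if any path segment or query value decodes to the token shape."""
    u = urlparse(url)
    candidates = [seg for seg in u.path.split("/") if seg]
    for values in parse_qs(u.query).values():
        candidates.extend(values)
    for c in candidates:
        decoded = b64_decode_lenient(c)
        m = TOKEN_RE.match(decoded) if decoded else None
        if m:
            return m.groups()
    return None


def triage_links(html):
    """One row per anchor: host, whether it is a DocuSign host, and any decoded token."""
    parser = LinkExtractor()
    parser.feed(html)
    out = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        out.append({"text": text, "host": host,
                    "legit": is_docusign_host(host),
                    "token": find_tracking_token(href)})
    return out


def make_token(prefix, email, suffix):
    return base64.b64encode(f"{prefix}{email}{suffix}".encode()).decode()


# Constructed sample, not one of the actual emails: lookalike sender with the 'i'
# dropped, a reserved .invalid lure host, a placeholder victim address, and
# footer links to real DocuSign hosts as the post describes.
SAMPLE_FROM = "Cameron Smith via DocuSign <dse@docusgn.com>"
SAMPLE_HTML = f"""<html><body>
<p>Wire Transfer Instructions for jason Document Ready for Signature</p>
<a href="http://lure.invalid/review/{make_token('4821', 'jason@example.com', '9130')}">Review Document</a>
<p><a href="https://support.docusign.com/">Help with Signing</a>
<a href="https://www.docusign.com/">Support Center</a></p>
</body></html>"""

if __name__ == "__main__":
    print("sender:", sender_verdict(SAMPLE_FROM))
    for row in triage_links(SAMPLE_HTML):
        print(row)
```

Two caveats when using this for real triage: the “via DocuSign” display name is entirely attacker-controlled, so only the address domain matters, and the legitimate footer links are exactly what makes the mail look right, so a link allowlist alone is not a verdict; the decoded token is the useful artifact, since it tells you which recipient address the sender already held and lets you correlate batches by the numeric prefixes.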
All five links immediately downloaded a file named “Legal_acknowledgement_for_jason.doc”. The first one contained the following page 1 (of 8), as is typical of .doc malware:
Interestingly, the document showed a word count of 572, and the first page seemed to be an image. Copying the remaining text showed the following, repeated 4 times with ~10-15 blank lines between each instance:
Outside, yellow, gold, and red leaves were leaping from swaying trees, landing on the roof, jumping off the roof, and then chasing one another down the street in tiny whirlwinds of merriment.
“If I was a leaf, I would fly clear across the world,” Tommy thought and then ran out into the yard among the swirl of colors. Tommy watched in fascination.
Mrs. Pennington came to the front porch.
“Tommy, I have your jacket. Please put it on.”
However, there was no Tommy in the front yard.
Tommy was a leaf. He was blowing down the street with the rest of his play-mates.
A maple leaf came close-by, touched him and moved ahead. Tommy met him shortly, brushed against him, and moved further ahead. They swirled around and around, hit cars and poles, flew up into the air and then down again.
This appears to be a few paragraphs from a short story called “High and Lifted Up” by Mike Krath (link to first search result of text). Relevant? Probably not…
Of course, I expect that, as is typical, once I click “Enable Editing” and “Enable Content” (i.e., turn on macros), a macro will run to download some nasties and infect my computer, but I don’t care to go through the effort of reverse engineering it at the moment.