Over the last week or so I’ve received two batches of slightly different DocuSign phishing attempts. They are typical “click a link in the email that downloads a malicious .doc you have to enable macros in” attacks, though this is the first time I’ve seen DocuSign used as the pretext. It is also somewhat interesting that these attacks appear to come from lookalike variants of DocuSign’s own domain, rather than from random hacked or commandeered email accounts.
Version 1
On May 9th, within about 3 1/2 hours I received 3 separate, yet similar (template, anyone?) DocuSign phishing emails from (note the missing ‘i’ in the domain):
Cameron Smith via DocuSign <dse@docusgn.com>
With the following contents:
REDACTED – Wire Transfer Instructions for jason Document Ready for Signature
Your document has been completed REVIEW DOCUMENT All parties have completed REDACTED – Wire Transfer Instructions for jason Document Ready for Signature. Please review and sign your Wire Transfer Instructions for jason via DocuSign by clicking on the “Review Document” button above. Signing will not be complete until you have reviewed the agreement and confirmed your signature. Please make sure to fill out the TaxID if you are requesting for credit terms. Please let us know if you have any questions. Thank you. Powered by DocuSign Do Not Share This Email This email contains a secure link to DocuSign. Please do not share this email, link, or access code with others. Alternate Signing Method Visit DocuSign.com, click ‘Access Documents’, and enter the security code: 4C263 EC8E62F44E7A631B3474758 E2171 About DocuSign Sign documents electronically in just minutes. It’s safe, secure, and legally binding. Whether you’re in an office, at home, on-the-go — or even across the globe — DocuSign provides a professional trusted solution for Digital Transaction Management (TM). Questions about the Document? If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly or replying to this email. If you are having trouble signing the document, please visit the Help with Signing page on our Support Center.
The redacted portion in the email contents and in the subject were the domain in my email address. I assume the “jason” they got was from my email account, as well (I typically capitalize my name in any forms I manually fill out).
Unfortunately, by the time I began writing up this post the domains no longer resolved to actual web pages (the first two show a GoDaddy page offering the domain for purchase; the third fails DNS resolution entirely). The XXXXXXXXXXXXXXXXXXXXXXXX’s replace unique base64-encoded strings composed of [4-digit number][my email address][different 4-digit number]. In each instance, all of the 4-digit numbers were different and seemingly unrelated.
As is common in phishing attacks, the two links near the bottom (“Help with Signing” and “Support Center”) both point at the corresponding, legitimate DocuSign pages.
Version 2
On May 15th, I received 5 new emails within about 3 1/2 hours. This time the email address format was the same, but with a new domain and varying names:
Dillon Holmes via DocuSign <dse@docus.com>
Anthony Washington via DocuSign <dse@docus.com>
Christopher Labert via DocuSign <dse@docus.com>
Thomas Gilmore via DocuSign <dse@docus.com>
Caleb Holmes via DocuSign <dse@docus.com>
This time the email subject was also a bit different. REDACTED was the email domain, and XXXXXX was a random 6-digit number:
Completed REDACTED – Accounting Invoice XXXXXX Document Ready for Signature
The body:
Your document has been completed REVIEW DOCUMENT jason@REDACTED All parties have completed [E]REDACTED – Accounting Invoice 833536 Document Ready for Signature. Please review and sign your [E]REDACTED – Accounting Invoice 833536 via DocuSign by clicking on the “Review Document” button above. Signing will not be complete until you have reviewed the agreement and confirmed your signature. Please make sure to fill out the TaxID if you are requesting for credit terms. Please let us know if you have any questions. Thank you. Powered by DocuSign Do Not Share This Email This email contains a secure link to DocuSign. Please do not share this email, link, or access code with others. About DocuSign Sign documents electronically in just minutes. It’s safe, secure, and legally binding. Whether you’re in an office, at home, on-the-go — or even across the globe — DocuSign provides a professional solution for Digital Transaction Management (TM). Questions about the Document? If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly or replying to this email.
Besides the obvious change in premise (invoice vs. wire transfer), this version uses both my full email address and the bare domain from it, and is also missing the last paragraph of fine print (including the legitimate links) that the first version contained.
The [Review Document] buttons in version 2 were links to:
Again, note the Base64 encoded strings containing numbers and my email address.
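Both batches share two detectable traits: a display name of “… via DocuSign” paired with a sender domain that is not docusign.com (a dropped letter in one case, a truncated label in the other), and links whose base64 path segment decodes to [4-digit number][recipient address][4-digit number]. The following is an added example of how a mail filter could flag both, written for this post and not code from the post or from DocuSign. The two sender addresses are the ones quoted above; the link host docs-review.example and the token are constructed placeholders, and the edit-distance and prefix heuristics are assumptions chosen to cover the two domains seen here.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlparse

# Brand the "via DocuSign" display name claims; legitimate notifications come from this domain.
BRAND = "docusign"
BRAND_DOMAIN = "docusign.com"

# Structure the post describes for the decoded link token:
# [4-digit number][recipient email address][different 4-digit number]
TOKEN_RE = re.compile(r"^(\d{4})([^@\s]+@[^@\s]+)(\d{4})$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as docusgn.com (one dropped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(from_header: str) -> Tuple[str, str]:
    """Split 'Display Name <addr>' into (display name, lower-cased sender domain)."""
    m = re.match(r"\s*(.*?)\s*<([^>]+)>\s*$", from_header)
    if m:
        name, addr = m.group(1), m.group(2)
    else:
        name, addr = "", from_header.strip()
    return name, addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str) -> List[str]:
    """Return the reasons a sender looks like brand impersonation (empty list = nothing found)."""
    name, domain = parse_from(from_header)
    reasons: List[str] = []
    if domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN):
        return reasons
    label = domain.split(".")[0]
    # "via DocuSign" in the display name, but the mail comes from a non-DocuSign domain.
    if BRAND in name.lower():
        reasons.append("display name claims %s but sender domain is %s" % (BRAND, domain))
    # docusgn.com: within one or two edits of the brand label (threshold is an assumption).
    distance = levenshtein(label, BRAND)
    if 0 < distance <= 2:
        reasons.append("typosquat of %s (edit distance %d)" % (BRAND, distance))
    # docus.com: a truncated prefix of the brand label (minimum length is an assumption).
    elif len(label) >= 4 and BRAND.startswith(label):
        reasons.append("truncated form of %s" % BRAND)
    return reasons


def decode_link_token(url: str) -> Optional[Dict[str, str]]:
    """Find a base64 path segment or query value that decodes to the [nnnn][email][nnnn] token."""
    parsed = urlparse(url)
    candidates = [seg for seg in parsed.path.split("/") if seg]
    candidates += re.findall(r"=([^&]+)", parsed.query)
    for cand in candidates:
        cand = unquote(cand)
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                text = decoder(cand + "=" * (-len(cand) % 4)).decode("utf-8")
            except (binascii.Error, ValueError):  # not base64, or not text
                continue
            m = TOKEN_RE.match(text)
            if m:
                return {"token": cand, "prefix": m.group(1), "email": m.group(2), "suffix": m.group(3)}
    return None


def analyze_message(from_header: str, links: List[str]) -> Dict[str, object]:
    """Combine the sender and link checks into one verdict for a message."""
    findings = classify_sender(from_header)
    tokens = [t for t in (decode_link_token(u) for u in links) if t]
    for t in tokens:
        findings.append("link carries base64-encoded recipient address %s" % t["email"])
    return {"suspicious": bool(findings), "findings": findings, "tokens": tokens}


# Constructed sample data: the two sender addresses quoted in the post, a legitimate sender for
# contrast, and a made-up link whose token follows the structure the post describes.
SAMPLE_TOKEN = base64.b64encode(b"1234jason@example.com5678").decode("ascii")
SAMPLE_LINKS = ["http://docs-review.example/view/" + SAMPLE_TOKEN,
                "https://support.docusign.com/"]  # a real support link, as the emails also carried
SAMPLE_SENDERS = ["Cameron Smith via DocuSign <dse@docusgn.com>",
                  "Dillon Holmes via DocuSign <dse@docus.com>",
                  "DocuSign <dse@docusign.com>"]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(sender, "->", analyze_message(sender, SAMPLE_LINKS))
```

The display-name rule is the one that matters most operationally: a typosquat catalogue will always lag behind new registrations, but “via DocuSign” from anything other than docusign.com is wrong regardless of which lookalike was bought this week. Decoding the token also gives you the targeted address, which is useful for telling a campaign that scraped one mailbox from one that is spraying a whole domain.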
All five links instantly downloaded a file named “Legal_acknowledgement_for_jason.doc”. The first one contained the following as page 1 (of 8), which is typical of .doc malware:
Microsoft Office Oops, something went wrong… Please follow these steps: This document is only available for desktop or laptop versions of Microsoft Office Word Click Enable editing button from the yellow bar above Once you have enabled editing, please click Enable content button from the yellow bar above
Interestingly, the document showed 572 words and the first page seemed to be an image. Copying out the remaining text showed the following passage repeated 4 times, with ~10-15 blank lines between each instance:
Outside, yellow, gold, and red leaves were leaping from swaying trees, landing on the roof, jumping off the roof, and then chasing one another down the street in tiny whirlwinds of merriment.
“If I was a leaf, I would fly clear across the world,” Tommy thought and then ran out into the yard among the swirl of colors. Tommy watched in fascination.
Mrs. Pennington came to the front porch.
“Tommy, I have your jacket. Please put it on.”
However, there was no Tommy in the front yard.
“Tommy?”
Tommy was a leaf. He was blowing down the street with the rest of his play-mates.
A maple leaf came close-by, touched him and moved ahead. Tommy met him shortly, brushed against him, and moved further ahead. They swirled around and around, hit cars and poles, flew up into the air and then down again.
This seems to be a few paragraphs out of a short story called “High and Lifted Up” by Mike Krath (link to first search result of text). Relevant? Probably not…
Of course, I expect that, as is typical, once I click “Enable Editing” and “Enable Content” (turning on macros), a macro will run to download some nasties and infect my computer, but I don’t care to go through the effort of reverse engineering it at the moment.