DocuSign Data Breach Led to Targeted Email Malware Campaign

By Sushma Chowta

While everyone seemed to be busy with the WannaCry ransomware, two other breaches took place: one at DocuSign, a major provider of electronic signature technology, and another at Bell Canada, Canada’s largest telecommunications company.

Ransomware is a type of malicious software that encrypts or locks access to your data and asks you to pay a ransom to regain access to your own data. There are two types of ransomware:

  1. Encryptors: These are designed so that the hackers can deny you the use of your own system. They ask for money in exchange for a decryption code that unlocks access.
  2. Lockers: These lock access to files or the system so that you cannot use them. In this case the files are not encrypted, but the hackers still ask for a ransom to be paid before you regain access to your files or system.

Below are a few characteristics that distinguish ransomware from other malware:

  • It can encrypt all kinds of files saved on your system: documents, videos, pictures or anything else.
  • It displays an image telling you that your data has been encrypted and that you need to pay a ransom to get access to it again.
  • The ransom payment has a time limit. If you do not pay before the time limit expires, your data will be damaged and you will never be able to access it again.
  • It can easily spread to other systems and damage them as well.
  • It will encrypt or scramble your data so that you will not be able to know which data is This is used by social engineers to confuse users and get them to pay the ransom.

Why Ransomware creators and distributors target home users:

  • They do not have backups of their data
  • They have no education in cyber security
  • They do not update their applications or software

Why Ransomware creators and distributors target business users:

  • They have the capability to pay ransom
  • The attackers are aware that if such damage is caused, the business will be affected, which in turn means lost revenue for the business.
  • Ransomware can damage not only on-premises systems but can also affect cloud services.

Below are a few details of how DocuSign's data was affected:

What exactly happened?

The hacker was able to gain access to DocuSign emails and steal data containing the email addresses of its customers. Only the customers' email addresses were accessed; no other sensitive data was stolen.

The phishing email sent by the hacker looked identical to the company's own email. It contained the company logo as well as other details so that customers would click on the link and the hacker could then steal their information.

What type of information was stolen?

DocuSign assured its customers that none of their personal information, such as names, passwords, security numbers or credit card details, had been leaked. Only email addresses were stolen. The company has asked customers not to click on any unknown emails or even sign any documents.

How many were affected?

DocuSign has not confirmed the number of victims affected, but it has made sure that its customers use the DocuSign Trust Center to protect themselves from such phishing attacks.

What is the company doing to prevent such loss?

To protect its customers and prevent any more data from being leaked, DocuSign has restricted unauthorized access to its systems and has also added security protection to those systems so that it will not be easy for anyone to access its website.

What should the customers do?

DocuSign alerted its customers that if they receive any email from DocuSign, they should not respond to such emails and should forward them to the company’s spam address. Customers who need to access documents can visit the official site directly and enter the security code provided in the email.

The emails sent to customers included DocuSign branding and even came from a similar-looking domain. Each email had the subject line “Document Ready for Signature.” DocuSign admits that only customers’ emails were hacked. The attachments used may have been intended to steal passwords and banking credentials.
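
The indicators described above (DocuSign branding, a similar-looking sender domain, and the subject line “Document Ready for Signature”) can be combined into a mail-filter check. The following Python is an added example, not code from DocuSign or from the original article; the trusted-domain allowlist, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email.utils import parseaddr

# Assumption: allowlist of domains you accept DocuSign mail from; adjust locally.
TRUSTED_DOMAINS = {"docusign.com", "docusign.net"}
BRAND = "docusign"
CAMPAIGN_SUBJECT = "document ready for signature"  # subject line quoted in the article

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(domain):
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def classify(raw_message):
    """Return the reasons a message looks like DocuSign impersonation (empty list = none)."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if is_trusted(domain):
        # The From header is spoofable: check SPF/DKIM/DMARC results separately.
        return []
    reasons = []
    if BRAND in display.lower():
        reasons.append("brand in display name, untrusted sender domain")
    if CAMPAIGN_SUBJECT in msg.get("Subject", "").lower():
        reasons.append("campaign subject line, untrusted sender domain")
    if any(BRAND in label or edit_distance(label, BRAND) <= 2 for label in domain.split(".")):
        reasons.append("look-alike sender domain")
    return reasons

# Constructed sample messages (not taken from the real campaign).
SAMPLES = {
    "lookalike": 'From: "DocuSign" <noreply@docus1gn.example>\nSubject: Document Ready for Signature\n\nReview document',
    "trusted": "From: DocuSign <noreply@docusign.net>\nSubject: Document Ready for Signature\n\nReview document",
    "unrelated": "From: Alice <alice@partner.example>\nSubject: Lunch on Friday\n\nHi",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

A message that passes this check is only unflagged by these three indicators; sender authentication and attachment scanning remain separate controls.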