The phishing campaign saw emails spoof the DocuSign brand.
One of the most popular digital signature services, DocuSign, has fallen victim to a phishing campaign which compromised a database of customer email addresses.
The company has confirmed the data breach after tracking the phishing campaign on May 9. In a statement, the company said:
“Last week and again this morning, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts here on the DocuSign Trust Site and in social media. The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software.”
DocuSign confirmed that a malicious third party gained access to a “separate, non-core system that allows us to communicate service-related announcements to users via email.” In attempts to reassure customers, the eSignature firm stated that only email addresses had been accessed and no names, addresses, passwords, social security numbers, or credit card data had been compromised.
“Malicious email attachments are a critical threat as they can easily bypass traditional defences as part of sophisticated spear-phishing attacks,” said Steven Malone from Mimecast.
“All DocuSign customers need to educate users to be extra vigilant when opening any documents purporting to be from their service. Verify with the sender before opening any documents or clicking on any links. Criminals will try all manner of ways to trick employees into enabling macros in weaponized email attachments.”
The company has since put further security controls in place and is currently working with law enforcement agencies to investigate the breach. The company has also advised customers to delete any emails with the following subject lines:
“Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”.
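As an added example (not code from the article or from DocuSign), the two subject-line templates above turned into a small mail-triage rule: a message whose subject matches a template is held for review, and escalated to quarantine when a Word document is attached, since the campaign relied on a macro-enabled attachment. The placeholder handling, the `Message` structure and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Subject-line templates DocuSign told customers to delete. The bracketed
# placeholders in the advisory (domain, address, recipient name, invoice
# number) are accepted here as any non-empty run of text; assumption on
# our side, since the advisory gives templates rather than exact strings.
SUBJECT_PATTERNS = [
    re.compile(r"^Completed:\s+\S+\s+[–-]\s+Wire transfer for .+ Document Ready for Signature$",
               re.IGNORECASE),
    re.compile(r"^Completed\s+\S+\s+[–-]\s+Accounting Invoice\s+\S+\s+Document Ready for Signature$",
               re.IGNORECASE),
]

WORD_EXTENSIONS = (".doc", ".docm", ".docx")


@dataclass
class Message:
    subject: str
    attachments: tuple  # attachment file names


def matches_docusign_lure(subject: str) -> bool:
    """True when the subject fits one of the advisory's two templates."""
    return any(p.search(subject.strip()) for p in SUBJECT_PATTERNS)


def has_word_attachment(attachments) -> bool:
    return any(a.lower().endswith(WORD_EXTENSIONS) for a in attachments)


def classify(msg: Message) -> str:
    """'quarantine': lure subject plus Word attachment; 'review': lure subject only."""
    if matches_docusign_lure(msg.subject):
        return "quarantine" if has_word_attachment(msg.attachments) else "review"
    return "allow"


def classify_all(messages):
    return [classify(m) for m in messages]


# Constructed sample messages, not real campaign data.
SAMPLE_MESSAGES = [
    Message("Completed: example.com – Wire transfer for Jane Doe Document Ready for Signature", ("Document.docm",)),
    Message("Completed billing@example.com – Accounting Invoice 4471 Document Ready for Signature", ("invoice.pdf",)),
    Message("Re: lunch on Friday", ()),
]

if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, classify_all(SAMPLE_MESSAGES)):
        print(f"{verdict:10} {m.subject}")
```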