The DocuSign hack: how could you be affected?

Digital signature company DocuSign, known for largely digitising the signing and authorisaton of confidential documents, is the latest victim of hacking. The attack involves hackers gaining access to the email addresses of the service’s users and sending out spoofed, malware-riddled emails appearing to be from the DocuSign platform.

The result of the hack is a significant increase in spoofed emails purporting to be from DocuSign. While DocuSign has been the subject of phishing emails previously, the hackers’ direct access to its customers means it poses a bigger risk, as they can now directly target its customer base.

DocuSign was quick to point out that only email addresses of customers with DocuSign accounts were accessed, and not additional identifying information such as addresses, passwords, financial information, or any customer documents sent and signed through the service. This means that employees and clients of those with accounts are unlikely to receive spoofed emails as part of this malicious campaign. While this will be a relief to those affected, it’s still a significant issue. According to Forbes, the compromised email addresses could easily be matched up with personal data leaked elsewhere.

This means that dedicated hackers could obtain an email address from an employee of yours who has DocuSign and look up the company online. From there, they could use publicly accessible data to target your customers. Maybe you’ve got customer case studies on your website, or your customers promote you on their website; this is all information that a particularly scrupulous hacker could use to target your customers, sending a spoofed email purporting to be DocuSign on behalf of your business.

Email spoofing is a long-held tactic by hackers used primarily for phishing or spreading malware like Ransomware. Hackers will pretend to be either a reputable person or a company by mimicking their email branding, layout and tone of voice, with the aim of distributing malware or gaining credentials via phishing.

Companies like Apple are regularly spoofed, as hackers send out fake invoices or receipts in the hope of scaring the user into clicking the link to ‘access their account’; in reality the victim is directed to a fake website where they enter their details. Hey presto, you’ve been phished. You can find out more about the tactic of email spoofing, included hackers who spoof your colleagues and how to spot these emails, in our recent blog: email spoofing exposed.

DocuSign reports some of the malicious emails include subject lines like ““Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature” or “Completed *company name* – Accounting Invoice *number* Document Ready for Signature”. The emails come from a non-DocuSign domain – a key element in spotting a spoofed email – but come from similar glance-and-you’ll-miss-it domains like docus.com or docusgn.com.

It’s said that the emails contained a malicious attachment; an infected macro-enabled Word document hidden in the email links which, when clicked on and automatically downloaded, would install malware. This is a very common way to distribute Ransomware, which hit the headlines after a global attack brought the NHS, Telefonica and FedEx, amongst thousands of other businesses, to a halt.

What can I do to avoid falling victim to this hack?

If you’re a DocuSign customer, the hackers probably now have your email address. If you have an account with DocuSign, don’t click anything in an email purporting to be from DocuSign or carried via DocuSign. This advice is echoed by security researcher Brian Krebs, who recommends logging into your account for an accurate overview of any documents you need to action.

If you’ve ever used DocuSign before but you’re not a direct customer, you could still be targeted by this attack. Again, it’s highly recommended that you don’t click any links or download any documents included in, or attached to, emails supposedly from DocuSign. Always check with the person or company that the document is allegedly coming from to see if they really sent it. It might even be worth contacting your customers and letting them know about this to ensure they don’t fall for an email purporting to be from your business.

Additional advice on spotting spoofed emails can be found in our blog dedicated to email spoofing. This includes thoroughly checking the email domain (which is often the biggest giveaway; hackers can’t exactly replicate a domain so they’ll try to use something close to it), checking the email content and talking to the relevant person or organisation.

DocuSign has released a comprehensive PDF on spotting the emails and malicious domains that are known to them.

We’d recommend that all our customers be vigilant with any emails received from DocuSign. Follow the advice both in our blog and that issued by DocuSign and if in doubt, don’t click any links and speak directly to the person who allegedly sends you the document.