Accounts Not Payable: Unpatched WordPress Site and DocuSign Fake Email

DocuSign seems to be winning the popularity contest amongst cybercriminals as MailGuard intercepts a second phishing scam imitating the global electronic agreement provider in just a matter of days. The scam emails appear to come from a compromised account belonging to a U.S. immigration law firm, as recipients are presented with an email purporting to be from the Accounts Department notifying the victim of an ‘EFT confirmation’ in .pdf format. Other trusted names such as Office 365, Gmail and AOL have been impersonated in the process.  

Victims receive the following email, which claims to be powered by DocuSign.  

When the recipient clicks on the yellow ‘Review Document’ button in the email, they are taken to a fake DocuSign page, which although it appears to be legitimate, on closer look contains no other functionality than the email click-through buttons. The page advises victims that they can proceed to access the ‘Encrypted File(s)’ via a choice between three email logins catering to the user's preferences. Namely, ‘AOL’, ‘Office 365’ or ‘Other Email’.  

It is interesting to note that DocuSign has also been used again in the hosting website (‘DocuSign Global Standard for E Signature’), which is a compromised WordPress site, likely breached via an old plugin that is unpatched. The hosting address is unchanged throughout the whole scam.  

Clicking on each email option, will take users to respective counterpart login screens as per below. 

Scammers have tried to copy the branding and imagery of Office 365, this time using a somewhat outdated Christmas themed image. Note that this option also includes a message for the recipient to ‘learn more’ about how to get ‘free storage to save and share files’ under the guise of SkyDrive, a free storage platform offered to anyone that currently has a Microsoft account. Clicking on the ‘learn more’ button takes you to a legitimate Microsoft Support website. 

The hosting site and the imagery of the Google sign-in page is a replica of the original page that a Gmail account holder would use to sign-in to their email.  

DocuSign provides the following helpful advice regarding phishing scams using their name, which can be found on their website: https://www.docusign.com/trust/security/incident-reporting   

“Fake links  

1. Avoid fake links by accessing your documents directly from https://www.docusign.com using the unique security code found at the bottom of the DocuSign notification email.  

1. Always check where a link goes before you click on it by hovering your mouse over the link to look at the URL in your browser or email status bar (they should be hosted on docusign.com or docusign.net). A fraudulent link is dangerous and can:  

• Direct you to a fake website that tries to collect your personal data  
• Install spyware on your system (spyware is an application that can enable a hacker to monitor your actions and steal any login IDs, passwords, or credit card numbers you type)  
• Cause you to download a virus that could disable your computer  

Fake sender email address  

1. Fake emails may include a forged email address in the "From" field, which is easily altered. If you don’t recognize the sender of a DocuSign envelope, contact the sender to verify the authenticity of the email.  

Attachments  

1. DocuSign emails that request you to sign a document never contain attachments of any kind.  Don’t open or click on attachments within an email requesting your signature. DocuSign emails only contain PDF attachments of completed documents after all parties have signed the document. Even then, pay close attention to the attachment to ensure it’s a valid PDF file. DocuSign never attaches zip files or executables.  

Generic greetings  

1. Many fake emails begin with a generic greeting like “Dear DocuSign Customer.” If you don’t see your name in the salutation, be suspicious and don’t click on any links or attachments.  

False sense of urgency  

1. Many fake emails try to deceive you with the threat that your account is in jeopardy if you don’t provide immediate updates. They may also state that unauthorized transactions have occurred on your account or that DocuSign needs to update your account information immediately.  

Emails that appear to be websites  

1. Some fake emails are made to look like a website to get you to enter personal information. DocuSign never asks you for personal information, including login, ID, or password, via an email.  

Deceptive URLs  

1. Check the Web address. Just because the address looks OK, don't assume you're on a legitimate site. Look in your browser's URL bar for signs that you may be on a phishing site:  

• Often the Web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name, such as docusing.com instead of docusign.com  
• Look for tricks like substituting the number "1" for the letter "l" in a Web address or transposing consecutive letters of the brand, such as rea1estate.docusign.com instead of realestate.docusign.com  
• Your browser has ways of detecting certain types of malicious sites—always heed these browser warnings, especially when they notify you that the site or certificate can’t be trusted  

Misspellings and bad grammar  

1. While no one is perfect, fake emails often contain misspellings, incorrect grammar, missing words, and gaps in logic. Mistakes like this help fraudsters avoid spam filters.  

Unsafe sites  

1. The term "https" should always precede any website address where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure Web session, and you shouldn’t enter any personal data. A legitimate DocuSign sign-in page address always starts with “https://” not “http://.”  

Pop-up boxes  

1. DocuSign never uses a pop-up box in an email, because pop-ups aren’t secure.  

• DocuSign-themed fraudulent emails and websites: if you think that you’ve received a fraudulent email purporting to come from DocuSign, forward the entire email as an attachment to spam@docusign.com and delete it immediately.  

DocuSign-themed fraudulent emails and websites: if you think that you’ve received a fraudulent email purporting to come from DocuSign, forward the entire email as an attachment to spam@docusign.com and delete it immediately.”  

MailGuard urges all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity.   

MailGuard urges users not to click links or open attachments within emails that:  

• Are not addressed to you by name.  
• Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.  
• Are from businesses that you were not expecting to hear from, and/or  
• Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.   

One email is all that it takes  

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.  

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's network. 

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.