DocuSign Phishing Campaign Includes Hancitor Downloader

Electronic document exchange vendor DocuSign warned on Monday of a wave of phishing emails targeting its customers with links to malicious Word documents. The campaign, it said, was tied to an earlier breach of its computer networks where hackers were able to gain “temporary access” and exfiltrate an undisclosed number of customer email addresses.
DocuSign, with 100 million users and 250,000 business accounts, said “no names, physical addresses, passwords, social security numbers, credit card data or other information” were stolen by the hackers.
Phishing emails spoofed the DocuSign brand and included a hyperlink to a Word document that contained a malicious macro. If the document is downloaded and the macro is enabled, it delivers the Hancitor downloader. Next, Hancitor downloads either the credential-stealing Pony, EvilPony or ZLoader malware, said Gregor Perotto, senior director, global corporate marketing and communications for DocuSign.
Earlier this year, researchers had reported a lull in the distribution of spam spreading information-stealing malware via Hancitor. That dry spell ended in January when SANS Internet Storm Center noted a sharp increase in spam containing links to download Word documents with macros that, if enabled, downloaded Hancitor.
The DocuSign malicious email campaign began last week, according to the company. That’s when DocuSign said it began tracking emails that featured the subject line “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature”.
On Monday, DocuSign again reached out to customers informing them that it was continuing to track the malicious email campaign and that the subject line had changed. It now read, “Completed company name – Accounting Invoice number Document Ready for Signature”, according to the company. Emails also had links to downloadable Word documents that contained Hancitor. Spoofed sender email addresses included @docusign.com or @docusign.net domains, DocuSign said.
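For mail administrators, the two subject-line templates and the spoofed sender domains reported above can be turned into a triage check. The sketch below is an added example, not code from DocuSign or the original article; the `triage` and `_mail` helpers, the sample messages and the reliance on a gateway-written `Authentication-Results` header are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject templates quoted in DocuSign's alerts; the variable parts (recipient
# name, company name, invoice number) are wildcards. Either dash form matches.
SUBJECTS = [
    re.compile(r"^Completed: docusign\.com\s*[-–]\s*Wire Transfer Instructions "
               r"for .+ Document Ready for Signature$", re.I),
    re.compile(r"^Completed .+?\s*[-–]\s*Accounting Invoice \S+ "
               r"Document Ready for Signature$", re.I),
]
SPOOFED = {"docusign.com", "docusign.net"}

def triage(raw):
    """Return the reasons a raw RFC 5322 message matches the campaign."""
    msg = message_from_string(raw, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).split())
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    # Assumption: the receiving gateway writes Authentication-Results and
    # removes any copy of that header supplied by the sender.
    auth = str(msg.get("Authentication-Results", "")).lower()
    reasons = []
    if any(p.match(subject) for p in SUBJECTS):
        reasons.append("campaign-subject")
    if domain in SPOOFED and "dmarc=pass" not in auth:
        reasons.append("unauthenticated-docusign-sender")
    return reasons

def _mail(sender, subject, auth=None):
    # Builds a constructed sample message (not a captured one).
    head = [f"From: {sender}", "To: user@example.org", f"Subject: {subject}"]
    if auth:
        head.append(f"Authentication-Results: mx.example.org; {auth}")
    return "\n".join(head) + "\n\nbody\n"

SAMPLES = {
    "wire": _mail("DocuSign <dse@docusign.net>", "Completed: docusign.com - Wire "
                  "Transfer Instructions for jdoe Document Ready for Signature",
                  "spf=fail; dmarc=fail"),
    "invoice": _mail("billing@docusign.com", "Completed Example Corp - Accounting "
                     "Invoice 48213 Document Ready for Signature"),
    "legit": _mail("dse@docusign.net", "Completed: Please DocuSign: NDA.pdf",
                   "dmarc=pass header.from=docusign.net"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

A message that trips both checks is a strong candidate for quarantine; one that trips only the sender check still merits review, since the subject line has already changed once during this campaign.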
“As part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed,” the company said.
It reiterated that the breach did not impact the privacy of customer documents sent through DocuSign’s eSignature platform. It is encouraging customers who receive malicious emails to forward them to spam@docusign.com.
Still unknown is how many DocuSign email addresses were stolen.
Security experts report incidents of macro-based malware have steadily been on the rise in 2016. In the enterprise, Microsoft reports, 98 percent of Office-targeted threats still use old-school macro-based attacks.
The increase in macro-based attacks began earlier last summer, and criminals have been increasingly turning to Office macros to deliver malware versus using more traditional means such as exploit kits.