A famous electronic document signing platform, DocuSign, fall prey to phishing attacks recently. Attackers used fake emails with COVID-19 related news to lure victims into clicking malicious links. Approx. 20,000 to 50,000 employees have received such impersonating emails over the last few weeks.
As explained, it is an e-platform allowing its user to sign all their documents digitally using an internet-enabled device. DocuSign is used by a lot of businesses and many self-employed citizens who can have documents of high importance stored in their systems. With the coronavirus forcing everyone to work from home and maintain a social distance, the use of this platform has skyrocketed in recent times. DocuSign is a well-established brand in the market with more than 85 million users worldwide. It is also present in 185+ countries. Indias biggest IT firm, TCS, is also an avid user of this software.
Luring the victim
Attackers are using the email that claims to be an automated email from DocuSign. The emails also include an attachment that supposedly contains a malicious link. The email says that this document is sent by “CU #COVID19 Electronic Documents” and it requires the user review. This generates curiosity about the document as the email has no further description of the document attached. Attackers have also used real images and other content that DocuSign uses in their official emails. All these add up to lure the victim into clicking the link to open the document.
What happens after?
As soon as the user clicks the link, the user is redirected thrice to reach a website with a fake DocuSign login page. The URL which is sent to the victim in the email is wrapped in text and is sent via a link of SendGrid. This helps the attacker the hide the link and the only way left with the victim to know the link address is by opening it. As soon as the user clicks on this, he is redirected multiple times. This technique is used so that it can bypass the email URL detection system. These detection systems are not equipped to crawl multiple redirects.
The fake login page!
After 3 redirections, the victim is finally landed on a fake login page which resembles DocuSgn’s actual login page. Attackers have managed to create a very close replica by using actual images which are displayed on the website. They also have used several links to DocuSign’s official website which makes this fake page look more legitimate. As soon as the user enters their credentials, they are recorded and transferred to the attackers. Using this technique they can not only hack in DocuSign account but can also hack the business account that is acclimated with it.
The attackers are trying to capitalize on users’ anxiety regarding the coronavirus. These are tough times and everywhere you go, you will get people discussing Covid-19. Be it in televisions, newspapers, or blogs, corona news is spreading like wildfire. The users want to keep them updated with the latest corona related news so that they can protect themselves and their families. As a result, any email with corona news automatically grabs more attention than any other topic. And hackers also realize this thing. They have tried to manipulate things in their favor since the beginning of this virus. There are COVID-19 based ransomware tools out there that are asking to pay in bitcoins. Several state-backed hacker groups are inciting fear among locals by spreading emails with fake news. A recent such attack was carried out by a Russia based group called “hades” which circulated fear inciting emails related to cornea virus. This led to a civil war-like scenario among Ukrainian people
Being aware of such phishing attacks is the best that one can do. Sharing the news with fellow employees using this tool can help them to prevent any such mishappening. Secondly, it always advised checking the email address from which you receive any email. Often, attackers use a misspelled version of the actual email address to confuse the victims. It is also advisable to look at all the pages with scrutiny before entering any credentials. People should follow extra precautions while opening up links and documents from emails.