- Cyber Hunter
Hackers' Favorite Phishing Spot
Phishing attacks continue to grow in both frequency and sophistication and remain a high threat, with tradecraft that combines deceptive, spear, and fraudulent techniques in a single campaign. These cyber criminals have adapted to recognize user behavior, luring people in organizations who must perform specific services in their daily operations.
In mid-May, DocuSign, an electronic signature technology company, notified its customers that a core network had been compromised, resulting in exploitation of user email addresses. This allowed bad actors to send fraudulent DocuSign-branded emails to users. DocuSign users are business professionals who conduct online approvals of a purchase, close a sale, or digitally sign an agreement. The malicious email customers received contained a subject line of “Completed: docusign.com—Wire Transfer Instructions for [recipient-name] Document Ready for Signature.” Using DocuSign as a cover for a request to wire funds dramatically increased the likelihood that users would click on the embedded malicious link.
Each email contained a link that, when clicked, downloads a malicious Word document to the victim’s computer. Reported analysis of the Word document found that it contained a malicious macro that executes Hancitor, a commonly seen malware dropper. If macros are enabled on a victim’s computer, Hancitor downloads and installs EvilPony and Zloader, both data-stealing malware. The infected system will subsequently call out to command and control sites operated by the cyber criminals.
In related activity, the ActiveCanopy Cyber Operations Center has seen at least two phishing campaigns against client networks utilizing the DocuSign phishing method. Some of the indicators of compromise were masked DocuSign links to some of the following domains.
This type of activity highlights the daily need for employees to remain vigilant and understand the indicators of a possible fraudulent email. Training and continuous security awareness will greatly reduce infiltration of nefarious actors into your business operations. As this phishing campaign demonstrated, these criminals understand whom to target within businesses that are likely to process sensitive digital data. Businesses need to condition employees to question suspicious emails that could have made it past corporate network filters, as each deceived employee represents an opportunity to capture credentials, intercept communications, exfiltrate data, and more.