The DocuSign phishing attack is the latest malicious tactic used to coerce computer users into entering their account credentials on a fake login page. Doing so can have very dangerous consequences and can result in the system being infected with various malware. Our guide shows how potential targets can spot the scam and evade it.
| Name | DocuSign Phishing Scam |
| Type | Scam / Malware |
| Short Description | This scam uses harvested or stolen information about the users by posing as a legitimate service. |
| Symptoms | Displayed scam login pages. |
| Distribution Method | Via e-mail messages, redirects and browser hijackers. |
DocuSign Phishing Scam – Overview
The security community has warned of a new threat: the DocuSign Phishing Scam. The hackers behind it have created a counterfeit site that poses as a legitimate login page for DocuSign, one of the leading electronic signature companies.
The practice makes use of two common tactics associated with this type of threat:
- Domain Name — The hackers use a similar-sounding domain name: dacusign.^net vs. docusign.com.
- Web Elements — The criminals have hijacked legitimate web elements that are used by the service.
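The domain name tactic above can be checked automatically. The following is an added example, not code from the original article: it flags links whose host is a near-miss spelling of a protected brand or carries the brand name on an unrelated domain. The allowlist, the distance threshold, the function names and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only domain treated as genuine is the one named on this page.
PROTECTED = {"docusign.com"}
URL_RE = re.compile(r"https?://[^\s<>]+", re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, max_distance=2):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a host name."""
    # Undo common defanging ("^", "[.]") so indicators copied from reports match.
    host = host.lower().replace("^", "").replace("[.]", ".").strip(".")
    labels = host.split(".")
    # Naive registrable domain = last two labels; a public-suffix list is
    # needed for suffixes such as co.uk.
    if ".".join(labels[-2:]) in PROTECTED:
        return "legitimate"
    brands = {d.split(".")[0] for d in PROTECTED}
    for label in labels[:-1] or labels:
        for brand in brands:
            # Near-miss spelling, the brand embedded in a longer label, or
            # the brand pushed into a subdomain of an unrelated domain.
            if brand in label or edit_distance(label, brand) <= max_distance:
                return "lookalike"
    return "unrelated"

def suspicious_links(body):
    """Extract URLs from a message body and keep those on lookalike hosts."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if classify(host) == "lookalike":
            hits.append(url)
    return hits

# Constructed sample message; the .example hosts are placeholders.
SAMPLE = """Please review and sign: https://docusigm.example/sign?id=1
Help centre: https://support.docusign.com/
Account check: http://docusign.com.verify-login.example/auth
Unrelated: https://news.example/"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE):
        print("lookalike:", link)
```

In a real mail filter the allowlist would hold every domain the service actually uses, since any brand-named host missing from it is reported as a lookalike.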
Users can receive the DocuSign phishing scam through email messages. They are sent using a bulk distribution campaign and may either display the message itself or contain long text-based body contents that redirect to the constructed site. In most cases the messages will be sent via the spoofed domain. Another tactic would be to spoof other users and send the messages through them.
Still, the most popular method remains the site itself. Users can get redirected to it via malicious redirects and scripts. They come in various forms, most commonly disguised as pop-ups, banners, redirects, in-line hyperlinks, etc. In many cases they can also make use of affiliate networks, and users can reach them via banners that can be found even on legitimate sites.
The criminals can also employ browser hijackers. These are malicious web browser extensions that are usually spread on the plugin repositories and are advertised as useful additions. Most of them rely on fake developer credentials, false user reviews and elaborate descriptions. Once they are installed, a common tactic is to reconfigure the browsers into redirecting to a hacker-controlled page.
The reason why the DocuSign phishing scam is being performed against computer users is that the hackers can easily steal information. They have prepared a fake DocuSign login page that requests the users' credentials (email address and password) which, if entered, allow the criminal controllers to attempt to use them for additional services. The dangerous fact about the scam is that it allows the users to use other services to log in.
While the scam seems to primarily attempt to harvest user data, it can have some very dangerous consequences. Apart from giving the hackers access to a primary account credential, this information can then be used by the hackers to attempt to intrude into other accounts owned by the users.
A dangerous practice is the continued display of instructions to the victims. The hackers can lure them into downloading viruses of all kinds: Trojans, ransomware, worms, etc. Another dangerous tactic is when the site loads scripts or plugins into the affected browsers. A possible scenario is the introduction of cryptocurrency miners to the victim hosts. They use the available system resources in order to carry out complex mathematical calculations. The results are reported to a server and, as a reward, money is transferred to the criminal operators in the form of digital currency assets.