Popular digital signature service DocuSign today confirmed that hackers have been able to access customer e-mail addresses from one of its systems.
Hackers are now sending phishing e-mails to DocuSign customers, tricking them into clicking links that deliver malicious software.
DocuSign has added that while one of its systems was breached and e-mail addresses stolen, the hackers in question have not been able to obtain names, physical addresses, passwords, social security numbers, credit card data or other information of customers. Hackers have also not been able to penetrate the firm's core eSignature service, envelopes, customer documents or other data.
DocuSign is now advising customers not to open e-mails with subject lines like “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”. These e-mails carry malicious software that can infect computers and mobile phones and possibly gain root access.
At the same time, DocuSign has also advised customers not to click on links which do not start with either https://www.docusign.com or https://www.docusign.net. If you are a DocuSign subscriber, you need to forward any such malicious e-mails to firstname.lastname@example.org before deleting them.
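The advisory gives two checks a mail filter or help desk can apply: the quoted subject-line patterns, and whether links point at www.docusign.com or www.docusign.net. The following is an added example, not code from the article or from DocuSign, that applies both checks to constructed sample messages. It goes slightly beyond the text by parsing each link's host instead of testing a string prefix, because a prefix test would accept a host such as `www.docusign.com.example` that merely begins with the expected name. The sample messages, the host names in them, and the function names are all assumptions made for the example.

```python
"""Added example (not from the article or DocuSign): screen an e-mail for the
lure described in the advisory.  All sample messages below are constructed."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Subject-line patterns quoted in the advisory, as regular expressions.
LURE_SUBJECTS = [
    re.compile(r"^Completed:?\s.*Wire transfer for .*Document Ready for Signature", re.I),
    re.compile(r"^Completed:?\s.*Accounting Invoice .*Document Ready for Signature", re.I),
]

# The only link destinations the advisory names as legitimate.
ALLOWED_HOSTS = {"www.docusign.com", "www.docusign.net"}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def body_text(msg: Message) -> str:
    """Concatenate every text/* part of the message (single-part or multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def extract_links(body: str) -> list:
    """Collect href targets and bare URLs, deduplicated, in order of appearance."""
    seen, out = set(), []
    for link in HREF_RE.findall(body) + URL_RE.findall(body):
        if link not in seen:
            seen.add(link)
            out.append(link)
    return out


def is_allowed_link(url: str) -> bool:
    """True only for HTTPS links whose parsed host is exactly an allowed DocuSign host.
    Checking the parsed host, not a string prefix, rejects look-alike hosts such as
    www.docusign.com.example that start with the expected name."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    return parsed.scheme == "https" and (parsed.hostname or "").lower() in ALLOWED_HOSTS


def analyse(raw_message: str) -> dict:
    """Return the two advisory checks plus an overall verdict for one raw e-mail."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    lure_subject = any(p.search(subject) for p in LURE_SUBJECTS)
    suspicious = [u for u in extract_links(body_text(msg)) if not is_allowed_link(u)]
    return {
        "subject": subject,
        "lure_subject": lure_subject,
        "suspicious_links": suspicious,
        "verdict": "suspicious" if (lure_subject or suspicious) else "clean",
    }


# Constructed sample: subject matches the advisory's first pattern and the link
# host only *starts with* www.docusign.com.
SAMPLE_PHISH = """\
Subject: Completed: example.com - Wire transfer for Jane Doe Document Ready for Signature
Content-Type: text/html

<p>Review the document: <a href="https://www.docusign.com.review-docs.example/open">View</a></p>
"""

# Constructed sample: ordinary subject, link host is exactly www.docusign.net
# (the path is made up for the example).
SAMPLE_LEGIT = """\
Subject: Your document has been completed
Content-Type: text/plain

Open it at https://www.docusign.net/doc/123 when convenient.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(analyse(sample))
```

Forwarding a flagged message to the reporting address in the advisory and then deleting it is the step the article asks of subscribers; the script only decides which messages warrant that.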
"We have taken immediate action to prohibit unauthorized access to this system, we have put further security controls in place, and are working with law enforcement agencies," said the firm. It added that the leaked e-mail addresses belonged only to DocuSign customers and 'were stored in a separate, non-core system used for service-related announcements.'
The DocuSign event is yet another addition to a flurry of phishing attacks conducted by hackers on businesses, vendors and customers this year. While a phishing scam earlier this month gained access to Gmail contact lists and spammed hundreds of accounts, many top US universities, including Carnegie Mellon University, were targets of a potent phishing attack. A similar phishing scam in April swindled $100 million from the likes of Google and Facebook.
"A large enterprise has a number of backstops and usually has a response ready when it happens. But a small organization … the initial infection can probably lead to something more serious and greater," says Stephen Cobb, senior security researcher at ESET. The fact that smaller firms often act as vendors or suppliers to bigger firms exposes the larger firms to phishing attacks or data breaches.
According to Symantec, while only 18% of all businesses targeted by phishing attacks in 2011 were small businesses employing up to 250 people, the figure rose to 43% in 2015. At the same time, the percentage of large businesses falling victim to such phishing attacks came down from 50% in 2011 to 35% in 2015.