Mimecast
By Kian Mahdavi, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) has found a phishing campaign that aims to harvest users’ credentials by invoking references to DocuSign. At first glance, the email is kept short and sweet in a bid to lure the user into viewing the invoice. Proofpoint and Microsoft’s Secure Email Gateway (SEG) both detected the phishing campaign but failed to stop it. The success of this attack is attributed to the skillfully concealed legitimate links within the PDF attachment.
Here’s what happened:
Figure 1 – Email body
The subject of this phish is a vague “Invoice attached,” prompting the user to learn more. The sender’s display name is William G. Kern; however, the email address begins with “bill.kern”. Could this be a mistake by the attacker? One would expect the display name and email address to match one another. As we pan down, we note that the attachment name is a numerical sequence, with no indication of a detailed transaction, which draws the attention of inquisitive users.
Following on from the above, the email consists of just two sentences: the first thanks the user for their “business,” and the second encourages the user to contact the sender by telephone should there be any discrepancies. The norm would be to touch base via email; this arrangement provides the attacker full anonymity while leveraging their spoofing techniques, a perfect social engineering tactic.
Figure 2 – Attached PDF
The above screenshot shows what the attachment looks like when opened. Behind the “authentication required” message is a document with a substantial amount of text, including two bulky signatures. Perplexed users are led to believe they are one step closer to viewing the invoice.
It’s important to note the role the subdomain “myemail” plays in this attack: it hosts the initial malicious webpage, rather than the compromised root domain “constantcontact[.]com.” Consider the social engineering language toward the end of the URL below. It’s a troubling yet effective method that attackers use to spread phishing sites.
Figure 3 – Redirect Malicious DocuSign Link
Upon clicking the hyperlinked “Review” button in Figure 2, the website “myemail[.]constantcontact[.]com” opens in the default browser. Because a legitimate service is used, such campaigns almost certainly pass email authentication checks such as DKIM/SPF. Better still, the built-in SSL certificate shown in the address bar lets the domain appear “trusted,” presenting the green padlock at the beginning of the URL. It appears the domain had been purchased and hosted through namecheap[.]com, a web-hosting platform.
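The indicators called out above (a display name whose first name does not appear in the sender's local part, an attachment name that is only digits, and a link hosted on a subdomain of a legitimate shared service rather than on the service's root domain) can be turned into simple triage checks. The following is an added example written for this article, not Cofense PDC tooling. The sender's domain, the attachment file name and the URL path are constructed placeholders; only the display name, the "bill.kern" local part and the "myemail[.]constantcontact[.]com" host come from the write-up. The registrable-domain logic is a naive last-two-labels approximation and a production version should use the Public Suffix List.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Legitimate services the article describes as abused for link hosting.
# Extend this set with your own allow/watch list (assumption).
SHARED_HOSTING_DOMAINS = {"constantcontact.com"}

# Constructed samples modelled on the campaign in the article. The sender
# domain, the attachment name and the URL path are placeholders.
SAMPLE_FROM = "William G. Kern <bill.kern@sender-placeholder.example>"
SAMPLE_ATTACHMENT = "8374615.pdf"
SAMPLE_LINK = "hxxps://myemail[.]constantcontact[.]com/review-placeholder"


def refang(url):
    """Turn a defanged URL (hxxp, [.]) back into a parseable one."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def first_name_mismatch(from_header):
    """True when the first word of the display name does not occur in the
    local part of the address, e.g. 'William G. Kern' vs 'bill.kern'."""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False
    words = re.findall(r"[a-z]+", name.lower())
    local = addr.split("@", 1)[0].lower()
    return bool(words) and words[0] not in local


def numeric_attachment_name(filename):
    """True for names such as '8374615.pdf' that carry no transaction detail."""
    stem = filename.rsplit(".", 1)[0]
    return stem.isdigit()


def registrable_domain(host):
    """Naive last-two-labels approximation of the registrable domain
    (assumption: a real deployment should consult the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def hosted_on_shared_service(url):
    """Return (flag, subdomain, root): flag is True when the link host is a
    subdomain of a service in SHARED_HOSTING_DOMAINS, as with 'myemail'."""
    host = urlparse(refang(url)).hostname or ""
    root = registrable_domain(host)
    sub = host[: -len(root) - 1] if host.endswith("." + root) else ""
    return (root in SHARED_HOSTING_DOMAINS and bool(sub), sub, root)


def triage(from_header, attachment, link):
    """Collect the three indicators into one verdict dictionary."""
    flag, sub, root = hosted_on_shared_service(link)
    return {
        "display_name_mismatch": first_name_mismatch(from_header),
        "numeric_attachment": numeric_attachment_name(attachment),
        "shared_service_link": flag,
        "link_subdomain": sub,
        "link_root": root,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FROM, SAMPLE_ATTACHMENT, SAMPLE_LINK).items():
        print(f"{key}: {value}")
```

None of these checks is conclusive on its own (a nickname in the local part or a numeric invoice number is common in legitimate mail), so they are best used as triage signals that raise an email's review priority rather than as block rules.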
Figure 4 – Payload Phishing Site
The sequel to this campaign is a somewhat similar “DocuSign” phishing site inviting users to enter their credentials.
DocuSign does not require an account to log in. The document would be sent via email from [email protected][.]net, allowing recipients to review the document, add a signature and complete the signing process.
Upon logging in, the user is under the impression that he or she has been authenticated by the legitimate DocuSign service. At this point, the user’s credentials are unfortunately in the hands of the threat actor.