
By Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has found a phishing campaign that aims to harvest users' credentials by making references to DocuSign. At first glance, the email is kept short and sweet in a bid to lure the user into viewing the invoice. Both Proofpoint's and Microsoft's Secure Email Gateways (SEGs) detected but failed to stop the phishing campaign. The success of this attack is attributed to the skillfully concealed links to a legitimate service within the .PDF attachment.

Here's what happened

Figure 1 – Email body

The subject of this phish is the vague "Invoice attached," prompting the user to learn more. The sender's display name is William G. Kern, yet the email address begins with "bill.kern"; could this be a mistake on the attacker's part? One would expect the display name and the email address to match one another. Panning down, we note that the attachment's name is purely numerical, with no hint of what transaction it relates to, which draws the attention of inquisitive users.

Following on from the above, the email features just two sentences: the first thanks the user for their "business," and the second encourages the user to contact the sender by telephone should there be any discrepancies. The norm would be to follow up with one another via email; steering the user to the telephone instead preserves the attacker's anonymity and keeps the spoofed sender address away from scrutiny, a well-chosen social engineering tactic.
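The header and attachment tells described above (a display name that does not line up with the address local part, a vague invoice subject, and a purely numeric attachment name) can be scored automatically at triage time. The script below is an added example, not code from Cofense or from the original post; the sender address domain and the attachment filename are constructed placeholders, and the small nickname table is an assumption added so that a "Bill"/"William" pairing is reported as a soft rather than a hard mismatch.

```python
import re
from email.utils import parseaddr

# Constructed sample headers for illustration. The address domain is a
# placeholder and is not taken from the campaign on the page.
SAMPLE_FROM = "William G. Kern <bill.kern@sender.example>"
SAMPLE_SUBJECT = "Invoice attached"
SAMPLE_ATTACHMENTS = ["0014782.pdf"]          # constructed numeric-only name

# Assumed nickname table: lets the checker distinguish a plausible shortening
# (bill -> william) from a local part that has nothing to do with the name.
NICKNAMES = {"bill": "william", "will": "william", "bob": "robert",
             "rob": "robert", "jim": "james", "mike": "michael"}

# Subjects that give the recipient nothing to verify the mail against.
VAGUE_SUBJECTS = {"invoice attached", "invoice", "document attached"}


def name_tokens(display_name: str) -> set:
    """Lower-cased words of the display name, dropping single-letter initials."""
    return {t for t in re.findall(r"[a-z]+", display_name.lower()) if len(t) > 1}


def localpart_tokens(local_part: str) -> set:
    """Split 'bill.kern' / 'bill_kern2' into its alphabetic parts."""
    return {t for t in re.split(r"[^a-z]+", local_part.lower()) if t}


def header_consistency(from_header: str) -> tuple:
    """Return (strict, lenient): does every local-part token appear in the
    display name exactly (strict) or after nickname expansion (lenient)?"""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False, False
    names = name_tokens(name)
    parts = localpart_tokens(addr.split("@", 1)[0])
    if not parts:
        return False, False
    strict = parts <= names
    lenient = all(t in names or NICKNAMES.get(t) in names for t in parts)
    return strict, lenient


def attachment_name_is_numeric(filename: str) -> bool:
    """True for names like 0014782.pdf that carry no transaction context."""
    stem = filename.rsplit(".", 1)[0]
    return stem.isdigit()


def triage(from_header: str, subject: str, attachments: list) -> dict:
    """Collect the social-engineering tells into a list of flags and a score."""
    strict, lenient = header_consistency(from_header)
    flags = []
    if not strict:
        flags.append("display name does not match address local part")
    if not lenient:
        flags.append("mismatch persists even allowing common nicknames")
    if subject.strip().lower() in VAGUE_SUBJECTS:
        flags.append("vague invoice subject")
    for name in attachments:
        if attachment_name_is_numeric(name):
            flags.append("numeric-only attachment name: " + name)
    return {"flags": flags, "score": len(flags)}


if __name__ == "__main__":
    result = triage(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_ATTACHMENTS)
    for flag in result["flags"]:
        print("FLAG:", flag)
    print("score:", result["score"])
```

A score of zero is the expected outcome for ordinary business mail; the constructed sample above trips three of the four checks, which is a reasonable threshold for routing a message to human review rather than blocking it outright.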

Figure 2 – Attached PDF

The above screenshot displays what the attachment looks like when opened. Behind the "authentication required" message is a document with a substantial amount of text, including two bulky signatures. Perplexed users are led to believe they are a step closer to unveiling the invoice.

Note the role the subdomain "myemail" plays in this attack: it hosts the initial malicious webpage, rather than the legitimate root domain "constantcontact[.]com." Consider the social engineering language toward the end of the URL below. It is a troubling yet effective method that attackers use to spread phishing sites.

“hXXps://myemail[.]constantcontact[.]com/The-latest-news-for-you.html?”

Figure 3 – Redirect Malicious DocuSign Link

Upon clicking the hyperlinked "Review" button in Figure 2, the website "myemail[.]constantcontact[.]com" opens in the default browser. Because a legitimate service is being abused, such campaigns almost certainly pass email authentication checks such as DKIM and SPF. Better still for the attacker, the site's built-in SSL certificate lets the domain appear "trusted," presenting the green padlock at the beginning of the URL in the address bar. It appears the domain had been purchased and hosted through namecheap[.]com, a web-hosting platform.

Figure 4 – Payload Phishing Site

The sequel to this campaign is a broadly similar "DocuSign" phishing site inviting users to enter their credentials.

The genuine DocuSign service does not require an account to sign a document. The document would be sent via email from dse@docusign[.]net, allowing recipients to review the document, apply a signature and complete the signing process.

Upon logging in, the user is under the impression that he or she has been authenticated by the legitimate DocuSign service. At this point, the user's credentials are unfortunately in the hands of the threat actor.

Network IOCs

URLs and IPs

hXXps://myemail[.]constantcontact[.]com/The-latest-news-for-you.html
208[.]75[.]122[.]131

hXXps://domainnameonline[.]net/
199[.]188[.]200[.]202
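The defanged indicators above are only useful once they are refanged and matched against the links actually found in mail and attachments, and the subdomain-versus-root-domain point made for "myemail[.]constantcontact[.]com" deserves its own check, since blocking the root domain of a legitimate marketing service is rarely an option. The script below is an added example, not code from Cofense or from the original post. It uses the page's own IOCs; the shared-hosting root list and the sample link text are constructed, and the registered-domain split is a deliberate simplification (last two labels) that production code should replace with a Public Suffix List lookup.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as listed on the page, in defanged form.
DEFANGED_IOCS = [
    "hXXps://myemail[.]constantcontact[.]com/The-latest-news-for-you.html",
    "208[.]75[.]122[.]131",
    "hXXps://domainnameonline[.]net/",
    "199[.]188[.]200[.]202",
]

# Constructed list of legitimate services whose customer subdomains have been
# seen hosting phishing pages; extend it from your own intelligence.
SHARED_HOSTING_ROOTS = {"constantcontact.com"}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(value: str) -> str:
    """Turn hXXps://a[.]b back into https://a.b so it can be parsed."""
    v = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def defang(value: str) -> str:
    """Inverse of refang, for writing indicators back into a report safely."""
    v = value.replace(".", "[.]")
    return re.sub(r"^http", "hXXp", v, flags=re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Simplified: last two labels. Assumption for the example only; use the
    Public Suffix List in real code (co.uk and friends break this rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def build_index(defanged: list) -> tuple:
    """Split the IOC list into a set of hostnames and a set of IP addresses."""
    hosts, ips = set(), set()
    for ioc in defanged:
        value = refang(ioc)
        if IPV4.fullmatch(value):
            ips.add(value)
        else:
            hosts.add(urlparse(value).hostname)
    return hosts, ips


def assess_url(url: str, hosts: set, ips: set) -> dict:
    """Match one link against the IOC index and the shared-hosting heuristic."""
    host = (urlparse(url).hostname or "").lower()
    root = registered_domain(host)
    return {
        "host": host,
        "registered_domain": root,
        "known_ioc": host in hosts or host in ips,
        # A customer subdomain of a legitimate service: block the host, not the root.
        "on_shared_hosting": root in SHARED_HOSTING_ROOTS and host != root,
    }


def scan_text(text: str, hosts: set, ips: set) -> list:
    """Extract http(s) links from extracted PDF/email text and assess each."""
    links = re.findall(r"https?://[^\s\"'<>]+", text)
    return [assess_url(link, hosts, ips) for link in links]


if __name__ == "__main__":
    hosts, ips = build_index(DEFANGED_IOCS)
    # Constructed text standing in for what a PDF text extractor would return.
    sample = ("Authentication required. Review: "
              "https://myemail.constantcontact.com/The-latest-news-for-you.html? "
              "Terms: https://www.example.org/terms")
    for verdict in scan_text(sample, hosts, ips):
        print(defang(verdict["host"]), verdict)
```

The two flags are deliberately separate: "known_ioc" is a hard hit on the page's indicators, while "on_shared_hosting" is a softer signal that says the host should be blocked or reviewed at the subdomain level rather than at the root the legitimate service owns.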

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.