Author Topic: Email from:"DocuSign Electronic Signature and Invoice" - what's the story?  (Read 492 times)

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6053
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

From: "DocuSign Electronic Signature and Invoice" <docusign@vsimportservices.com>

Has anyone seen this email before? What is this about - trying to get you to download malware maybe?

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 23568
  • Over the Rainbow Bridge
    • The ELRepo Project

I suspect your suspicions are correct. Does the mail header show anything abnormal?
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6053
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

I cannot see anything suspicious about the headers. It was sent direct from the company vsimportservices mentioned. There is a load of html with a url in it which I thought was the only one that had the potential to be interesting and it was http://yapd.org/someloadofjunkpossbase64ididntcheck but when I try probing that web server it just times out. So I failed to work out what it was trying to do.

My best guess is that someone has taken someone's email format and inserted malicious URLs into it. I eventually noticed some ungrammatical English - why can evildoers never manage to write English properly?

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3674

Actually, I do sometimes find it interesting to analyse spam, work out what was the intention and where they got the “sucker” email from.

In this case, a few mins on Google reveal this to be a known phishing attack, linking to a malicious Word document. The emails are obviously fake, and not genuine DocuSign. See here...

https://www.docusign.com/trust/alerts/update-8222018-813-am-pacific-time-new-phishing-campaign-observed-today

More interestingly perhaps, it seems that DocuSign themselves were breached last year, leaking users' email addresses. This allowed the bad guys to target their spam with a decent probability that the recipient is actually using DocuSign's services, and may mistake it for something that's expected. See here...

https://krebsonsecurity.com/2017/05/breach-at-docusign-led-to-targeted-email-malware-campaign/comment-page-1/

Fairly sure I've been forced to use a service vaguely similar to DocuSign myself at some time, maybe to do business with a solicitor or an accountant, or something? I have never been comfortable with such goings on. :(

banger

  • Reg Member
  • ***
  • Posts: 751
  • Uno comms 80/20

Seems 7LM has your answer.
Tim
www.uno.net.uk & freenetname
Asus DSL-N55U and ZyXEL VMG1312-B10A Bridge on 80 Meg TTB Fibre

https://www.thinkbroadband.com/speedtest/1502566996147131655

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6053
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

Thanks indeed to 7LM.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6053
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

Did I see something in one of those articles that you linked to about malefactors getting hold of a mail server even? I tried to find it again, but no luck. Maybe the drugs.

Thing is, I could not see anything funny about the headers at all. Some of the English was garbled, which is what you would expect given the required level of illiteracy in every evildoer. But as far as the source of the thing, it looked convincing to me.

So is it possible it was sent from a legitimate but perverted official server? Or did I just read that wrong.
« Last Edit: August 24, 2018, 07:59:08 PM by Weaver »

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3674

If the villains were just spoofing "From" or "Reply-To" I would expect that to be evident in the mail headers, e.g. as "SPF fail". But I think I read somewhere, on one of the trails I followed, that the emails were generated from a farm of compromised accounts.

So far as I understand, that can effectively bypass SPF. For example, I use Google Apps (or whatever they call it nowadays) as mail hosts for my various domains. In order for my sent mail to pass SPF authentication I had to modify my domain DNS records to allow Google's servers to send mail on behalf of my domains. All well and good. But then, anybody who has stolen my Google credentials can connect to Google servers as me, send whatever spam they please, all passing SPF, as the sent spam originates from Google's servers, as per genuine mail. :(
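The point sevenlayermuddle makes above, that SPF authorises sending hosts rather than people, is easy to see with a small SPF evaluator. The following is an added example and not code from this thread or from any mail provider; it implements a subset of the RFC 7208 mechanisms (ip4, ip6, include, all) over a constructed DNS table that uses documentation-only addresses (192.0.2.0/24 etc.) and the made-up domains example.com and _spf.mailhost.example, so nothing here refers to a real provider's records. A spoof from an unrelated host fails SPF, while mail sent through the authorised mail host from a stolen account passes it just as genuine mail would.

```python
import ipaddress

# Constructed DNS TXT data for the example (not real records).
# example.com delegates its SPF policy to its mail host, as a Google Apps
# customer would with an include: of the provider's SPF record.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF terms for a domain, or None if it publishes no v=spf1 record."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_spf(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Simplified SPF check: does `ip` have permission to send mail for `domain`?

    Supports ip4, ip6, include and all; anything else yields 'permerror'.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms; guard against loops
        return "permerror"
    terms = lookup_spf(domain, dns)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "include":
            # include: matches only when the referenced domain's policy passes
            if check_spf(ip, argument, dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"  # mechanism not implemented in this toy evaluator
    return "neutral"  # no term matched and no explicit "all"


def spoof_vs_compromised_account():
    """Two constructed scenarios for mail claiming to be from example.com."""
    return {
        # Attacker's own host (203.0.113.7) forging the From address: SPF fails.
        "spoofed_from_unrelated_host": check_spf("203.0.113.7", "example.com"),
        # Attacker logged in to the mail host with stolen credentials, so the
        # message leaves an authorised server (192.0.2.25): SPF passes.
        "sent_from_compromised_account": check_spf("192.0.2.25", "example.com"),
    }


if __name__ == "__main__":
    for scenario, result in spoof_vs_compromised_account().items():
        print(f"{scenario}: {result}")
```

Because the second scenario also produces a valid DKIM signature and an aligned DMARC result, header authentication alone cannot distinguish it from legitimate mail; a receiver has to fall back on content and URL reputation, and the sending provider on account-takeover controls such as login anomaly detection and multi-factor authentication.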

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6053
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

You must surely be right, 7LM.