Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: Email from:"DocuSign Electronic Signature and Invoice" - what's the story?  (Read 887 times)

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6263
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

From: "DocuSign Electronic Signature and Invoice" <docusign@vsimportservices.com>

Has anyone seen this email before ? What is this about - trying to get you to download malware maybe"
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 23889
  • Over the Rainbow Bridge
    • The ELRepo Project

I suspect your suspicions are correct. Does the mail header show anything abnormal?
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6263
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

I cannot see anything suspicious about the headers. It was sent direct from the company vsimportservices mentioned. There is a load of html with a url in it which I thought was the only one that had the potential to be interesting and it was http://yapd.org/someloadofjunkpossbase64ididntcheck but when I try probing that web server it just times out. So I failed to work out what it was trying to do.

My best guess is that someone has taken someone's email format and inserted malicious urls into it. I eventually noticed some ungrammatical english - why can evildoers never manage to write english properly?
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3702

Actually, I do sometimes find it interesting to analyse spam, work out what was the intention and where they got the “sucker” email from.

In this case, a few mins on google reveal this to be a known phising attack, linking to a malicious word document.   The emails are obviously fake, and not genuine docusign.  See here...

https://www.docusign.com/trust/alerts/update-8222018-813-am-pacific-time-new-phishing-campaign-observed-today

More interestingly perhaps, it seems that docusign themselves were breached last year, leaking users’ email addresses.    This allowed the bad guys to target their spam with a decent probability that the recipient is actually using docusign’s services, and may mistake it for something that’s expected. See here...

https://krebsonsecurity.com/2017/05/breach-at-docusign-led-to-targeted-email-malware-campaign/comment-page-1/

Fairly sure I’ve been forced to use a service vaguely similar to docusign myself at some time, maybe to do business with solicitor or an accountant, or something?   I have never been comfortable with such goings on. :(
Logged

banger

  • Reg Member
  • ***
  • Posts: 765
  • Uno comms 80/20

Seems 7LM has your answer.
Logged
Tim
www.uno.net.uk & freenetname
Asus DSL-N55U and ZyXEL VMG1312-B10A Bridge on 80 Meg TTB Fibre

https://www.thinkbroadband.com/speedtest/1502566996147131655

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6263
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

thanks indeed to 7lm
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6263
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

Did I see something in one of those articles that you linked to about malefactors getting hold of a mail server even? I triedto find it again, but no luck. Maybe the drugs.

Thing is, I could not see anything funny about the headers at all. Some of the english was garbled which is what you would expect given required level of illiteracy in every evildoer. But as far as the source of the thing, it looked convincing to me.

So is it possible it was sent from a legitimate but perverted official server? Or did I just read that wrong.
« Last Edit: August 24, 2018, 07:59:08 PM by Weaver »
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3702

If the villains were just spoofing “from” or “reply to” I would expect that to be evident in the mail headers, eg as “SPF fail”.   But I think I read somewhere, on one of the trails I followed, that the emails were generated from a farm of compromised accounts. 

So far as I understand, that can effectively bypass SPF.    For example, I use Google Apps (or whatever they call it nowadays) as mail hosts for my various domains.   In order for my sent mail to pass SPF authentication I had to modify my domain DNS records to allow Google’s servers to send mail on behalf my domains.  All well and good.    But then, anybody who has stolen my Google credentials can connect to Google servers as me, send whatever spam they please, all passing SPF, as the sent spam originates from Google’s servers, as per genuine mail. :(

Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6263
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick

You must surely be right, 7LM.
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6263
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Email from:"DocuSign Electronic Signature and Invoice" - what's the story?
« Reply #9 on: September 26, 2018, 08:44:39 PM »

A vaguely similar looking email has arrived from a domain associated with Romania but claims to be @makro.co.za

It has some crap about ‘signing’ some ‘document’ and has an attached document of some sort.

I wonder if it is an attempted attack?

Quote
Return-Path: <Zainab.Savahl@makro.co.za>
Delivered-To: weaver@—weaver—.me
Received: from h-hopeless.aa.net.uk ([::1])
   by g-hopeless.aa.net.uk with LMTP id iDACLJR3q1snTAAADvaTfA
   for <weaver@—weaver—.me>; Wed, 26 Sep 2018 13:12:04 +0100
Received: from h-hopeless.aa.net.uk ([::1])
   (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
   by h-hopeless.aa.net.uk with LMTP id kGScKJR3q1vgJQAAM0EZCw
   ; Wed, 26 Sep 2018 13:12:04 +0100
Delivery-date: Wed, 26 Sep 2018 13:12:04 +0100
Received: from saturn.itpower.ro ([81.180.116.40])
   by h-hopeless.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
   (Exim 4.89)
   (envelope-from <Zainab.Savahl@makro.co.za>)
   id 1g58fi-0003j8-Pj
   for weaver@—weaver—.me; Wed, 26 Sep 2018 13:12:04 +0100
Received: from localhost (localhost [127.0.0.1])
   by saturn.itpower.ro (Postfix) with ESMTP id D8AE92105796;
   Wed, 26 Sep 2018 13:59:22 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at saturn.itpower.ro
Received: from saturn.itpower.ro ([127.0.0.1])
   by localhost (saturn.itpower.ro [127.0.0.1]) (amavisd-new, port 10026)
   with ESMTP id Dnbv4aM-7Q8T; Wed, 26 Sep 2018 13:59:21 +0300 (EEST)
Received: from [45.35.32.17] (unknown [45.35.32.17])
   (Authenticated sender: comenzi@casadecomenziacasa.ro)
   by saturn.itpower.ro (Postfix) with ESMTPSA id CED0921057C7;
   Wed, 26 Sep 2018 13:58:31 +0300 (EEST)
Content-Type: multipart/mixed; boundary="===============1963043328=="
MIME-Version: 1.0
Subject: PO - 4506363903 from MAKRO SA
To: Me <Zainab.Savahl@makro.co.za>
From: "Zainab Savahl" <Zainab.Savahl@makro.co.za>
Date: Wed, 26 Sep 2018 03:57:33 -0700
Message-Id: <20180926105922.D8AE92105796@saturn.itpower.ro>
X-Message-Linecount: 47639
X-Connected-IP: 81.180.116.40:40872
X-Body-Linecount: 47620
X-Message-Size: 3665614
X-Body-Size: 3664700
X-Received-Count: 4
X-Recipient-Count: 1
X-Local-Recipient-Count: 1
X-Local-Recipient-Defer-Count: 0
X-Local-Recipient-Fail-Count: 0
X-AA-Info: Message NOT spam scanned, as it is over 900k (3665614 bytes). 2018-09-26 13:12:04
X-AA-Info: Message ran through Aliases
X-Spam-Mark-Threshold: 3
X-Spam-Reject-Threshold: 4
X-Spam-User: weaver@—weaver—.me
X-Spam-Flag: NO
X-Resolved-To: weaver@—weaver—.me
X-Delivered-To: weaver@—weaver—.me
X-Message-Age: 2
X-SpamSubject:
X-AA-BETA: r=v_u m2= m3= m4= m5= m8= m9= reqint=30
X-AA: LMTP delivered 

You will not see this in a MIME-aware mail reader.
--===============1963043328==
Content-Type: multipart/alternative; boundary="===============1393093866=="
MIME-Version: 1.0

--===============1393093866==
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

Please refer to the attached PO document.
Please ensure that this document is signed and returned to the sender.
Any further queries kindly contact sender of this email.


 Disclaimer
 =

Massmart Ethics: Tell us if we don't do what is Right, Fair, Honest and Leg=
al. Free call 0800 20 32 46 or email Massmart@ethics-line.com (Massmart's E=
thics Line is managed confidentially by Deloitte Tip-offs Anonymous)

To view the Email Disclaimer, click on the hyperlink: Massmart Email Discla=
imer
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 23889
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Email from:"DocuSign Electronic Signature and Invoice" - what's the story?
« Reply #10 on: September 26, 2018, 08:58:33 PM »

A vaguely similar looking email has arrived from a domain associated with Romania but claims to be @makro.co.za

It has some crap about ‘signing’ some ‘document’ and has an attached document of some sort.

I wonder if it is an attempted attack?

Don't even think about attempting to open the "document". It will be a poisonous attack vector.  :(
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6263
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Email from:"DocuSign Electronic Signature and Invoice" - what's the story?
« Reply #11 on: September 26, 2018, 09:13:11 PM »

I am hoping that the document would have been neutered by the mail system if it had an executable in it. That is what my old inbound mail server was set up to do anyway. But it would probably be a Windows or DOS executable anyway and I have an iPad so no danger. Also my former windows boxes used to have SRP set up so no downloaded exes or anything saved in temp dir or anything in fact saved other than in approved directories only accessible with write permissions to admins would not be allowed to run.
« Last Edit: September 26, 2018, 09:17:37 PM by Weaver »
Logged

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 1093
Re: Email from:"DocuSign Electronic Signature and Invoice" - what's the story?
« Reply #12 on: September 26, 2018, 09:13:46 PM »

I wonder if it is an attempted attack?

Yep!
Logged
Line rental: Pulse8, Broadband: AAISP Home::1 FTTC 80/20, Mobile: id Mobile

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3702
Re: Email from:"DocuSign Electronic Signature and Invoice" - what's the story?
« Reply #13 on: September 26, 2018, 11:24:35 PM »

@Weaver, such emails must always be assumed malicious.  And you must assume the payload will succeed, regardless of what actions your mail server, or your anti-spam, might take, and regardless of whatever OS you are using.

But from previous posts I get the impression that you are quite IT literate, and you know all that, and so I assume you are joking, to provoke debate.   If so, I would advise caution, as some readers will land on threads like this, taking it at face value. :o
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6263
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Email from:"DocuSign Electronic Signature and Invoice" - what's the story?
« Reply #14 on: September 27, 2018, 05:30:18 AM »

Good advice from sevenlayermuddle. Even though I know exactly what I am doing, with thirty years experience and having worked as a security consultant, the advice always has to be just bin anything even slightly ‘off’ and do not open attachments
Logged