12-14-2012 12:44 PM
Jdmc – Thank you for your follow up post. Our apologies for not getting back to you sooner. We updated the communication at www.docusign.com/spam with more details to reach as broad an audience as possible. We are continuing to investigate the spam incident and are aggressively working with law enforcement agencies to take further action.
From our investigation, 85%+ of the forwarded emails to email@example.com and calls to our support team regarding this spam incident have been from individuals who do not have a DocuSign account. Like your question above, we have received questions from others asking how a third party may have obtained their email addresses. Malicious third parties most often obtain email addresses by spidering the Internet, purchasing lists, and then “phishing” for personal information via phone calls, spam emails, or fake web sites that contain malicious viruses designed to capture email directories, contacts, and other personal data. Even in the case of an email that is used only for a specific purpose, like your DocuSign account, that email is susceptible to these sort of "phishing" scams as noted by Frank.
The security and privacy of our customers' documents, personal information and data are our top priority. Our investigation thus far has shown that the DocuSign eSignature network has been and remains secure.
We'd be happy to speak further with you to talk through any additional security and privacy concerns. If this would be of interest, please send us an email (firstname.lastname@example.org) with your contact info. Thanks.
12-14-2012 01:35 PM
Malicious third parties most often obtain email addresses by spidering the Internet, purchasing lists, and then “phishing” for personal information via phone calls, spam emails, or fake web sites that contain malicious viruses designed to capture email directories, contacts, and other personal data. Even in the case of an email that is used only for a specific purpose, like your DocuSign account, that email is susceptible to these sort of "phishing" scams
Speaking in general, what you say is true. But that's not how anybody got their hands on the unique email address with which I created my DocuSign account on August 11 of this year. I have never used or disclosed it anywhere except when creating the account. I probably logged into the DocuSign website a couple of times with it, but I've never received any DocuSign phishing emails, and I've never actually used DocuSign's services. I have an information-technology background and am highly attuned to phishing attempts. There is NO WAY my uniquely-created DocuSign email address could have fallen into the hands of spammers except by being leaked from DocuSign's data systems. Period.
There is plenty of reason to believe that the email addresses of a great many other DocuSign account-holders were also leaked, but because those email addresses were not uniquely created for DocuSign, the affected users have no way of knowing where those addresses were leaked from. This is the primary reason for creating unique single-use addresses in the first place: it makes data breaches traceable to the source. That is exactly what has happened here with DocuSign.
The fact that I created my DocuSign account, and the unique single-purpose email address associated with it, on August 11 tells us that the DocuSign data breach happened after that date. I suggest you focus your investigation accordingly.
12-14-2012 02:00 PM - edited 12-14-2012 02:13 PM
I realize that many people reading this thread may not understand what I mean when I talk about creating "unique single-use email addresses", so let me explain.
I own multiple Internet domain names. Let's imagine that one of them is "mydomain.com". First, what I do is set up "catch-all" email service on that domain. This means that an email message sent to any address in that domain (email@example.com) gets delivered to me.
Once I've done that, it's easy to create arbitrary, unique, single-purpose email addresses, on the fly, whenever I want to. For example, if I set up an account at Amazon.com, I can use the email address "firstname.lastname@example.org". If I set up an account at the New York Times website, I can use the email address "email@example.com". I can even encode a date-stamp into an address if I want to know when I used it. For example, if I fill out an online survey somewhere today, I could provide the email address "firstname.lastname@example.org", where the "12z14" is code for today's date, December 14, 2012.
Again, because the email handling at my domain is set to deliver messages to me regardless of the part of the address before the "@" sign, I don't have to manually add all the ad-hoc special addresses that I create. They all get delivered automatically.
One benefit of doing this is that if I find at some point that I'm receiving spam at some address in my domain, I can simply configure my email service to reject or discard any messages sent to that address. Kaboom, no more spam.
Another benefit is that if I begin receiving spam at an address that I created specifically for a particular service or website, and which I never used or disclosed anywhere else, I know that the address was somehow leaked from (or sold by) that service or website. Over the past ten years, it's been quite fascinating to watch what services and websites this has happened with.
This is exactly the process that has revealed to me that DocuSign leaked the unique address that I provided when I created my DocuSign account.
12-14-2012 02:46 PM - edited 12-14-2012 04:17 PM
01-24-2013 12:08 PM
I just received a phishing type email delivered to my unique single use email address specifically created and only used here on DocuSign. I just called customer support who, after keeping me on hold for 15 minutes before I ever spoke to anyone, did ABSOLUTELY NOTHING to reassure me that my information and or my client's information on the company servers is safe or secure.
It clearly is a SECURITY BREACH AT DocuSign. I read the lame attempts to point the finger elsewhere but I am here to tell you that the breach wasn't on my end either. I have top of the line security software on my system and watch it like a hawk. I know which of my vendors have been hacked using similar techniques as jdmc. I expect it from most but not from banks and not from those who built their business based on digital identity verification. The email address that I use with DocuSign is a standalone POP account and not a forwarding account. That is what I do for vendors that I plan on using for a long period of time.
My trust in DocuSign has been shaken and feel as though I may no longer be able to remain a customer. I mentioned that to the nice Indian woman who answered the phone. She didn't know what to say other than to forward the email to email@example.com. Knowing that you are using an Indian service to handle customer service tells me they have access to our information and there are many ways to breach an extended network.
01-24-2013 03:02 PM
I am getting these on both my accounts, each a different email address that are aliases to my own domain. Docusign = Compromised.
X-Originating-Ip: [220.127.116.11] Received: from SEFE69.seaprod.com (unknown [192.168.72.11]) by mailsea.docusign.net (Postfix) with ESMTP id H9WEL4VLT9B9 for <<xxx>>, <XXXX>>; Fri, 25 Jan 2013 01:24:48 +0700 X-DKIM: Sendmail DKIM Filter v2.8.2 mailsea.docusign.net 8EWPLBUCZMUM Received: from docusign.net ([127.0.0.1]) by SEFE19.seaprod.com with Microsoft SMTPSVC(7.5.7601.17514); Fri, 25 Jan 2013 01:24:48 +0700 Sender: DocuSign System <firstname.lastname@example.org>
Received-SPF: neutral (google.com: 18.104.22.168 is neither permitted nor denied by best guess record for domain of email@example.com) client-ip=22.214.171.124; Authentication-Results: mx.google.com; spf=neutral (google.com: 126.96.36.199 is neither permitted nor denied by best guess record for domain of firstname.lastname@example.org) email@example.com
Message-ID: <54CV0R3S99T79PQVCP12IVL9B6L72Q@docusign.net> Date: Fri, 25 Jan 2013 01:24:48 +0700 Subject: Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf
<p>Sent on behalf of <a class="LinkStyle" href="http://188.8.131.52/turnround/index.html">DocuSign Support</a>.</p>
It was redirected to this site which I'm still investigating. Appears to affect Chrome. So don't click it. 14.sofacomplete.com h00p://14.sofacomplete.com/chrome/
01-25-2013 11:31 AM
Thank you for your post in the DocuSign Community. We apologize for the 15 minute delay in speaking with you over the phone. Let me assure you that the security and privacy of our customers' documents, personal information, and data are our top priority, and that our forensic investigation has confirmed that the DocuSign eSignature service and our customers' documents, personal information and data are and remain secure.
From the first malware spam attacks late last year to the most recent attacks this week, DocuSign has and continues to aggressively investigate and work with both antivirus software providers and law enforcement agencies to take appropriate action.
We have received questions from individuals asking how a third party may have obtained their email address. Malicious third parties most often obtain email addresses by spidering the Internet, purchasing lists, and then "phishing" for personal information via phone calls, spam emails, and/or fake web sites that contain malicious viruses designed to capture email directories, contacts and other personal data.
DocuSign has taken immediate actions to protect both customers and non-users of our eSignature service from these malicious third parties, including:
* DocuSign immediately assembled our internal security team and launched a forensic investigation.
* We notified users of the potential of spam attacks via docusign.com, docusign.net and email.
* We contacted antivirus vendors including Symantec, McAfee, Microsoft Forefront, and others, along with law enforcement agencies, to notify them and enlist their support in fighting spam.
We have noted the following steps in our communications that you can take to protect against spam:
* DO NOT OPEN any zip files or executable attachments, or click on any links within DocuSign branded emails that go anywhere other than https://www.docusign.com or https://www.docusign.net
* FORWARD any suspicious emails to firstname.lastname@example.org to help with our forensic efforts
* Immediately DELETE the spam email
* Ensure your antivirus software is up to date and enabled
Also, ensure your spam filter look-up is turned on so your mail server checks that the originating IP address is actually owned by the sender. You may also check https://www.docusign.com/spam for ongoing updates related to malware spam email. Again, thank you for your post and our apologies for the delayed experience you received over the phone.
01-25-2013 12:02 PM
I see that DocuSign's official response to this issue -- namely, to deny that any data breach has taken place -- hasn't changed over the past six weeks. Since MRider is still posting the same party line, I will refer readers back to my earlier post in this thread demonstrating the inadequacy of DocuSign's attempt to explain away the clear evidence of a breach.
01-25-2013 02:30 PM
I agree, 'no security breach' does not explain how I would receive a targeted attack sent to both of my accounts used for signing a doc in the same email. There is no random or a lucky guess. I am new user as of mid Aug 2012. Sure this could be spun for users of free and work email domains but not for system admins of their own domain/networks. I’ve setup mail aliases to catch leaks just like this.
If there is no evidence of internal network breach then you should be looking for a man in the middle attack. Maybe investigating your own IT staff (anyone recently let go) for leaking/selling your user list. Neither of those methods would show up in your security logs.
Other leaks not detectable: Docusign outsourcing the marketing data for update notifications and advertisements to a 3rd party. Outsourcing your email service to another company (spam, AV filtering, proxy services). A compromised server in the same data center could be data sniffing unencrypted traffic or has collected enough raw packet data to brute force the secure connection. Backup servers or tapes located at different locations. Recycled equipment like hard drive arrays. Someone with admin rights could cover up the breach because job security in IT doesn’t exist. I am only posting these ideas to make a point. These have a far better chance to be true than someone randomly guessing the email address I used was linked to signing a document. Passing the buck on this isn’t going to suffice. There are too many users affected that do not fall into the category of uninformed users.
The only other explanation in my case is the 3rd party user at the time of the document signing was compromised. That would mean a majority of everyone else targeted was also using Redfin. Any other suggestion of the ‘not us’ answer is too much of a massive coincidence.
Using SPF/DKIM records does nothing but bump up the spam score; unless emails are being rejected that fail tests. That’s not very realistic as many other mail servers do not support or enforce DKIM or SPF records. The scores for positive spam could be beaten to allow this email through. This does absolutely nothing if the attacker is using a valid email account that’s been compromised or an MTA exploited via the loopback address. If the attacker didn't get my address in the first place, it wouldn't be an issue. BTW I use DKIM and SPF. I caught this watching for false postives in the spam box. Interesting nothing in my catch all or any other of my domains I use, not a random guess.
That server was hosting a Kryptik.Trojan payload. It’s setup to trick you to install an update of your web browser. It has now been flagged as a phishing site. The refer site seems to be having some connectivity issues...
01-25-2013 02:55 PM
In addition if Docusign was serious about catching or at least helping to shut the culprits invloved, they would be asking for the full headers of the phishing email. Anytime you forward an email via SMTP the original header are lost. That means forwarding the email does nothing but confirm another user got one of these and they can identify an IP hosting a file. The data of the sending IP is not being collected or how it was sent. These IP's could be posted to blocked list or turned over to authorites for futher evidence. Then again it's not Docusign's problem right?
How to identify and view mail headers in common mail providers.