Friday, January 25, 2013

DocuSign Phishing Emails Loaded with Data Stealing Trojan

Professionals who use DocuSign should beware of an active phishing campaign looking to infect their computers with a data-stealing Trojan, warns antivirus firm Bitdefender.

The phishing email has been carefully crafted to appear as if it were a legitimate notice sent by DocuSign Electronic Signature Service on behalf of the administration department of the recipient’s company.

DocuSign Phishing Email
Screenshot Credit: Bitdefender

From: DocuSign Service (
Subject: To all Employees – Confidential Message

Your document has been completed

Sent on behalf of

All parties have completed the envelope ‘Please DocuSign this document: To All Employees 2013.pdf’.

To view or print the document download the attachment .

(self-extracting archive, Adobe PDF)

This document contains information confidential and proprietary to

LEARN MORE: New Features | Tips & Tricks | View Tutorials

DocuSign. The fastest way to get a signature.

If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process, you can email support.

Attached to the email is a zip file named “To ALL,” and it shouldn't be a surprise to anyone that inside the archive is a payload identified as Trojan.Generic.KD.834485.

Once it has infected a machine, Trojan.Generic.KD.834485 gets to work: it steals login credentials stored in email clients and web browsers, attempts to log into other network machines by guessing weak passwords over Remote Desktop Protocol (RDP), possibly downloads and installs additional malware (such as the infamous ZeuS/Zbot), and collects account information related to server names, port numbers, login IDs, FTP clients, and cloud storage programs.

DocuSign is aware of this email threat and has taken the courtesy of posting a warning on their website advising users that legitimate emails do not contain zip or executable files as attachments and to mouseover links to check for the or domains before following them.

Think You Received a DocuSign Phishing Email?

  • Do not download or open any attached files.

  • Hover your mouse over links to check for the legitimate or domains. (Note: This may not matter if a file is attached since real emails from DocuSign do not contain attachments.)

  • Report the email by forwarding it to

  • Delete the email immediately.
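The attachment rule in DocuSign's warning (legitimate notices carry no zip or executable files) can be checked automatically during mail triage. The sketch below is an added example, not code from the original article, DocuSign or Bitdefender; the extension list, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as archive or executable attachments (assumed list, extend as needed).
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
RISKY_MAGIC = (b"PK\x03\x04", b"MZ")  # ZIP local file header, Windows MZ/PE header


def claims_docusign(msg):
    """True if the sender display name, address or subject mentions DocuSign."""
    haystack = f"{msg.get('From', '')} {msg.get('Subject', '')}"
    return "docusign" in haystack.lower()


def risky_attachments(msg):
    """Return (filename, reason) for each archive/executable attachment."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append((name, "extension"))
        elif payload.startswith(RISKY_MAGIC):  # catches renamed files
            findings.append((name, "magic bytes"))
    return findings


def triage(raw_bytes):
    """Flag a message that claims to be DocuSign yet carries a risky attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    branded = claims_docusign(msg)
    hits = risky_attachments(msg) if branded else []
    return {"claims_docusign": branded, "suspicious": bool(hits), "attachments": hits}


def build_sample(attachment_name, data):
    """Constructed test message; the sender address and body are placeholders."""
    m = EmailMessage()
    m["From"] = "DocuSign Service <sender@example.invalid>"
    m["Subject"] = "To all Employees - Confidential Message"
    m.set_content("Your document has been completed")
    if attachment_name:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("To ALL.zip", b"PK\x03\x04constructed")))
```

The magic-byte check matters because an attachment renamed to look like a document still starts with the archive or executable header.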
