Updates & Alerts


Update 5/15/2013

DocuSign is seeing malicious phishing email attacks as of this evening. In this round of malware spam email attacks, malicious third parties are including links to non-DocuSign sites which may include malicious code or redirect to non-DocuSign log-ins. These emails are not associated with DocuSign. They are coming from an unrelated, malicious third party attempting to copy our email style and language in the hopes of fooling recipients into opening the email and clicking on the links.

Examples of the emails we have seen this evening all have the subject line “Please DocuSign this document: Payment.pdf” and include links to non-DocuSign sites. Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net.

Please remember to be particularly cautious if you receive an invitation to sign or view an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

Please remember, DocuSign’s top priority is the privacy and security of our customers’ information, documents, and data.

Update 5/7/2013

DocuSign is seeing malicious phishing email attacks as of this evening. In this round of malware spam email attacks, malicious third parties are including links to non-DocuSign sites which may include malicious code or redirect to non-DocuSign log-ins. These emails are not associated with DocuSign. They are coming from an unrelated, malicious third party attempting to copy our email style and language in the hopes of fooling recipients into opening the email and clicking on the links.

Examples of the emails we have seen this evening all have the subject line “Please DocuSign this document: Payment.pdf” and include links to non-DocuSign sites. Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net.

Please remember to be particularly cautious if you receive an invitation to sign or view an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

Please remember, DocuSign’s top priority is the privacy and security of our customers’ information, documents, and data.

Update 4/9/2013

DocuSign became aware this morning of new malware phishing emails that are being sent as if coming from the DocuSign service. These emails are not coming from DocuSign. Please do not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign's email style and language in the hopes of fooling recipients into opening the email and downloading .zip attachments. While the DocuSign Global Network and our eSignature service remain safe and secure, we are proactively notifying customers and partners of the new phishing spam so that you can take appropriate measures to protect against spam.

Examples of the emails we have seen this morning all have the subject line “Completed: Please DocuSign this document : Payroll 2013..pdf” and have a .zip attachment titled Payroll.zip:
Spam Email Screenshot

Fortunately, much of this most recent malware spam never made it to users' inboxes as DocuSign has both Sender Policy Framework (SPF) lookup functionality and DMARC enabled on our mail servers to flag and quarantine malicious spam. The combination of these technologies helps to protect from malware spam attacks. You can learn more about SPF at http://www.openspf.org/ and DMARC at http://www.dmarc.org/index.html.

DocuSign actively works with antivirus vendors to fight spam. These vendors are continually updating their software to identify, filter, and remove this and other spam and malware from users’ systems. Please be sure that your antivirus and email filtering software are enabled and up-to-date. If you or one of your users opened the malicious attachment, be sure to contact your antivirus software provider for details on next steps and remedies, and/or follow your company's procedures for such incidents.

As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com or https://www.docusign.net. Any other links within emails made to look like DocuSign system emails are insecure and unsafe. Additionally, DocuSign does not include .zip attachments in emails.

February 27, 2013 Update

DocuSign became aware this evening of new malware spam emails that are being sent as if coming from the DocuSign service. These emails are not coming from DocuSign. Please do not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign's email branding in the hopes of fooling recipients into opening the email and clicking on links and/or attachments. While the DocuSign Global Network and our eSignature service remain safe and secure, we are proactively notifying customers and partners of the new malware spam so that you can take appropriate measures to protect against spam. Fortunately, much of this most recent malware spam never made it to users' inboxes as DocuSign has both Sender Policy Framework (SPF) lookup functionality and DMARC enabled on our mail servers to flag and quarantine malicious spam. The combination of these technologies helps to protect from malware spam attacks. You can learn more about SPF at http://www.openspf.org/ and DMARC at http://www.dmarc.org/index.html.

DocuSign actively works with antivirus vendors to fight spam. These vendors are continually updating their software to identify, filter, and remove this and other spam and malware from users’ systems. Please be sure that your antivirus and email filtering software are enabled and up-to-date. If you or one of your users opened the malicious attachment, be sure to contact your antivirus software provider for details on next steps and remedies, and/or follow your company's procedures for such incidents.

As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com or https://www.docusign.net. Any other links within emails made to look like DocuSign system emails are insecure and unsafe. DocuSign does not include .zip attachments in emails.

If you believe you or your customers received malware spam email, please forward the email to spam@docusign.com and then immediately delete it from your system. More information on this and other malicious malware spam email attacks – including a screen shot of the spoof email – can be found on the DocuSign web site at http://www.docusign.com/spam.

February 8, 2013 Update

DocuSign became aware this morning of new malware spam emails that are being sent as if coming from the DocuSign service. These emails are not coming from DocuSign. Please do not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign's email branding in the hopes of fooling recipients into opening the email and clicking on links and/or attachments. While we have not received any reports from DocuSign users having received this spam and the DocuSign Global Network and our eSignature service remain safe and secure, we are proactively notifying customers and partners of the new malware spam so that you can take appropriate measures to protect against spam.

DocuSign has both Sender Policy Framework (SPF) lookup functionality and Domain-based Message Authentication, Reporting & Conformance (DMARC) enabled on our mail servers to flag and quarantine malicious spam. The combination of these technologies helps to protect from malware spam attacks. You can learn more about SPF at http://www.openspf.org/ and DMARC at http://www.dmarc.org/index.html.

DocuSign also actively works with antivirus vendors to fight spam. These vendors are continually updating their software to identify, filter, and remove this and other spam and malware from users’ systems. Please be sure that your antivirus and email filtering software are enabled and up-to-date.

As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com or https://www.docusign.net.

Any other links within emails made to look like DocuSign system emails are insecure and unsafe. Additionally, DocuSign does not include .zip attachments in emails.

If you believe you or your customers received malware spam email, please forward the email to spam@docusign.com and then immediately delete it from your system. If you or one of your users opened the malicious attachment, be sure to contact your antivirus software provider for details on next steps and remedies, and/or follow your company's procedures for such incidents.

------------

January 29, 2013 Update - Protecting Against Malware Spam Attacks

DocuSign's top priority is the privacy and security of your information, documents, and data. The Internet is a critical component to your business and to conducting business on the DocuSign Global Network. Those committing fraud seek to take advantage of trusted relationships for illegal purposes. While there is no foolproof way to prevent the unauthorized use of the DocuSign name and brand, we continuously monitor for such activity to make your DocuSigning experience safe and secure.

DocuSign strives to be a great partner and fight malware spam attacks and the malicious third parties behind malware spam. In the event that you have been impacted by malware spam email, we recommend contacting a security vendor like McAfee, Microsoft/Forefront, Symantec or others to help with any needed security support and system clean up.

You can help to combat online fraud and protect your information, documents, and data by taking the following precautions:

Enable Sender Policy Framework
DocuSign highly recommends that email administrators configure their email servers to utilize SPF (Sender Policy Framework) lookup functionality. Mail servers that utilize SPF lookup functionality will contribute to flagging and quarantining malicious spam. DocuSign leverages a best practice called DMARC which works with SPF to instruct recipient email servers how to treat malicious spam. The combination of these technologies dramatically helps to protect from malicious spam email. You can learn more about SPF at http://www.openspf.org/ and DMARC at http://www.dmarc.org/index.html.

Filter email attachments
Quarantine any emails from the Internet with potentially harmful attachments such as .zip and .exe file types.

Workstation security
Install anti-virus software and ensure it is enabled and kept up-to-date, and be sure to apply vendor recommended security patches on a frequent basis.

Education
Provide regular training to end users to identify fraudulent email and phishing schemes.

Please contact your systems security team and email administrator to encourage them to take advantage of these precautionary steps to help protect your information, documents and data.

--------------------

January 29, 2013 Update

DocuSign became aware this morning of new malware spam emails being sent as if they were coming from the DocuSign service. An example follows immediately below. These emails are not coming from DocuSign and you should not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign’s email branding in the hopes of fooling recipients into opening the email and clicking on links and/or attachments. While the DocuSign Global Network and our eSignature service remain safe and secure, we are proactively notifying customers of the new malware spam so that you can take appropriate measures to protect against spam.

Within this latest round of malware spam email attacks, the links included within the emails ARE NOT safe, secure links to the DocuSign service. As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com, https://www.docusign.net, https://na2.docusign.net or https://eu1.docusign.net.

Any other links within emails made to look like DocuSign system emails are insecure and unsafe. DO NOT CLICK these links. Examples of insecure and unsafe links that we have seen in malware spam emails to date include (but are not limited to):

http://www.lichtblick-optik.de
http://www.xeniastudio.hu/abridged/index.html
http://kozmetikapecel.hu/boxed/index.html
http://www.crofthandyreflexology.co.uk/klansman/index.html
http://kesharie.eu/treatable/index.html
http://superpowerfruits.com/fiddles/index.html
http://unterwegsinfrankreich.medianewsonline.com/sulkiest/index.html

If you believe you received malware spam email, please forward the email to spam@docusign.com and then immediately delete it from your system. More information on this and other malicious malware spam email attacks – including a screen shot of the spoof email – can be found on the DocuSign web site at https://www.docusign.com/spam.

Get helpful tips on protecting yourself from malware spam email from a recent blog post, "Protect Yourself From Online Fraud and Scams in the New Year", by DocuSign's Chief Security Officer.

example spam message


--------------------

January 24, 2013 Update

At 8:40AM PST this morning, 1/24/2013, DocuSign became aware of new malware spam emails being sent as if they were coming from the DocuSign service. An example follows immediately below. These emails are not coming from DocuSign and you should not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign’s email branding in the hopes of fooling recipients into opening the email and clicking on links and/or attachments. Within this latest round of malware spam email attacks, the links included within the emails ARE NOT safe, secure links to the DocuSign service. As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com or https://www.docusign.net.

Any other links within emails made to look like DocuSign system emails are insecure and unsafe. DO NOT CLICK these links. Examples of insecure and unsafe links that we have seen in malware spam emails to date include (but are not limited to):

http://www.lichtblick-optik.de
http://www.xeniastudio.hu/abridged/index.html
http://kozmetikapecel.hu/boxed/index.html
http://www.crofthandyreflexology.co.uk/klansman/index.html
http://kesharie.eu/treatable/index.html
http://superpowerfruits.com/fiddles/index.html
http://unterwegsinfrankreich.medianewsonline.com/sulkiest/index.html

If you believe you received malware spam email, please forward the email to spam@docusign.com and then immediately delete it from your system. More information on this and other malicious malware spam email attacks – including a screen shot of the spoof email – can be found on the DocuSign web site at https://www.docusign.com/spam.

Get helpful tips on protecting yourself from malware spam email from a recent blog post, "Protect Yourself From Online Fraud and Scams in the New Year", by DocuSign's Chief Security Officer at https://www.docusign.com/node/3952.

example spam message

--------------------

January 3, 2013 Update

Malicious third parties are continuing to attempt to spoof a variety of companies, including DocuSign, via spam email. Antivirus vendors report malicious code incidents have been increasing by as much as 3600% per week in recent weeks. While the majority of spam emails are being sent to email accounts with no association to DocuSign or the DocuSign service, some have also been received by DocuSign users. The latest spam emails contain a zip file with an executable containing malicious code that installs malware on the recipient’s computer if opened. These spam emails are not coming from DocuSign and are not related to the DocuSign service. DO NOT OPEN THE ATTACHMENT.

DocuSign actively works with antivirus vendors including Symantec, McAfee, Microsoft Forefront, and Strasburg, to fight spam. Antivirus vendors are continually updating their software to identify, filter, and remove this and other spam and malware from users’ systems. Please be sure that your antivirus and email filtering software are enabled and up-to-date to protect your systems and personal information. If you opened the malicious attachment, be sure to contact your antivirus software provider for details on next steps and remedies, and/or follow your company’s procedures for such incidents.

DocuSign continues to aggressively investigate this incident and is working with law enforcement agencies to take further action. We have received questions from customers asking how a third party obtained their email addresses. Malicious third parties most often obtain email addresses by spidering the Internet, purchasing lists, and then “phishing” for personal information via phone calls, spam emails, or fake web sites that contain malicious viruses designed to capture email directories, contacts, and other personal data.

DocuSign’s top priority is the privacy and security of our customers’ information, documents, and data. DocuSign does not sell user information to any third party. For more information, please review DocuSign’s TRUSTe certified privacy policy at http://www.docusign.com/company/privacy-policy.

Please find below the immediate steps that you should take if you think you received malware spam email. Further below please find recommendations regarding steps that IT departments may wish to take to further protect against malware spam.

Immediate steps to take if you think you received malware spam email:

  1. DO NOT OPEN any zip files or executable attachments
  2. DocuSign-generated emails don’t contain zip files or executables as attachments
  3. Contact the sender to confirm the authenticity of the signature request if you don’t recognize the sender of a DocuSign envelope
  4. FORWARD the email to spam@docusign.com to help with our forensic efforts
  5. Immediately DELETE the malicious email
  6. Ensure your anti-virus software is up to date and enabled

Steps IT departments may wish to take to further protect against malware spam:

  • Enable Sender Policy Framework (SPF) record checking: SPF is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses (http://en.wikipedia.org/wiki/Sender_Policy_Framework).
  • Filter email attachments: Quarantine any emails from the Internet with potentially harmful attachment file types such as zip and executable file types. The only attachments DocuSign will send are PDFs.
  • Workstation Security: Install anti-virus software and ensure it is enabled and kept up-to-date. Apply vendor recommended security patches on a frequent basis.
  • Education: Provide regular training to end-users to identify fraudulent email and phishing schemes.
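
The checks these notices describe (the link host, the attachment type, the receiving server's SPF/DMARC verdict) can be applied to a message automatically; the following is an added example, not DocuSign's code. It goes one step beyond "starts with" by comparing the parsed hostname, because a plain prefix comparison also accepts a host that merely begins with www.docusign.net. The sample message, the `*.example` names and the function names are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Link hosts the notices name as genuine; attachment types they say to quarantine.
TRUSTED_HOSTS = {"www.docusign.com", "www.docusign.net",
                 "na2.docusign.net", "eu1.docusign.net"}
BLOCKED_EXT = (".zip", ".exe")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message (not a real capture); *.example names are placeholders.
SAMPLE = """\
From: "DocuSign" <dse@sender.example>
Subject: Completed: Please DocuSign this document
Authentication-Results: mx.corp.example; spf=fail; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Review: https://www.docusign.net.login.example/Signing/
Help: https://www.docusign.com/support
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Payroll.zip"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def link_is_trusted(url):
    """Compare the parsed scheme and hostname, never the raw string prefix."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and (parts.hostname or "").lower() in TRUSTED_HOSTS


def triage(raw):
    """Return findings for one message given as RFC 5322 text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Only rely on the Authentication-Results header your own mail server added.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    findings += [f"{c} did not pass" for c in ("spf", "dmarc") if f"{c}=pass" not in auth]
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXT):
            findings.append(f"blocked attachment: {name}")
        if part.get_content_maintype() == "text":
            findings += [f"untrusted link: {u}" for u in URL_RE.findall(part.get_content())
                         if not link_is_trusted(u)]
    return findings
```

Calling `triage(SAMPLE)` returns four findings: the failed SPF and DMARC results, the lookalike link, and the .zip attachment; the genuine https://www.docusign.com link is not flagged.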

More information will be posted here as it becomes available.