DocuSign email address database breached and used for phishing campaign (docusign.com)
343 points by runesoerensen on May 16, 2017 | 137 comments



This is the exact reason I started building Breach Canary[0], so that businesses can be alerted as soon as their user data is used in a way they wouldn't expect it to be. We produce authentic users with real working email addresses and phone numbers, so that as soon as they are contacted, you know someone has a copy of your userbase and is using it for reason x.

We have already started seeing a tonne of DocuSign phishing emails as others have mentioned. They were already a popular target for phishing users but now with very realistic documents the users are expecting? Nightmare.

[0] https://BreachCanary.com


Sounds like "Have I Been Pwned?"[0] which I have been using to identify which addresses were hacked/sold. Together with a unique email address per site registration, which all get captured by a catch-all on my domains, I have some information on which addresses are compromised.

[0] https://haveibeenpwned.com


To do something similar as an individual, I highly recommend 33mail.com [1], which provides a generous free tier, and lets you supply arbitrary <companyname@yourdomain.33mail.com>. As well as knowing where a leak originated, you can easily block any inbound email address if it is being abused.

Not affiliated, just a happy long-time paying customer.

[1] http://33mail.com/rj37w3


I don't know what the HN policy on referral links is, but here's a link without affiliate tracking:

http://33mail.com


That isn't strictly affiliate tracking, but yes, if you're uncomfortable with 33mail.com knowing you came from HN, don't click ATsch's link, but copy and paste it instead.


I do the same without using 33mail. I have my mail hosted on zoho mail, which gives me infinite aliases that get redirected to my main address, and in case I ever need to forward a mail from an alias I can create a new address with that alias, use it and then delete it. So when I register to a new site I usually input <sitename>@mydomain.com and then, if I want, I can create a filter to sort them automatically.


If you set up a catch-all for your domain, then you don't even need to create addresses unless you need to reply from that address.


You don't need to 'create' addresses there either, it's a catch-all on your personal subdomain, but with one-click blocking.


Me too. Any new email address is

businessname@mydomain.io

Already caught a few selling my info


What do you do after you catch them? Is there any place to report them, maybe depending on which country they are based, or you simply stop doing business with them?


Same. Particularly interesting when you start getting spam to massiveCreditReportingCo@mydomain.com, or who sends mail to boughtaNewCar@mydomain.com after giving that address at the car dealership.


I presume canary is an established term in this context but since I don't know what it is I don't understand your service. It sounds good though.


It comes from the canary birds in the coal mines or in submarines[0]. They have a higher sensitivity to CO than humans. This is now part of the common language to say that you sacrifice an animal or "something" to get early warning of something possibly more dangerous.

[0]: https://en.wikipedia.org/wiki/Sentinel_species#Historical_ex...


Just wondering, what exactly is being sacrificed in this specific case?


It is artificial users; when their data is used, it means your privacy has been breached. In a way a canary is not just a sacrifice but a transparent sacrifice.


Fake users


Apologies, you're right, it's not really covered as it's a bit of a niche industry term. It relates back to the days of coal mines, and the birds being used as an early warning system - https://en.m.wiktionary.org/wiki/canary_in_a_coal_mine


I wouldn't call it a niche term, maybe in the context of calling something a canary, but the term canary in a coal mine is a common idiomatic expression in American English, at least in the mid-west.


Canaries were used in mines to signal pockets of unbreathable gas; they would die before the humans, giving them an opportunity to escape.

Canary has developed into a standard term for warnings which detect the danger, allowing mitigation, as opposed to predicting the danger, which would allow avoidance.


> Canary has developed into a standard term for warnings which are detecting the danger

More succinctly, a canary is an early warning system.


This is exactly what I was trying to avoid saying: what kills a canary kills a human, yet fire isn't always what triggers the fire alarm.


It's a reference to the canaries that were used in coal mines to detect carbon monoxide. Since then 'canary' has been used to refer to early warning systems.

https://en.wikipedia.org/wiki/Sentinel_species



Gorgeous design! Nice to see some cheery bright colors for a change.


The second Get early access box says 'Entry your e-mail address' instead of 'Enter'.

Looks cool though, I subscribed to the list.


Thank you, I'll fix that now :) Serves me right for rushing out a landing page, after reading all the "you should start marketing yesterday" comments on startups!

Edit: fixed


Did you mean "And relax" in your how it works steps?


I do! Well spotted, I'll fix that one shortly

Edit: fixed :)


I'm not sure DocuSign has a full handle on what happened here yet. I received six (6) DocuSign emails, half of which used a convincing subject derived from actual DocuSign documents I have signed or processed through the system. Perhaps a coincidence? Or these hackers gained access to more than just "email addresses".


Hmmm yes I have received a few and if I recall, some of them had titles very similar to docusign documents I was previously sent.

Exact titles similar to this: "Accounting Invoice 630761 Document Ready for Signature"


The postmortem states that the phishing campaign used only a few patterns.

"Delete any emails with the subject line, “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”. These emails are not from DocuSign. They were sent by a malicious third party and contain a link to malware spam."

Did you receive phishing with other subjects?


As a general rule, if you receive an email referencing wire transfers, it's probably bogus.


Given the ratio of spam to ham, as a general rule every email is probably bogus.


You'd think that, but I never seem to get spam bug reports or feature requests. Always sex, drugs or money related, it seems.


Now you've just given me new, horrifying, nightmares of the future.

----

Feature Request: Your software does not make it easy to buy drugs, money, or sex as buydrugsmoneyandsex-dot-com does. Please implement buydrugsmoneyandsex-dot-com functionality by directing users to that website through our affiliate link program: http://preview.tinyurl.com/2tx


At my work we too have received dozens of phishing emails purportedly from DocuSign. Most are getting caught but a few are making it to people's inbox. Which is terrible because a lot of my coworkers use DocuSign and think nothing of clicking on a link in one of these rather convincing emails.


As a real estate agent DocuSign is used immensely. Not just by agents, but the documents are sent to customers and clients who are probably more susceptible to these types of scams. Sigh.


Wife and I just closed on our home - good thing this didn't happen DURING the process as we got a ton of DocuSign requests.


I am skeptical as well. I feel like the standard procedure these days is for a company to acknowledge that their security has been compromised but that the breach was limited to only non-sensitive data.


I'm not an expert but once you are breached I feel it's very difficult to be sure what was or was not accessed. Maybe if the system breached was air-gapped or completely third-party (e.g. a mail list provider) you can safely say "no personal information" was accessed but as a user, my trust in DocuSign is now lower no matter what they say.


I agree on both points.


In my opinion they're doing well taking responsibility like this and communicating honestly and openly. You can always disagree on how far the openness should go, but I've seen far less openness and far less communication (as in approaching zero), so they deserve some credit doing it this way.


Thanks Every Employer I've Had In the Past 6 Years For Putting My Email In A Service I'd Never Want Otherwise.

Also Thanks Me for just using docusign w/ our employees when I was in charge.


I strictly started handing out "companyname@mypersonaldomain.tld" as email when interacting with companies. That at least makes routing the inevitable spam to the trash bin slightly easier when a breach occurs. It also provides an indicator of who has (in)voluntarily given away my data.


I've been doing this for a while. It's especially interesting when giving it to a representative in person; some people will refuse to enter it in their systems. I've also had one webform reject it outright. Lately I've started just using random words to get around this awkwardness and make my pattern less predictable. When I get the first email from that company (often happens within minutes) I just give it the actual company's name as an alias in my client.


AliExpress does this, they don't accept "aliexpress@foo.bar". I suppose it's meant to stop you from providing "foo@aliexpress.com", implemented lazily by rejecting anything that contains the substring "aliexpress".

Best response I've received when giving an email address of the form "company@mydoma.in" to a representative in person was "oh you work here too?". The concept of catch-all domains is so foreign to most laypeople that it takes quite some explaining ("I get everything that's sent to any address at that domain", "no it's not expensive at all", "it helps me automatically sort my email").


A catchall on my domain was all fun and games till the second dictionary spam run.


I've heard that being a problem, though I've never had that issue using a sub-domain for the catchall (company@sub.domain.tld).

Some sites refuse to accept email addresses with more than one "." after the "@" but figure if they don't understand email addresses I don't want to trust them with my details (even throw-away ones) anyway so go elsewhere.


Gmail allows you to do extension addresses like "myname+company@gmail.com", which I've used since switching away from my own mail server where I did the catch-all. Some places are rejecting "+" in the address though. I was trying to give one to Dell and the tech I was talking to told me the system wouldn't accept the address, but that the "+dell" was just an extension "so can I put it in without that?"

The combination of them knowing that this was valid and just wanting to strip off the extension kinda blew my mind for some reason.


I can confirm exactly this. I started with a root catchall on my personal .com (~15 years ago), and it was quickly overwhelmed with dictionary spam. Switched to a subdomain catchall, and haven't seen a dictionary run since.

Picking a short preposition for the subdomain can even help when you have to communicate the email to a clueless phone rep: "That's right, it's yourcompany@for.myname.com"


Lots of sites also strip the "sub." part from the domain. I have no idea why they think this is a good idea, but a friend of mine does this and he's got at least ten companies in his main domain's alias table because they silently stripped the "sub." part.


The way I get around that is by having a static keyword that must also appear on the user side of the email address.

So, if I'm dealing with Walmart, I would give them:

[keyword].walmart@example.com

or

walmart.[keyword]@example.com

Then I configure my catch-all settings to reject any email addresses that don't have that keyword.

Of course, the keyword is not secret, so it's possible for someone to infer what I'm doing and construct an email address that passes my spam check, but in practice, nobody goes through the trouble, because I'm not a big enough target.
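The keyword-on-either-side rule described in this comment, written out as a catch-all filter plus a small "who leaked my address" tally. This is hypothetical example code added for this thread, not any mail provider's software; the domain, keyword and log lines are constructed.

```python
"""Catch-all alias filter for addresses of the form
   [keyword].site@example.com   or   site.[keyword]@example.com
Hypothetical code written for this thread, not any mail provider's software.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

DOMAIN = "example.com"   # constructed domain
KEYWORD = "k7q2"         # constructed keyword; as the post notes, it is not a secret

# Site tags are restricted to simple tokens so nothing odd ends up in filters or logs.
TAG_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,62}$")


@dataclass(frozen=True)
class Verdict:
    action: str           # "accept" or "reject"
    tag: Optional[str]    # the site name recovered from the alias, when there is one
    reason: str


def classify(rcpt: str, domain: str = DOMAIN, keyword: str = KEYWORD,
             burned: frozenset = frozenset()) -> Verdict:
    """Decide whether a catch-all recipient is one of our keyword-tagged aliases.

    The keyword may sit on either side of the dot; the other side is the site tag.
    Everything else is rejected, which is what blunts dictionary runs at the catch-all.
    """
    local, sep, dom = rcpt.strip().lower().rpartition("@")
    if not sep or dom != domain:
        return Verdict("reject", None, "not our domain")
    parts = local.split(".")
    if len(parts) != 2 or keyword not in parts:
        return Verdict("reject", None, "keyword missing")
    tag = parts[1] if parts[0] == keyword else parts[0]
    if tag == keyword or not TAG_RE.match(tag):
        return Verdict("reject", None, "malformed tag")
    if tag in burned:
        return Verdict("reject", tag, "alias burned")
    return Verdict("accept", tag, "ok")


RCPT_RE = re.compile(r"to=<([^>]+)>")


def leak_report(log_lines, **kw) -> Counter:
    """Tally accepted/rejected recipients per site tag from MTA-style log lines.

    A tag that suddenly shows up in volume from unexpected senders is the
    'who lost my address' signal the thread is after.
    """
    counts: Counter = Counter()
    for line in log_lines:
        m = RCPT_RE.search(line)
        if not m:
            continue
        v = classify(m.group(1), **kw)
        counts[(v.action, v.tag or "-")] += 1
    return counts


# Constructed sample log lines, loosely in Postfix's "to=<...>" style.
SAMPLE_LOG = [
    "May 16 09:01:02 mx postfix/smtpd: to=<k7q2.docusign@example.com> from=<x@bulk.test>",
    "May 16 09:01:03 mx postfix/smtpd: to=<k7q2.docusign@example.com> from=<y@bulk.test>",
    "May 16 09:01:04 mx postfix/smtpd: to=<walmart.k7q2@example.com> from=<z@walmart.test>",
    "May 16 09:01:05 mx postfix/smtpd: to=<admin@example.com> from=<w@dictionary.test>",
    "May 16 09:01:06 mx postfix/smtpd: to=<k7q2.k7q2@example.com> from=<q@dictionary.test>",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(RCPT_RE.search(line).group(1)))
    print(leak_report(SAMPLE_LOG, burned=frozenset({"walmart"})))
```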


Yeah, I wound up using name-tag@domain, but because I used a dash rather than plus, I'm forever doomed to run my own mailserver.

(fwiw, this domain is almost 20 years old, so that's forever in internet years)


I use my domain with FastMail, they support aliases and catch-all and lots of other nice things on custom domains. They also do DKIM, SPF, etc. So you don't have to run your own mail server if you don't want to ;)

https://www.fastmail.com/help/receive/domains.html

https://www.fastmail.com/help/receive/domains-setup-mxonly.h...

https://www.fastmail.com/help/receive/alias-catchall.html

https://www.fastmail.com/help/receive/addressing.html

https://www.fastmail.com/help/receive/domains-advanced.html


Fastmail uses a +, I use a -. So, either I'd have to go in and alias all of them, or give up on the useful ones.

Besides, there are 30 or so that I have black holes, from back when comment systems leaked email addresses.


Sounds vaguely like the way email addresses work in Ender's Game - typically, all mail would go to user%SECRET@server, and if you don't know SECRET, the email presumably bounces.


I haven't had any issues with that and I've been using a catch all setup for about 7-10 years. Most spam arrives on the actual primary email address.


This was a while back, and I'm guessing that now there are enough gigantic lists of verified emails that the technique lost its minimal rate of return.

It was a massive headache at the time tho.


>>> I suppose it's meant to stop you from providing "foo@aliexpress.com", implemented lazily by rejecting anything that contains the substring "aliexpress".

Most likely it is to stop you from making an address with "aliexpress" in it, so you don't look like you are affiliated with aliexpress in any way (think: phishing).


They often ask me: do you work for <company> too?


or "you can't have that email address, that's our company's name."


I've done similar with a catch-all sub-domain for years. It does mean that my mail server sees a lot of junk activity as some email lists out there have many addresses in that sub-domain on them, but at least they are easy to filter out.

Some sites refuse to accept email addresses with more than one "." after the "@" but I figure if they don't understand email addresses I don't want to be trusting them with my details, even throw-away ones, anyway!

Unfortunately I was added to docusign by someone else who gave them my main address...


Yeah, I should stop being lazy and host a personal domain again. It just is such a bad situation these days. Either you:

1. Pay a reasonable rate for a full time server in services that are just truly awful, have no redundancy options, and are associated with a lot of unsavory activity or...

2. You pay a totally unreasonable rate to host it in a more reputable cloud service.

3. You run it out of your home or office and deal with your locale's internet. In my case (California Bay Area) it's bad.


I do the same thing as Xylakant, but my email all goes through gmail (which has its own problems and caveats, but has the advantage of being free beyond the domain name registration.)


I host my email at runbox, but many other providers offer catchall on custom domains. No need to host your email yourself.


I do the same with Gmail, just add + at the end (as in username+docusign@gmail.com). Of course this has the drawback of some sites being too restrictive with their checks for valid emails and not allowing the + character.


If I were a spammer I'd loop through my email address list and strip out + and anything between it and @


Actually most of the web sites do not accept the + character.


Actually my experience is the opposite :)


The other disadvantage is that it's trivial to infer the true username from that pattern in an automated fashion.


Yep, it's not foolproof but it's better than nothing. And considering that the number of people using it aren't that many (I guess) spammers wouldn't bother


I do that too; so far Adobe, Dropbox and LinkedIn are my only real sources for spam (due to each of these being hacked). And oddly the occasional spam to an alias I used for the crypto-discuss mailing list.

One additional twist: I keep my site-specific aliases on a short sub-domain (for now service-or-tld@s.mytld.com). If I feel the need in the future I can burn down the whole sub-domain, exchanging s.mytld.com for e.g. m.mytld.com.


A co-worker got a trademark infringement notice when he used companyname@hisdomain.tld to interact with a particularly litigious software company. They assumed he was a reseller and was representing himself to others using the same email address.


I love their reaction when I say their company name then pause


I only met docusign in a brief spell and vaguely remember it looked like some kind of borderline scam for enterprise security checklisters.

How does clicking a link from an email prove identity? How does it work?


>How does clicking a link from an email prove identity?

Most of these document signing services, as you point out, don't prove identity. They provide a more convenient simulation of the "download, physically sign, scan and return, a pdf document" process. Which doesn't prove identity either.

Personally, I appreciate the shift. It's just as silly, but less cumbersome.


At least they didn't ask you for ransom of 1 bitcoin. lol

Joking aside, this is an inevitable event and we just have to be cautious and ready when it does happen.


Looks like it took them about six days to figure out why their customers were getting spammed. It'd be helpful if they could outline what the "non-core system that allows us to communicate service-related announcements to users via email" actually was. Was this a Mailchimp account that got hacked into or did they have something they managed?


I had the same impression. Pretty sure it was their MailChimp (or similar service) account.


Yeah or an api key leaked


Emails and email addresses are very different in the context of DocuSign. The former includes the text of contracts. The latter is just a list of people who have ever given or received a job offer.


I have also used DocuSign to buy a house and receive stock options. It's used all over the edges of the legal system.


Someone asked me to pay a bill using docusign and entering my credit card information into one of those free text boxes. They couldn't understand why I refused to do it.


Apparently it's as safe as entering credit card details into another online merchants form who is PCI compliant. https://support.docusign.com/en/answers/00004343


It doesn't really spell out, though, how they differentiate CC info and avoid storing it with the rest of the data in the pdf form. There's just some hand-wavy language about "Bank-grade Security". I suspect this means they store the CC data, which would be significantly different from how most online merchants operate.


As someone who has worked on a similar product, I would imagine they only store a token given to them by their payment gateway. The actual CC information is held by the PCI compliant payment gateway, while Docusign can use the token to charge a card without storing compromising information.


Would be good if that were spelled out though. From the outside, you click a link and see a pre-filled PDF, as both the end user and the person that sent the form. There's no obvious magic that it's auto-detecting cc like data and storing it differently than the other fields in the pdf.


With credit cards, you personally do not have much to worry about, since your card issuer holds the ultimate liability for any fraud that occurs. Just be careful to use a credit card (attached to a reversible ledger) and not a debit card (attached to a less-reversible cash account).


This is not an accurate description of the difference between credit cards and offline debit cards with regard to disputed transactions.

In both cases, fraud disputes are handled in the same way. Either the issuer or the account holder suspects fraudulent transactions and the bank engages an investigation in order to determine veracity of the claim.

Where things differ is that the onus of proof for credit card accounts is on the merchant to prove the transaction is legit. When an offline debit card is used, the funds are deducted from the account when the merchant captures funds and, therefore, the onus of proof lies with the card holder to prove it is fraudulent.

Liability, in this context, is a non sequitur, as fraud claims exist in either scenario and one party or the other must provide proof to support their position. The other, by definition, is responsible for said funds.

I'm not really sure what you mean regarding "a reversible ledger", as this has nothing to do with credit card transactions.

EDIT: clarified liability phrasing.


It's not really that simple either. For the US, there are different paths for liability limits, reporting periods, etc, for the different combinations of credit vs debit and card-present vs card-not-present and Visa vs Mastercard. The rules are a mix of various consumer laws like "Truth in Lending" as well as Visa and MasterCard policy. There are areas where Visa and MC differ in policy.

Your note about "onus on proof lies with the cardholder" is less true for Visa, for example.

The best resource I've seen is this one: https://www.minneapolisfed.org/~/media/files/about/what-we-d... See pages 6 through 18.


Are you sure? I don't know how credit card companies in the US behave, but here in the Netherlands I called up mastercard to ask them whether I am liable for any fraud that occurs if I do something like this (or send credit card info over email, like so many hotels want). The credit card company tells me, yes I am liable for any fraud that occurs, because email and unencrypted text boxes on websites are known to be insecure, and so it can be argued that it's my own fault if credit card fraud occurs.



In AUS it's much like chatmasta says: if it's a CC linked to a true "credit" account, the issuer has the value entirely underwritten. If you can reasonably prove that someone stole it, for example, then you'll get your money [credit] back.

If it's linked to a savings account and it's a Visa/MC debit card, for example, then it's a different story. The funds are not insured and so if you lose it it's on you.


Even if the credit card company decides to hold you liable, you're still better off, because they have to follow court procedures and get a judgment against you before they can actually take your money.

With a debit card, the money is just gone and the burden is generally on you to find some way of recovering it from whoever stole it.


>>> With a debit card, the money is just gone and the burden is generally on you to find some way of recovering it from whoever stole it.

Not true. Not in Europe.


I recently had to do this (my gym had a data breach), it took over 3 months to get my money back and god knows how many hours and phone calls.


Whilst technically true, in the United States, the pain, hassle, time, and heartbreak remain. And are uncompensated.


Thanks, I've updated the title to specify user email addresses to avoid any confusion


Sure they're different but make no mistake: emails being breached are a big deal! This is an appropriate response https://twitter.com/troyhunt/status/864315287092342785


As troy hunt himself wrote... https://www.troyhunt.com/im-sorry-but-your-email-address-is-...

This is annoying but not a big deal or a privacy breach, DocuSign is so prevalent your email being in there means basically nothing.



This incorrectly assumes it's much more valuable to only spam people with access to a service than just a list of people, and I doubt that holds in practice


Read the comment again. It's about phishing specifically. Not generic spam. And it absolutely holds in practice that interaction rates go up for phishing messages when the user has a legitimate account with the service being impersonated.


I fail to see how slightly wider dissemination of a bit of info I post publicly on my profile at this very web site constitutes a privacy or security risk to me.


Well, that is you. Others just might be quite a bit more careful. Or is that inconceivable for you?


Maybe you have a relative or loved one who doesn't get much spam or phishing?


Then let's hope your phishing detection skills are up to par.


Emails from DocuSign do not contain the text of the contract. They contain a link to the contract and its text. I've signed a bunch of contracts via DocuSign and that's the consistent pattern I've observed.


Job offer? DocuSign is used for all kind of things.


> Ensure your anti-virus software is enabled and up to date

Uh, really, endorsing antivirus? They could at least have written something like "Ensure your system is properly secured" if they felt they need to stress that out.


And ~90% of the recipients would think "ensure my system is properly secured? How the heck do I do that?"


Well, at least now they are THINKING about how they might do that rather than relying on the mystical protection spell of antivirus, which usually reduces the security posture of the machine.


Ok, they deserve credit for openness, definitely.

Is it just me that feels this way, or should they not also apologize for the leak (which appears to have been from one of their systems)? I didn't see an actual apology.


It amazes me that Facebook allows you to get pgp encrypted emails delivered from them[1], but docusign, a company whose only job is secure document signing via secret links in an email, does not.

[1] https://www.facebook.com/notes/protect-the-graph/securing-em...


Been receiving phishing mails for this myself and I highly doubt this has just been about email addresses, as the mail subjects contained titles of signed documents.


Since there are now many occurrences of data breaches out there, I cannot stress enough the importance of a password manager and diversifying your passwords.

This one I learned from Troy Hunt and never looked back.

https://www.troyhunt.com/only-secure-password-is-one-you-can...


I did get an email from them which looked actually legit and opened it. It redirected me to a 404.

Is there a chance I could've been compromised in any way? I'm guessing they couldn't have gotten much more than my IP address, maybe some cookies, all my passwords, private life?


It's good to see major security issues featured on HN. As a consumer, I typically react by resetting credentials, checking configurations etc. I'm not involved in the IT security field, so HN serves as one of the early warning systems for me.


I've got a ton of these phishing email in the last week. They were all pointing to a russian website. Pretty bad security fuckup by Docusign.


The phishing emails had the color scheme changed, making them very phony and easy to classify.


They still got me! :>


I've been getting these fake DocuSign phishing emails for the last 2 weeks.


Are there more than email addresses that were leaked? How do we know they did not?


I would like to urge the Google team to solve one aspect of this problem, forever.

It takes no more than 20 minutes to prototype and then approximately 1 day to fully test the final solution that is necessary on their end to keep compromised emails from being fully compromised addresses forever, without any chance for you to ever know at any point in the future where mail REALLY comes from. Here is a description:

1. Currently they (Google) correctly do 99% by allowing you to type a + after your email address to create a new inbox that is marked in a special way. For example if your address is jsmith747@gmail.com then you can give the company jsmith747+docusign@gmail.com when you sign up - that inbox goes to you and when you start receiving spam in the future to "jsmith747+docusign" you can tell how they got it. The phishing mails associated with this breach would have gone to the same place.

2. The one and only problem with this, which currently has a "security through obscurity" solution, is that anyone can run a regex and remove +docusign to get at the primary, main inbox: jsmith747@gmail.com

3. The full and complete solution is to allow me to create a new inbox in Gmail through a single step, for example "j45rsdfjdocusign" which is linked to jsmith747 in a single direction. Sending mail is not necessary. This must be enabled through the Gmail interface for signed-in users who wish to create a new inbox. They must be able to generate an inbox there, which thereafter goes to the inbox.

4. Spammers have no way to programmatically get the original underlying address when going through a list. When they get to j45rsdfjdocusign there is no regex they can apply to get the original.

5. If in the future j45rsdfjdocusign starts getting spammed, etc, you can add a filter.

There's no special authentication around it; anyone signed into their inbox should be able to do it. They already have the infrastructure up for it around their + coding scheme.

To emphasize how important it is, here is a comment from this thread:

>The phishing emails had the color scheme changed, making them very phony and easy to classify.

Today. Under the current status quo, if in 48 months a much more legitimate-looking mail is sent to any of the same addresses, none of the recipients have any way to know the source of those addresses.

However, after solving this security issue, in 48 months anyone receiving even a very convincing phishing email could know instantly "oh, that is that compromised docusign account" -- that is, if they haven't taken a moment to redirect that inbox to the trash already via a filter.

I urge Google, who has very talented engineers, to implement the correct solution today. Don't wait. You won't get a better example of how important this is, than what's been going on. There are no policy implications as you already do it via the + trick.

I hope you go the extra mile and add a small step to finish solving the problem. Thank you.


> The full and complete solution is to allow me to create a new inbox in Gmail through a single step, for example "j45rsdfjdocusign" which is linked to jsmith747 in a single direction.

When hosting your own email on your own domain you get this benefit out of the box now, without waiting for google to add it for you.

I've been doing this for years, each different company gets a unique email address. Real easy to see who has lost track of their email database, and very easy to turn off those that turn spammy as their business declines and they get ever more desperate to generate sales from their existing "customer list"


I realize that this took you 0 minutes to set up, but Google has 20,832 employees in Research and Development (2016 figure[1]), many, if not most, with PhDs. What might be obvious or intuitive for you and me might require them to have a team examine, do an internal publication with peer review, etc. I would prefer them to set this up but understand it takes a bit of time. Still, I think they should fast-track and get it up. For amateurs, it's a 0-minute solution. I am sure they can do it quickly and professionally. Security by obscurity really isn't enough - someone there needs to do it. Cases like what we're reading about here show the importance of this. They've already done the bulk of the work.

[1] https://www.quora.com/How-many-software-engineers-does-Googl...


You also get the same benefit of catch-all support if you pay Google $5/month for your own domain on Gsuite.


That solves this one issue, but now you're fully responsible for your email server's security. While this may be a feature for some, for the general (developer) public, it's a bug.


Many cheap hosting services offer a catch-all email option for your domains, and my own experiences using various services say it's generally included in the price, i.e. "free".


There are indeed policy implications. Each such alias reduces the available namespace, where +-aliases do not. If I had to guess why Google doesn't implement this feature, I'd guess that's the reason - their namespace is already hotly contested enough.

(Of course, you can do this, quite easily, if you run your own mail domain. You need not administer an MTA - I gather you can wire up a domain you own to Google Apps or G Suite or whatever they're calling it this week.)


All right, I'll grant you that, though it's minimal: since anyone can create any number of gmail addresses already, there is a minimal policy difference.

If this is a concern then Google can generate an immutable part of it (with high entropy), for example I said "j45rsdfjdocusign" of which "j45rsdfj" may be generated and the user may rewrite only the end of it.

The reason it's good for the user to be able to write at least part of it is so they can include the tag and not have to add it as a separate step. Otherwise, it is hard to remember where tags go.

An alternative is that during the generation the user could supply their comment which is visible only to them. (So that under this scenario j45rsdfj is generated, and you comment it with "docusign" during generation. Then if j45rsdfj receives email it is tagged with "docusign", the comment you added during generation.)

There are no other policy implications. (Though I say that with a bit more hesitation, since you did point out one minimal effect.)

By the way this has an additional benefit. Most user-chosen names don't have enough entropy. If I sent an email right now to johnsmith433 there is a 100% chance that it has already been registered by someone. Today, spammers can guess email addresses. (This is a theoretical problem only.)

If Gmail generated high entropy as part of this feature, then this would further reduce this (theoretical only) avenue for spam. I don't think this is an actual problem though - I've never heard this being described as an issue.


There is one thing you are forgetting, and that is working with data at scale. That is not to say it is not solvable, but it requires more thought than just shitting it out in an afternoon.

Gmail as the receiving MTA will want to accept or reject a given email recipient. To do this they need to look up the information. They likely have a fancy distributed way of doing this now. If each user now exploded out to N aliases, you are likely adding a new network hop and loads more memory storage before the MTA can accept/reject. When you are processing many billions of email (lookups), this is a significant change.

Again, it is solvable if they wanted to do it. But it is nontrivial. Add onto this the need for the product team to prioritize the work, other work to be de-prioritized, planning, testing, etc.


You might have missed that Google already does this. They literally already do this with the + markers. Literally all that is necessary is for the user to be allowed to add an entry saying kasdlfj33sdfsketchy = johnsmith23+sketchy so that the user can give out "kasdlfj33sdfsketchy@gmail.com" rather than "johnsmith23+sketchy@gmail.com" as the user can do today.

Nothing that you have stated is difficult or a choice, because johnsmith23+sketchy is live today. If you have a gmail account, you can give out your accountname + marker to anyone you want, so that later you can start filtering it.

This is security by obscurity, since this can be removed by a regex. I would like them to fix this.

As for your other point, where you call the extra data "nontrivial", I am afraid you are wrong, it is almost the definition of trivial. If you have a gmail account, go to it and type a name or any word into the search field. You will instantly receive search results from the entire history of your email archives.

That is because your email archives are fully indexed for fast searching. This takes a not-insignificant amount of space.

Adding a few bytes of aliases is absolutely trivial compared to the amount of storage and lookup that Gmail does on your behalf. It's almost the definition of trivial.

This isn't 1964!
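Two comments above make the same pair of points: a `+tag` suffix can be stripped with one regex, so it is only obscurity, while a provider-generated opaque alias (the "j45rsdfj" prefix with an optional user-chosen suffix, tagged with a private comment) maps one way to the real inbox and reveals nothing. The code below is an added example, not anything Gmail or the thread participants implemented: `AliasDirectory`, its method names and the domain `mail.example` are hypothetical, and it sketches the provider-side table the commenters are asking for so the difference between the two schemes can be seen on concrete addresses.

```python
"""Plus-tag normalisation versus an opaque, one-way alias directory (added example)."""
import re
import secrets

# The normalisation the comments warn about: everything between '+' and '@' is dropped.
PLUS_RE = re.compile(r"^([^+@]+)\+[^@]*@([^@]+)$")


def strip_plus_tag(addr):
    """'john+sketchy@mail.example' -> 'john@mail.example'.

    Because the real inbox is recoverable with a single regex, a plus-tag offers
    no isolation: mail can be addressed straight past the tag-based filter.
    """
    m = PLUS_RE.match(addr.lower())
    return f"{m.group(1)}@{m.group(2)}" if m else addr.lower()


class AliasDirectory:
    """Hypothetical provider-side table: opaque alias -> (real inbox, private comment).

    Nothing in the alias encodes the inbox it delivers to, so there is no
    transformation an outsider can apply to reach the underlying account.
    """

    def __init__(self, domain, rng=secrets.token_hex):
        self.domain = domain.lower()
        self._aliases = {}  # alias local-part -> (inbox local-part, user comment)
        self._rng = rng     # injectable so the example is testable deterministically

    def create(self, inbox, comment, suffix=""):
        """Mint an alias: high-entropy generated prefix plus an optional memorable suffix.

        The suffix is the user-written tail the comment proposes ("docusign"); the
        comment is the private label shown to the user when mail arrives.
        """
        prefix = self._rng(4)  # 8 hex characters, like the thread's "j45rsdfj"
        local = prefix + re.sub(r"[^a-z0-9]", "", suffix.lower())
        self._aliases[local] = (inbox.lower(), comment)
        return f"{local}@{self.domain}"

    def resolve(self, rcpt):
        """Map an inbound recipient to its inbox and tag, or None to reject at the MTA.

        Rejecting unknown local-parts means a guessed or stripped name is never delivered.
        """
        local, _, domain = rcpt.lower().partition("@")
        if domain != self.domain:
            return None
        entry = self._aliases.get(local)
        if entry is None:
            return None
        inbox, comment = entry
        return {"inbox": f"{inbox}@{self.domain}", "tag": comment}

    def revoke(self, alias):
        """Turn off one alias (the one-direction link) without touching the inbox."""
        local, _, _ = alias.lower().partition("@")
        return self._aliases.pop(local, None) is not None


if __name__ == "__main__":
    # Plus-tag: the inbox is trivially recoverable.
    print(strip_plus_tag("jsmith747+docusign@mail.example"))  # jsmith747@mail.example

    # Opaque alias: delivered and tagged while live, rejected once revoked.
    directory = AliasDirectory("mail.example")
    alias = directory.create("jsmith747", comment="docusign", suffix="docusign")
    print(alias, "->", directory.resolve(alias))
    directory.revoke(alias)
    print(alias, "->", directory.resolve(alias))  # None: alias no longer accepted
```

The storage cost the scaling comment raises is visible here as one small dictionary entry per alias, and the lookup at delivery time is the same kind of recipient lookup the receiving MTA already performs; what changes is that the key is an opaque string rather than something derived from the inbox name.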


Wow, I just signed up for this today. Unbelievable. The timing.


[deleted]


One of the reasons is that they want to warn against phishing mails which seem to be actively sent to the breached addresses.


California requires notification of things like email.


> The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software.

I love how nothing changed about this malware payload delivery in about 2 decades.

