{"id":10468,"date":"2022-03-01T00:36:50","date_gmt":"2022-03-01T00:36:50","guid":{"rendered":"https:\/\/nftsgary.com\/?p=562"},"modified":"2023-04-03T08:12:16","modified_gmt":"2023-04-03T08:12:16","slug":"fake-hmrc-via-a-spoofed-docusign-domain-you-have-received-a-secure-document-via-docusign-malspam-delivers-trickbot","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/fake-hmrc-via-a-spoofed-docusign-domain-you-have-received-a-secure-document-via-docusign-malspam-delivers-trickbot\/","title":{"rendered":"Fake HMRC Via A Spoofed Docusign Domain You Have Received A Secure Document Via DocuSign Malspam Delivers Trickbot"},"content":{"rendered":"
An email with the subject \u201cYou have received a secure document via DocuSign\u201d, pretending to come from HMRC via Docusign but actually sent from a look-alike domain <noreply@docusign.delivery> with a malicious Word doc attachment, is today\u2019s latest spoof of a well-known company, bank or public authority delivering the Trickbot banking Trojan.<\/p>\n
These emails look very similar to the genuine email that Docusign sends when a third-party organisation uses it to deliver a document to you for digital signing. The genuine ones always have a link to the genuine Docusign domain for the recipient to log in & sign the document. You only get a digitally signed copy that you download yourself after signing it. Docusign never sends a Word doc for you to sign.<\/p>\n
They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.<\/p>\n
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.<\/p>\n
Neither HMRC nor Docusign has been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
\nWhat has happened is that the criminals sending these have registered various domains that look like a genuine Docusign domain.<\/p>\n
Normally they send these from several newly registered domains that imitate Docusign, or a government department or agency, closely enough to be easily confused with the legitimate organisation.<\/p>\n
The gangs are running out of \u201cnormal\u201d domains like com, org, net or co.uk for the spoofed companies and are now using the new top-level domains like delivery.<\/p>\n
As usual, they are registered with GoDaddy as registrar, and the emails are sent via Host Europe GmbH (85.93.88.122).
\nThe email looks like:<\/p>\n
From:<\/strong> HMRC via DocuSign <noreply@docusign.delivery> You have received a secure document via DocuSign. Read your secure message by opening the attachment, 3A677DACCCE49928XM.doc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it. If you have concerns about the validity of this message, please contact the sender directly. For questions about DocuSign\u2019s e-mail encryption service, please contact technical support at 888.764.7941.<\/em> Do Not Share This Email<\/em> If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable..<\/em><\/p>\n This message was sent to you using the DocuSign Secure Electronic Encryption Service. If you would rather not receive email from this sender you may contact the sender with your request.<\/em><\/p><\/blockquote>\n
\nDate:<\/strong> Wed 12\/07\/2021 12:08
\nSubject:<\/strong> You have received a secure document via DocuSign
\nAttachment:<\/strong> SecureMessage.doc<\/p>\nBody Content<\/strong>:<\/h3>\n
\nSincerely,<\/em>
\nCharlotte Puddy<\/em><\/p>\n
\nThe information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax \u2013 except its direct delivery to the intended recipient \u2013 is strictly prohibited.<\/em><\/p>\nScreenshot:<\/strong>
\n
\nThe Word Doc Looks Like:
\n
\nEmail Headers:<\/strong><\/h3>\n