Thursday, January 26, 2023

DocuSign sends sensitive info in plain text

Yes, you read the title correctly. DocuSign indeed sends everything including sensitive information to you after you complete "docusigning" something.

Have you ever used the DocuSign service for signing any documents? I am sure many of you are familiar with DocuSign because it is used very widely everywhere for document signing online. If you think you haven't used it, think again, you may have used it and not know about it. Typically, a lot of information you enter when you sign any legal document like your loan application, lease contract, loan, even job acceptance these days goes via DocuSign. When both parties completed the signing process, DocuSign will send you a mail with a copy of the fully signed/executed document (PDF file) once. The PDF file may likely contain your SSN, DOB, address, phone number, account number and many other sensitive information you may have entered during the signing process. Guess what, all of these are in "plain" form and sitting in your email (gmail, yahoo etc). If you don't believe me, search your email from docusign.net and open the attachment they sent you. You would not believe what you see.

If you use gmail (who doesn't?) here is a easy search filter to quickly show all mails from docusign containing PDF files. 

"from:(docusign.net|docusign.com) has:attachment filename:pdf"

The screenshot below will help if you don't know how to search for e-mail messages with filter. 



How to spot phishing attempt - an anatomy of a phishing Email

Note: This is an old post from 2014 at blog.selvans.net. It is moved to this site as part of migration. Though it is more than 8 years old, it is still valid and relevant.

If you consider yourself as someone who knows how to spot spam and phishing emails, you won't learn anything new here. Others who want to learn how to spot spam or phishing mails, especially if you are someone who simply can't resist clicking on links in your email no matter how many times you were told not to :)  read on …

Like most of you, every now and then I do get a phishing mail delivered to my inbox. Gmail usually does a pretty good job of filtering spam and phishing mails, however, this particular one shown here slipped through gmail spam filter because of my own filter (a discussion on why it slipped is outside the scope of this blog). Anyway, here is a screenshot of the phishing mail we will be dissecting in this blog. Apparently, citibank all of a sudden lost everything they know about me except my email address :). You can stop right here since it is clearly a phishing attempt, but for the purpose of this exercise, lets continue. At a glance, for a novice email user, it looks legitimate and it does appear to have come from citibank.com, and is instructing me to download the attachment called Citibank.html. It must be important since it is from citibank alert service and I should immediately download the file and double click it right? The first thing you need to understand is that the 'mail from' (i.e. in this case alerts@citibank.com) is the easiest thing to fake. To find out where it really came from you need to see the full email headers from the “show original” option. [Note: The screen shot below is from gmail but as far as I know all mail clients like yahoo, hotmail, outlook etc allow you to view the 'raw' content of the mail which will show all mail headers].



When you select the 'show original' as shown above, you can get the 'raw' mail content including all the mail headers (see annotated screenshot below).



From the above screenshot, you can clearly see google's mail server received this mail from decisiontreetech.com not from citibank.com (highlighted in yellow). Does this mean the decisiontreetech.com is the phishing source? The answer is No. In this case, it looks like someone from that company seem to be infected with a malware allowing a remote hacker to hijack their email account session to send phishing mail via that company's mail server. If you look further down you can see a remote host from France with a IP address 62.244.93.88 initiated this message. For many of you, unless you are in cyber crime division of law enforcement, at this point, it doesn't matter who the criminal is (we will discover shortly below), you know this is fake and you should simply delete this mail and go on with your life. You can continue to read if you are interested in dissecting this mail further ...

Now, we are going to examine the attachment the crook wants you to download so he can collect your information. Typically, you can view the raw mail safely with your browser to see what the attachment contains to make sense out of it as long as its not binary. In this case it is supposed to be a HTML file. However, the crook encoded the content of the HTML text to base64 encoding so it is not easy to view what he is trying to do and where he intend to send your information (see the screen shot below).


I can just download the file to let the browser decode the base64 encoded HTML for me or just simply copy the content and decode it myself. The following screen shot is a relevant part of the HTML file decoded using an online decode tool from www.base64decode.org



Finally, you can see they are posting your information to a webserver at 69.73.182.242 to eventually mail everything to two email address i.e. sammy78@iname.com and effeferegregregre@yahoo.com There you have it.

PS: As of this writing the above server is still up and running although the post action is no longer working.

Hope this blog helped you to learn how to easily spot phishing mails and protect your hard earned money. Bottom-line is, if you get a mail asking for stuff your financial institution should already know, its a fake, delete it.


How to protect your Facebook account with encrypted notifications

Note: This is an old post from 2015 at blog.selvans.net. It is moved to this site with updated screenshot and content. Though it is more than 7 years old, it is still valid & Facebook still supports this feature.

As part of the Facebook account security feature, Facebook sends various notification e-mails. All these notification e-mail messages are in plain text. For notification e-mails like "Login Alert", it is not a big problem if the mail content is plain text as it does not contain anything important. However, in the case of password reset request e-mail, it is a problem since the reset code is sent in plain text. If your e-mail account is compromised, for example by a session hijacking method, the hacker has access to your e-mail account until the session expires so they can request Facebook password reset and easily take over your Facebook account.

Note: How your account got session hijacked is outside the scope of this blog but typically, it can happen when clicking on phishing e-mails or visiting infected websites etc.

From Jun 2015, Facebook introduced an option for users to request all notification e-mails in encrypted form. If you are already using or familiar with PGP, you can now provide your public key to Facebook so it will use it to encrypt all e-mail communications to you. Go to your Facebook profile and navigate your way to the "Security and login" section or click here https://www.facebook.com/settings?tab=security

See the screenshot below where I entered my public key.



Once you enter your public key (make sure to check the box to enable encrypted notifications) and save changes, you will get an encrypted mail from Facebook. You then decrypt the mail using your PGP tool and confirm using the link Facebook sends you. After this, all e-mails from Facebook will be encrypted using your public key so only you can decrypt it. In addition, you should to add Facebook's public key to your PGP keyring so you can verify the signature of the encrypted e-mail to ensure it is from Facebook. The key is at link below.


See this whole process in action. I get numerous attempts by cyber criminals monthly, weekly and even daily sometimes to reset my facebook password. The following is an example of an attempt. For every attempt, facebook will send me an e-mail (shown in the screenshot below) with encrypted content containing the reset code which is useless to anyone but me.



Below is the screen shot after I decrypted the content using my private key. 


So even if my e-mail account was compromised (highly unlikely 😀), the hacker can't read the code sent by Facebook to reset my password since he can't decrypt the mail without my private keys. For PGP encryption/decryption, I use GNUpg (https://gnupg.org/download/). However, there are other tools and browser plug-ins readily available which you can easily install in your browser (chrome or firefox) to use PGP.

If you are new to PGP, the read the link below for a quick introduction before getting started on using Facebook encrypted e-mails.

https://www.makeuseof.com/tag/pgp-me-pretty-good-privacy-explained/

How to access your passwords anywhere

Note: This is an old post from 2014 at blog.selvans.net moved to this blog site.

Have you ever forgotten the password to login to one of your many online accounts? It happens to me all the time so I save all my passwords to a file, encrypt it, and have a shell script to decrypt, search and spit the plain password whenever I don't remember the password. This is great when I am at home where I have access to my script and my encrypted password file. However, if I don't remember a password to a site when I am not at home, it is a problem. So I exposed a simple public interface on my webserver to securely decrypt my passwords online from anywhere. Feel free to use this tool to encrypt/decrypt anything (passwords, email, or just any text) and share a per message passphrase to other person to decrypt the message to its original content. Don't worry no one will be able to read unless you give them your passphrase. You can save the encrypted content (see a sample below) anywhere like google docs, dropbox, skydrive, or usb stick etc so you can easily access it anywhere. Feel free to use the tool (it is at the link below). There are many password manager tools like lastpass, keepass etc available freely that does similar things but the only difference is, here you control how you safeguard your encrypted file and in addition, you have simple web access to encrypt/decrypt any arbitrary text.



It is perfectly safe to store the encrypted message anywhere in your laptop/desktop as it will be encrypted with strong AES-256 cipher. Whenever you need to see the message content, all you need to remember is the passphrase you used to encrypt it. To get an idea, decrypt the sample content below using the passphrase 'th1s 1s coo1' without the quotes if you are interested to see how it works.

b97ca8a4928db1a7M5lbEofsXXYqTrvEQXyIYBwbJgqUo8S5iUZuzUuoX370OzoeIXiEbkX1KKprK02Z7n9ocnMx1JoEeB3cJdgqBxkpO84Pq+rQrSsUcgLtOp10xZnFM40EJX9RPyLD7Gyl1yKIzZ5nuWxrKIz29R5UFel6J6ZBGKCbWRP2lVbaQPKFZLJtgUQ7Vq7sKxffUOepPoBxeCWcpNYyhthj4IQ/t1WUl8asGSH7CUp0Rje3GJIaHBSciwUDA+g4euunb4NY6Kivq3O7FCyJ8REpZgZ9TIZuUgYFV0tjMi9xdAxWR4EUsJUaG4fC+5JfFA05cGZgcEkwc9VSdLKDc6L1p3Ku3L/3dRnBSlSC1hXZM0Shsdo=