A targeted mobile phishing ("mishing") campaign has been observed that impersonates DocuSign in order to harvest corporate credentials from company executives.
ZimperiumLabs reported on Dec. 18 that the DocuSign campaign fits a pattern of spear-phishing attempts that enterprises have been tracking, in which attackers specifically target their executives' mobile devices.
The ZimperiumLabs researchers said the attack begins with what looks like a routine DocuSign document arriving on an executive's mobile device for immediate review. By placing CAPTCHA challenges in front of the phishing pages as an evasion technique against automated link analysis, and by embedding mobile-specific phishing links inside PDF files, the campaign demonstrates the increasing sophistication of corporate mishing.
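One check a defender can run on a suspicious "DocuSign" PDF before anyone taps it is to pull every link target out of the file and flag any whose host is not a genuine DocuSign domain. The script below is an added example written for this article; it is not ZimperiumLabs' code, and the sample PDF and the allowlist of DocuSign domains (docusign.com, docusign.net) are assumptions constructed for the demonstration. It handles the two PDF string encodings a link can hide in (escaped literal strings and hex strings) and catches lookalike hosts such as `docusign.com.review-doc.example`, which a naive substring match would pass.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of legitimate DocuSign hostnames (an assumption for this example).
TRUSTED_SUFFIXES = ("docusign.com", "docusign.net")

# A /URI entry in a PDF link action, followed by either a literal string (...)
# or a hex string <...>.  Literal strings may contain escaped parentheses.
URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")


def _decode_pdf_string(tok: bytes) -> str:
    """Decode a PDF literal or hex string token into text."""
    if tok.startswith(b"<"):
        h = re.sub(rb"\s", b"", tok[1:-1])
        if len(h) % 2:            # PDF pads an odd final digit with 0
            h += b"0"
        return bytes.fromhex(h.decode("ascii")).decode("latin-1")

    def unescape(m: re.Match) -> bytes:
        e = m.group(1)
        if e[:1].isdigit():       # octal escape \ddd
            return bytes([int(e, 8) & 0xFF])
        if e == b"\n":            # backslash-newline is a line continuation
            return b""
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(e, e)

    body = re.sub(rb"\\([0-7]{1,3}|.)", unescape, tok[1:-1], flags=re.DOTALL)
    return body.decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes, in file order."""
    return [_decode_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]


def is_trusted(url: str) -> bool:
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(pdf: bytes) -> list[str]:
    """Links in the PDF that do not resolve to a trusted DocuSign host."""
    return [u for u in extract_uris(pdf) if not is_trusted(u)]


# Constructed sample PDF (not a real lure): one genuine link, one lookalike host
# in an escaped literal string, and one phishing link hidden in a hex string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://app.docusign.com/signing/review) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://docusign.com.review-doc.example/m/?id=1\\(2\\)) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
   /A << /S /URI /URI <68747470733a2f2f646f63757369676e2d7365637572652e6578616d706c65
2f636170746368613f743d31> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for url in extract_uris(SAMPLE_PDF):
        print(("OK       " if is_trusted(url) else "SUSPECT  ") + url)
```

Two caveats apply. The scan is a regular-expression pass over the raw bytes, so links stored inside compressed object streams (`/ObjStm` with `/FlateDecode`) would need to be inflated first; a full PDF parser is the right tool for production triage. And the script does not follow the links: confirming the mobile-specific behaviour and the CAPTCHA gate described above means fetching each target in a sandbox with a mobile User-Agent, which is deliberately left out of an offline check.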
Patrick Tiquet, vice president, security and architecture at Keeper Security, said that as mobile devices have become essential to most business operations, securing them has become crucial, especially against the wide variety of phishing attacks, including the mishing attempts ZimperiumLabs has written about.
“Organizations should implement robust mobile device management policies, ensuring that both corporate-issued and BYOD devices comply with security standards,” said Tiquet. “Regular updates to both devices and security software will ensure that vulnerabilities are promptly patched — safeguarding against known threats that target mobile users.”
Tiquet added that enforcing multi-factor authentication (MFA) adds another layer of protection for sensitive data. Password managers also play a crucial role by generating and storing strong, unique passwords and supporting advanced MFA methods. Finally, Tiquet said regular employee training on cybersecurity best practices and simulated phishing exercises will help reinforce secure behaviors.
Mika Aalto, co-founder and CEO at Hoxhunt, said that to combat these mobile spear-phishing campaigns, companies must shift left and equip senior management and employees with the skills and tools to recognize and safely report a mishing attack.
“Ultimately, it comes down to people,” Aalto said. “Attackers will launch a complex attack with what might just be a simple phishing message. It’s up to people to listen to that little voice in their head that’s telling them that something is wrong, and report suspicious messages as a matter of habit.”