At The Identity Organisation, we're here to help!

    Or drop us a mail!

    Your privacy is important to us, and we want to communicate with you in a way which has your consent and which is in line with UK Law on data protection. As a result of a change in UK law on 25th May 2018, by providing us with your personal details you consent to us processing your data in line with current GDPR requirements.

    Here is where you can review our Privacy & GDPR Statement

    To remove consent at any time, please e-mail info@tidorg.com with the word "unsubscribe" as the subject.

    +44 (0) 1628 308038 info@tidorg.com

    Attackers Abuse DocuSign to Send Phony Invoices

    Threat actors are abusing DocuSign’s API to send phony invoices that appear “strikingly authentic,” according to researchers at Wallarm.

    “Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard,” Wallarm says.

    The threat actors set up DocuSign accounts that allow them to create invoices for fake purchases. They can then send an email notification from the DocuSign platform.

    “An attacker creates a legitimate, paid DocuSign account that allows them to change templates and use the API directly,” the researchers explain. “The attacker employs a specially crafted template mimicking requests to e-sign documents from well-known brands, mostly software companies; for example, Norton Antivirus.

    These fake invoices may contain accurate pricing for the products to make them appear authentic, along with additional charges, like a $50 activation fee. Other scenarios include direct wire instructions or purchase orders.”

    Notably, the threat actors have automated these phishing attacks using DocuSign’s API, allowing them to mass-distribute the phony invoices.

    “The longevity and breadth of the incidents reported in DocuSign’s community forums clearly demonstrate that these are not one-off, manual attacks,” the researchers explain. “In order to carry out these attacks, the perpetrators must automate the process. DocuSign offers APIs for legitimate automation, which can be abused for these malicious activities.”

    Since the messages come from a legitimate service, they’re much more likely to bypass security filters and fool human users. While this campaign abused DocuSign, the researchers note that attackers can use other e-signature and document services to launch these attacks as well.

    “The exploitation of trusted platforms like DocuSign through their APIs marks a concerning evolution in cybercriminal strategies,” Wallarm concludes. “By embedding fraudulent activities within legitimate services, attackers increase their chances of success while making detection more challenging. Organizations must adapt by enhancing their security protocols, prioritizing API security, and fostering a culture of vigilance.”

    KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

    Wallarm has the story.

    Request A Demo: Security Awareness Training

    New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn’t a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4’s security awareness training and simulated phishing platform and see how easy it can be!

    Request a Demo!

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/one-on-one-demo-partners?partnerid=001a000001lWEoJAAW

    Sign Up to the TIO Intel Alerts!

    Back To Top