Attackers Abuse DocuSign API to Send Authentic-Looking Invoices At Scale

Summary:
Cybercriminals have adopted a sophisticated approach by exploiting DocuSign’s API capabilities to send convincing fake invoices that appear to come from reputable companies like Norton Antivirus. Unlike standard phishing tactics that rely on deceptive emails and suspicious links, these scams use genuine DocuSign accounts and official templates, making the invoices appear legitimate and bypassing email security filters with ease. To carry out these attacks, scammers create paid DocuSign accounts, granting them access to customization tools and API functionality. Using these resources, they create templates that closely resemble authentic e-signature requests from well-known brands, mostly in the software sector. These fake invoices are often highly realistic, containing accurate product prices and even additional charges, such as a $50 activation fee. Some invoices also include direct wire instructions or purchase orders, further adding to their credibility. Once the recipient signs the document, attackers use it to request payments, either by returning the signed invoice through DocuSign to the organization’s finance department or by initiating contact outside DocuSign. In both cases, the signed document serves as authorization for payment, increasing the scam’s success rate.

In recent months, reports of these fake invoices have surged, with DocuSign users raising alarms on community forums about the increase in scams. One forum thread, titled “Phishing Emails from docusign.net Domain”, reflects the growing concern among users who are struggling to navigate these attacks. This troubling trend reveals how attackers are embedding themselves within trusted communication channels, effectively disguising fraudulent activity as legitimate correspondence.

Security Officer Comments:
To carry out these scams on a large scale, attackers leverage DocuSign’s API-friendly environment for automation, using endpoints like the Envelopes: Create API to distribute a high volume of fake invoices with minimal manual effort. This API allows attackers to automate the process of creating and sending customized invoices, giving them the ability to operate at scale. With access to DocuSign’s templates, they can tailor each invoice to match the branding of various target companies, including the unauthorized use of logos and trademarks from well-known brands like Norton. This tactic’s effectiveness lies in the misuse of DocuSign’s trusted platform. Emails are sent directly from DocuSign, making them appear credible and difficult for traditional spam or phishing filters to catch. Without any malicious links or attachments, the invoices bypass most email security measures, relying solely on their appearance to deceive recipients.


Suggested Corrections:

For Organizations:

  • Verifying Sender Credentials: Always double-check the sender's email address and any associated accounts for legitimacy. Look beyond the envelope sender (which will be DocuSign's own domain) at the Reply-To field; a private mailbox such as @outlook.com or Gmail should raise concern.
  • Requiring Internal Approvals: Implement strict internal procedures for approving purchases and financial transactions, involving multiple team members where possible.
  • Conducting Awareness Training: Educate employees about this new type of threat, highlighting the importance of skepticism even when communications appear legitimate.
  • Monitoring for Anomalies: Keep an eye on unexpected invoices or requests, especially those that include unusual charges or fees. Even small details, such as a sender's last name starting with a lowercase letter, should draw attention.
  • Follow DocuSign’s Advice: DocuSign provides guidance on how to avoid phishing.

For Service Providers:

  • Conducting Threat Modeling: Understanding where your APIs might be abused is key to implementing effective security controls. Conduct regular threat modeling exercises to identify potential points of abuse.
  • Implementing API Rate Limiting: Rate limiting isn’t a new control, but applying rate limiting to specific API endpoints is a more sophisticated application of the capability. If you understand how your APIs are used, you can implement smarter rate limits to prevent attackers from scaling.
  • Detecting API Abuse: API abuse is hard to detect, but there are tools that can profile the behavior of your APIs and identify anomalous activities.
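The sender-credential and anomaly checks above, turned into a small triage routine that an accounts-payable or SOC team could run over DocuSign notification metadata. This is an added example, not code from the advisory or from DocuSign; the webmail-domain list, the vendor-domain comparison, and the sample notices are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Free webmail domains: a Reply-To on one of these for a vendor invoice is a risk
# signal. The list is an assumption for this example, not taken from the advisory.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Surcharge wording the advisory associates with these fake invoices.
SUSPECT_CHARGES = ("activation fee", "wire")

@dataclass
class EnvelopeNotice:
    """Fields an AP team can read off a DocuSign notification (constructed sample)."""
    reply_to: str       # address replies actually go to (not the docusign.net sender)
    sender_name: str    # display name on the envelope
    vendor_domain: str  # domain of the brand the invoice claims to be from
    line_items: dict    # description -> amount in USD

def triage(notice: EnvelopeNotice) -> list[str]:
    """Return human-readable risk flags; an empty list means no signal fired."""
    flags = []
    reply_domain = notice.reply_to.rsplit("@", 1)[-1].lower()
    if reply_domain in FREE_WEBMAIL:
        flags.append(f"reply-to on free webmail domain {reply_domain}")
    elif reply_domain != notice.vendor_domain.lower():
        # Assumed check: a real vendor invoice should route replies to that vendor.
        flags.append(f"reply-to domain {reply_domain} does not match {notice.vendor_domain}")
    # A lowercase surname in the sender name is a weak but cheap signal.
    parts = notice.sender_name.split()
    if len(parts) > 1 and parts[-1][:1].islower():
        flags.append(f"lowercase surname in sender name '{notice.sender_name}'")
    for desc, amount in notice.line_items.items():
        if any(k in desc.lower() for k in SUSPECT_CHARGES):
            flags.append(f"unusual charge: {desc} (${amount:.2f})")
    return flags

# Constructed samples modelled on the advisory's description of the invoices.
SUSPICIOUS = EnvelopeNotice(
    reply_to="billing.norton@outlook.com", sender_name="John smith",
    vendor_domain="norton.com",
    line_items={"Norton 360 Deluxe 1yr": 99.99, "Activation fee": 50.00},
)
BENIGN = EnvelopeNotice(
    reply_to="ap@norton.com", sender_name="Jane Smith",
    vendor_domain="norton.com", line_items={"Norton 360 Deluxe 1yr": 99.99},
)

if __name__ == "__main__":
    for label, notice in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(notice) or ["no flags"])
```

Any flagged notice should go through the internal approval path before payment, since none of these signals is individually conclusive.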

Link(s):
https://lab.wallarm.com/attackers-abuse-docusign-api-to-send-authentic-looking-invoices-at-scale/