THIS IS NOT A BILL. But some bad actors are hoping you think it is.
A report from the API security platform Wallarm said fraudsters are using Docusign accounts to send invoices that appear “strikingly authentic.” Threat actors use the document-signing platform’s legitimate services to deceive users and to automate the process, according to the blog post released on November 5.
“Attackers found a way to confuse people using the basic concept of Docusign that allows you to send any documents to anyone,” Ivan Novikov, CEO at Wallarm, told IT Brew.
“It looks so real, because it is real,” he said.
The details:
- The scam used a realistic Norton Antivirus signature document, likely created by copying a genuine one, Novikov said.
- These fake invoices may include accurate pricing and additional charges, like an activation fee, according to the Wallarm report.
- The fraudster can then use an e-signed document to request payment from the organization outside of Docusign, the blog post said.
- Threat actors used the legitimate Docusign APIs to facilitate mass distribution.
2 Legit… Attackers have frequently employed legitimate services—URL shorteners, company mail servers, and popular file-sharing services, to name a few—to sneak past an organization’s security filters.
Justin Safa, cybersecurity consultant for digital forensics and incident response at Optiv, said he has seen an increase over the last two years in legitimate document-sharing services being abused to send more effective phishing messages. He sees the Docusign attack as especially effective in deceiving users and bypassing technical security controls.
“It’s not necessarily an inherent issue with the platform itself, so much as it is that person has found a way to take advantage of it,” Safa said, adding that typical anti-phishing measures apply to a threat like this one:
- Verify the source of the email. (While the source came from Docusign, the Reply-To email field appeared to be from a suspicious Outlook address, according to Wallarm’s CEO.)
- Implement internal processes (like checking account numbers) for the transfer of funds.
- Use URL rewriting features like Office 365 Safe Links.
- Train employees using actual threats that users face.
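The first item in that list, the Reply-To check that Wallarm’s CEO describes, is easy to automate at a mail gateway or in a SOC triage script. The following is an added example written for this article, not code from Wallarm, Optiv, or Docusign: it parses a message’s headers, compares the domain of the From address with the domain(s) in Reply-To, and holds the message for review when the sender is a legitimate platform but replies would land at a consumer webmail mailbox. The sample messages are constructed, and `docusign.example` stands in for the platform’s real sending domain.

```python
"""Flag e-mails whose Reply-To points somewhere other than the sending domain.

The fraudulent envelopes in the article really did come from Docusign's
infrastructure, so sender checks alone pass. The tell was that the
Reply-To header pointed at a personal Outlook mailbox. This helper scores
exactly that header-level mismatch.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Consumer webmail providers. A vendor invoice that asks for replies at one
# of these deserves a human look. (Constructed starter list; extend as needed.)
WEBMAIL_DOMAINS = {"outlook.com", "hotmail.com", "live.com", "gmail.com", "yahoo.com"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain of an address like 'Name <user@host>' ('' if none)."""
    _, email_addr = parseaddr(addr)
    if "@" not in email_addr:
        return ""
    return email_addr.rsplit("@", 1)[1].lower()


def analyze_reply_to(raw_message: str) -> dict:
    """Compare the From and Reply-To domains of an RFC 5322 message.

    Returns the domains seen, whether they disagree, whether any Reply-To
    lands at a webmail provider, and a triage verdict:
      'ok'               no Reply-To, or Reply-To matches the sender domain
      'flag'             Reply-To goes to some other domain (note it, may be benign)
      'hold-for-review'  Reply-To goes to a personal webmail mailbox
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From", ""))
    # get_all() handles repeated Reply-To headers; getaddresses() splits lists.
    reply_to_domains = sorted(
        {_domain(a) for _, a in getaddresses(msg.get_all("Reply-To", []))} - {""}
    )
    mismatch = any(d != from_domain for d in reply_to_domains)
    webmail = any(d in WEBMAIL_DOMAINS for d in reply_to_domains)
    if mismatch and webmail:
        verdict = "hold-for-review"
    elif mismatch:
        verdict = "flag"
    else:
        verdict = "ok"
    return {
        "from_domain": from_domain,
        "reply_to_domains": reply_to_domains,
        "mismatch": mismatch,
        "webmail_reply_to": webmail,
        "verdict": verdict,
    }


# Constructed sample messages (placeholder domains; not real traffic).
SUSPICIOUS_MSG = """From: "Norton via Docusign" <dse@docusign.example>
Reply-To: constructed-billing@outlook.com
To: accounts-payable@victim.example
Subject: Completed: Norton Antivirus Renewal Invoice

Please review and sign your invoice.
"""

CLEAN_MSG = """From: "Acme Legal via Docusign" <dse@docusign.example>
Reply-To: contracts@docusign.example
To: accounts-payable@victim.example
Subject: Please sign: Master Services Agreement

Please review and sign.
"""

OTHER_DOMAIN_MSG = """From: "Acme Legal via Docusign" <dse@docusign.example>
Reply-To: contracts@acme.example
To: accounts-payable@victim.example
Subject: Please sign: Master Services Agreement

Please review and sign.
"""

if __name__ == "__main__":
    for label, raw in [("suspicious", SUSPICIOUS_MSG), ("clean", CLEAN_MSG),
                       ("other-domain", OTHER_DOMAIN_MSG)]:
        print(label, analyze_reply_to(raw))
```

A Reply-To that differs from the From domain is not proof of fraud on its own (marketing and ticketing tools do it routinely), which is why the code only escalates to `hold-for-review` when the reply address is also a consumer mailbox; the `flag` verdict is a softer signal that pairs well with the payment-process controls in the second item of the list.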
BEC up. Business email compromise (BEC), a fraudulent tactic involving a request for company money or data, was the “second-costliest type of crime,” according to the FBI’s 2023 Internet Crime Report, falling right behind investment fraud. BEC led to 21,489 complaints and $2.9 billion in reported losses in 2023.
Novikov wants the platform to check whether an account holder using a company logo has a corresponding, confirming credential from that company, such as a business email address. (Google uses third-party-verified Brand Indicators for Message Identification to ensure logos in inboxes are legitimate.)
Kate Sheehy, senior director of corporate communications at Docusign, shared a statement in an email to IT Brew: “We are aware of the reports and take them very seriously. While, in the interest of security, we don’t disclose specifics that could alert bad actors to our prevention tactics, Docusign has a number of technical systems and teams in place to help prevent misuse of our services,” including continuous monitoring and deterring techniques.