Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

DocuSign Envelops API hijacked to send out fake invoices

Electronic Signature.

  • Hackers found abusing DocuSign to send phishing emails
  • The signed documents are used to request payment
  • DocuSign says it has implemented additional safeguards

Cybercriminals are abusing DocuSign’s Envelopes API to trick businesses into signing fake invoices, which are later used to steal money from the victims.

DocuSign is an esign software platform that businesses can use to sign, send, and manage documents digitally - with “send” here being the keyword.

New findings by cybersecurity researchers Wallarm highlight how crooks would create fake invoices, and use DocuSign to send them to the victims for “signing”. Since they are using the platform, the emails are sent directly from DocuSign’s domain, appearing legitimate and moving past any email protection services the victims may have set up.

Bypassing the billing department

In the invoices, the crooks impersonate major brands, such as Norton, or PayPal. The funds requested are also in a realistic range, lending further credence to the campaign.

Businesses that don’t spot the ruse end up signing the documents, which might seem odd at first, since they don’t really lose money, or sensitive data, that way.

However, the attackers can leverage the signed documents to authorize payments outside of normal company procedures since, at the end of the day, the signatures in the invoices are legitimate. That way, they are effectively bypassing the billing departments and stealing money from their victims.

The attacks are not manual, since the distribution seems to be going in relatively high volumes, the researchers further explained. By using the 'Envelopes: create' function, attackers can generate and send a large volume of these fraudulent invoices to numerous potential victims simultaneously.

Wallarm added that the attacks have been going on for a while now. DocuSign acknowledged it, as well. Responding to a request for comment from BleepingComputer, the company said it worked to prevent misuse: “We are aware of the reports and take them very seriously,” it told the publication. “While, in the interest of security, we don’t disclose specifics that could alert bad actors to our prevention tactics, DocuSign has a number of technical systems and teams in place to help prevent misuse of our services.”

Commenting on the news, Erich Kron, security awareness advocate at KnowBe4, said that the campaign likely wouldn't be very successful, and gave a few tips on how to spot similar attacks:

"Because this is coming through an API exploit, they’re probably won’t be many signs that would be easy to spot as in a spoofed email. The easiest way to spot this is if it is asking you to renew a service that you don’t currently have, such as a specific brand of antivirus, it should stand out as a fake. Even if you do happen to have that brand of antivirus, it is always best to renew through the vendor website, or through the app itself," Kron explained.

"It is critical for people to be cautious when receiving unexpected invoices or other communications through email, text messages, or even phone calls as bad actors may sometimes combine tactics to further confuse potential victims or try to improve the believability of the scams."

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.