Docusign API Abused in Widescale, Novel Invoice Attack

Published: 23/11/2024   Category: security




Attackers are exploiting the Envelopes: create API of the enormously popular document-signing service to flood corporate inboxes with convincing phishing emails aimed at defrauding organizations. It's an unusual attack vector with a high success rate.



Cybercriminals are abusing a Docusign API in a widescale, innovative phishing campaign to send fake invoices to corporate users. The invoices appear authentic and are unlikely to trigger the security defenses or user suspicion that many similar scams do.
The campaign, observed over the last several months, involves attackers creating a legitimate, paid Docusign account, which lets them modify templates and call the API directly, researchers at security firm Wallarm revealed in a blog post published this week.
Attackers are taking advantage of Docusign's API-friendly environment, which, while beneficial for businesses, also inadvertently gives malicious actors a way to scale their operations, according to the post.
Specifically, the researchers observed abuse of Docusign's Envelopes: create API to send what turned out to be a significant volume of automated emails to many users and recipients directly from the platform. The messages use specially crafted templates mimicking requests to e-sign documents from well-known brands, mainly software companies such as Norton Antivirus, according to Wallarm's post.
Fake invoices employed in the campaign also use an array of other tactics to lend authenticity to the scam. These include quoting accurate pricing for a company's products; adding the kinds of charges a buyer would expect, such as an activation fee; including direct wire instructions or purchase orders; and sending different invoices with different items.
Ultimately, if a user e-signs the document, the threat actor can use it to request payment from the organization outside of Docusign, or send the signed document through Docusign to the finance department for payment, completing the fraud.
The attack vector may not be limited to Docusign, Wallarm researchers warned; other e-signature and document services could be equally vulnerable to similar exploitation tactics.
Fake invoices are often a part of financially motivated phishing scams, and Docusign — which offers enormously popular software for digital signatures with more than 1.5 million paying customers and 1 billion users worldwide — is often a target for phishers. An API-based attack, however, can potentially be more effective than scams that simply use name recognition or impersonate the brand, for a number of reasons.
Chief among them is that because the emails come directly from Docusign, they look legitimate to email services and spam/phishing filters, according to Wallarm's post. There are no malicious links or attachments; the danger lies in the authenticity of the request itself.
Indeed, because the attack uses an API exploit, there probably won’t be many signs that would be easy to spot as in a spoofed email, Erich Kron, security awareness advocate at KnowBe4, observes. Moreover, the popularity of Docusign makes the service a great target for this sort of attack at a large scale due to the potential for automation by exploiting the API, he says, adding, people put their trust in brands they recognize and know, especially those that are used often in legal or other official capacities.
Fortunately, there are a number of ways that organizations can protect themselves from such convincing attacks, as well as strategies that service providers like Docusign can take to avoid or detect API abuse, according to Wallarm.
Organizations should always double-check the sender's email address and any associated accounts for legitimacy, and implement strict internal procedures for approving purchases and financial transactions that, where possible, involve multiple team members.
"It's fascinating to see how sophisticated cybercriminals have become, leveraging legitimate tools like Docusign to craft realistic phishing attacks," says Randolph Barr, CISO at Cequence. "This highlights the importance of verifying the source of any document signing request, even if it appears to come from a trusted source. [Organizations] should emphasize the importance of pausing and verifying before taking any action, even if it seems urgent. Additionally, IT and security teams must stay informed about the latest attack methods and techniques to effectively protect their organizations."
Keeping a close eye on unexpected invoices or requests, especially those that include unusual charges or fees, also can help organizations avoid paying criminals rather than legitimate entities.
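The recipient-side checks above (verify the account that actually created the envelope, not just the platform that relayed the mail; hold anything that looks like an invoice with its own payment instructions or unexpected fees for out-of-band verification) can be scripted at the mail gateway or ticketing layer. The following is an added example written for this page; it is not Wallarm's or Docusign's code. The notification fields, the platform domains, the onboarded-vendor list and the keyword patterns are all assumptions constructed for the demo, and the two sample notifications are constructed, not captured.

```python
"""Recipient-side triage of an e-signature request, as an added example.
This is not Wallarm's or Docusign's code; the notification fields, domains,
vendor list and keyword patterns below are assumptions constructed for the demo."""
import re
from dataclasses import dataclass, field

# Domains the signing platform itself sends notifications from (assumed).
PLATFORM_DOMAINS = {"docusign.net", "docusign.com"}
# Account e-mails of vendors finance has onboarded. The check is against the
# account that created the envelope, not the platform's From: domain (constructed).
APPROVED_VENDOR_SENDERS = {"billing@trusted-vendor.example"}

INVOICE_RE = re.compile(r"\b(invoice|purchase order|PO #?\d+)\b", re.I)
WIRE_RE = re.compile(r"\b(wire|routing|ABA|IBAN|SWIFT)\b", re.I)
FEE_RE = re.compile(r"\b(activation|setup|processing) fee\b", re.I)


@dataclass
class Notification:
    from_domain: str      # domain of the From: header
    dkim_pass: bool       # DKIM for that domain verified by the mail gateway
    envelope_sender: str  # account e-mail shown as the envelope's sender
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                          # "hold" (verify out of band) or "route"
    reasons: list = field(default_factory=list)


def triage(n: Notification) -> Verdict:
    reasons = []
    # A genuine platform notification passes DKIM for the platform domain. That
    # proves who relayed the mail, not that the request behind it is legitimate,
    # so it is a precondition for routing, never a reason to trust the content.
    if not (n.dkim_pass and n.from_domain.lower() in PLATFORM_DOMAINS):
        reasons.append("not verifiably sent by the platform")
    sender = n.envelope_sender.lower()
    if sender not in APPROVED_VENDOR_SENDERS:
        reasons.append(f"envelope sender {sender} is not an onboarded vendor")
    text = f"{n.subject}\n{n.body}"
    if INVOICE_RE.search(text) and WIRE_RE.search(text):
        reasons.append("invoice carries its own wire/payment instructions")
    if FEE_RE.search(text):
        reasons.append("unexpected fee line item")
    return Verdict("hold" if reasons else "route", reasons)


# Constructed samples. The first mirrors the campaign pattern: relayed by the
# platform, no links or attachments, realistic pricing plus an activation fee
# and wire details, created by an account nobody in finance has onboarded.
ATTACK_SAMPLE = Notification(
    from_domain="docusign.net", dkim_pass=True,
    envelope_sender="norton-billing@example.net",
    subject="Please sign: Norton Antivirus invoice",
    body=("Invoice #48213 - Norton 360 Deluxe, 5 devices: $99.99\n"
          "Activation fee: $49.00\n"
          "Pay by wire: routing 021000021, account 1234567"),
)
LEGIT_SAMPLE = Notification(
    from_domain="docusign.net", dkim_pass=True,
    envelope_sender="billing@trusted-vendor.example",
    subject="Please sign: Q4 statement of work",
    body="Statement of work for consulting services, net 30.",
)

if __name__ == "__main__":
    for s in (ATTACK_SAMPLE, LEGIT_SAMPLE):
        v = triage(s)
        print(s.subject, "->", v.action, v.reasons)
```

The point of the first check is that a passing DKIM result for the platform domain is exactly what the campaign's mail will show; it rules out a spoof but says nothing about the account behind the envelope, which is why the vendor allowlist and content checks do the real work.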
Service providers also can take responsibility for mitigating API-based attacks by understanding how their APIs may be abused in phishing campaigns, conducting regular threat modeling exercises to identify potential attack vectors. They also can apply rate limits to specific API endpoints to stop attackers from scaling their operations when abuse does occur, according to the researchers.
