Scammers Fake DocuSign Templates to Blackmail & Steal From Companies
Phishing emails mimicking Docusign are rising, thanks to a thriving underground marketplace for fake templates and login credentials.
Over the past month, researchers from Abnormal Security claim to have tracked a significant increase in phishing attacks designed to mimic legitimate Docusign requests. A quick trip down the rabbit hole took them to a Russian cybercrime forum, where sellers peddled a variety of templates resembling authentic emails and documents.
The market's leading document-signing software has long provided fertile grounds for phishermen. Its popularity helps, and that it's often used to store and transfer valuable documents with sensitive data. Docusign emails tend to be generic, making them a cinch to forge, with a big, yellow button beckoning users to click before they think twice about it.
"Everybody's been conditioned — especially after some time in the workplace — that Docusign links look a certain way," explains Mike Britton, CISO of Abnormal Security. "It's got the blue background, the 'Docusign' logo, that [characteristic] look and feel. In any given week I probably deal with half a dozen different things that I have to sign for Docusign — whether it's from a vendor, a partner, whatever — I'm kind of conditioned to see it, click it, and kind of go into autopilot."
To achieve that perfect look and feel necessary to lull victims into autopilot, an attacker might take the time to craft legitimate-looking Docusign email and document templates from scratch. Amateur, lazy, overworked, or simply logical and efficient hackers might instead purchase ready-made malicious ones from online marketplaces. After all, Britton says, the cost of a fresh template for Docusign, Amazon, PayPal, and more run as little as US $10.
With such a cheap resource in hand, attackers can craft phishing emails that trick employees of targeted organizations in any number of ways. They can send fake documents with prompts for users to enter their personally identifying information (PII), for example, or they can redirect users to fake login pages for submitting their real Docusign login credentials. Then they can leverage the data they obtain or, more likely, sell it on to the next buyer in the food chain.
As Britton says, "We're long gone from the days where cybercriminals own the entire lifecycle [of an attack]. Now, if I want to go attack 10,000 victims and steal money from them, I'm just going to go buy credentials, [and] buy access — the necessary assets to shortcut it."
So besides email and document templates, there's also a thriving market for the login credentials that phishers glean. And here is where the attacks start to get ugly.
With cheap login credentials, hackers can probe employees' Docusign histories for all the sensitive documentation they've engaged with in recent months. They can use information from employer contracts, vendor agreements, and payment information as fodder for blackmail in extortion attacks, or they can sell it to attackers even further down the line. They can also use it to identify new, higher-value targets, and impersonate specific individuals at a company or partner company.
For example, an attacker can time out a request for remittance around the time a company typically pays its vendor every month. Using information from a compromised employee's Docusign history, they can impersonate a direct superior, or a vendor finance department's point person, and attach specific, real documents to the email for reference.
To prevent this, or any number of other potential worst-case scenarios, Abnormal Security recommends that employees always look out for suspicious email sender and link addresses, impersonal email greetings, and uncharacteristically short Docusign security codes, and open documents directly from the company's website rather than via email. And, finally, don't open documents you're not expecting.
"Everybody's busy," Britton acknowledges. "Whether you're in the office, or a hybrid work environment where you've got personal life coming at you, the safest bet is to just pick up the phone and say: 'Hey, I just got this email from you. Is it legit?'"