Hackers Use Fake DocuSign Templates to Scam Organizations – Source: securityboulevard.com

A surge in phishing attacks that use emails appearing to be from DocuSign is being fueled by a Russian dark web marketplace that has a wide range of take templates and login credentials.

Abnormal Security saw a “concerning uptick” of such emails peppering some of its customers over the past month and began looking for the source of the problem, according to Daniel Kelley, a threat researcher with the cybersecurity company.

“These fraudulent emails, meticulously designed to mimic legitimate document signing requests, lure unsuspecting recipients into clicking malicious links or divulging sensitive information,” Kelley wrote in a report. “The recent rise in these attacks can be attributed to several factors, including the widespread adoption of the platform across various industries, its trusted reputation, and, most significantly, the increasing sophistication of cybercriminal tactics.”

In this case, the Abnormal researchers took the information from one of the attacks on a customer and searched for it on underground forums and networks. Eventually, the search led them to the Russian marketplace, where they found an identical DocuSign template.

Authenticity is Key When Phishing

It’s not unusual for bad actors running phishing campaigns to try to give their emails an authentic vibe by making them appear to be coming from legitimate sources, such as businesses or individuals. In recent months, there have been reports of people falling for scams after receiving texts that appeared to be from the U.S. Postal Service.

Abnormal sees no difference in the cases involving DocuSign, a popular electronic signature company. For hackers, the question becomes how to make their emails seem legitimate.

“When launching a phishing campaign, cybercriminals prioritize authenticity in order to maximize success,” Kelley wrote. “They have two options: buy templates from reputable sellers on cybercrime forums or sign up for the targeted service (such as DocuSign) to get genuine templates directly. However, both options pose unique challenges.”

Shopping Around

Buying templates from reputable sellers requires the seller to be able to accurately replicate the template, while getting the templates from the service – in this case, DocuSign – takes time, risks exposing the cybercriminal, and requires the hacker to be able to replicate it, a skill many of them don’t have.

Purchasing convincing phishing templates that are already made from an underground marketplace tends to be the way to go, enabling the attackers to run their phishing campaigns without have to worry about the templates.

“Sophisticated cybercriminals are leveraging the anonymity of the dark web to trade DocuSign templates, a disturbing trend that underscores the evolving nature of digital fraud,” Kelley wrote. “These templates closely resemble authentic DocuSign documents and are sold to facilitate a range of malicious activities, including phishing attacks, identity theft, and financial fraud.”

The researchers found a message thread on a Russian dark web forum offering custom template modifications. The operators behind the message also posted a template for delivery service DHL, promising not to resell the templates if requested. A search for similar templates on the forum and other dark web networks turned up a lot of such templates that could be bought. One site they found offered templates from such companies as Microsoft, PayPal, Netflix, and Amazon.

“Cybercriminals frequently launch multiple phishing campaigns at the same time, focusing on different vendors and services,” Kelley wrote. “Creating a unique template for each target would be extremely resource-intensive. Instead, cybercriminals can streamline their operations and increase their profits by purchasing templates in bulk or outsourcing their creation.”

The cost of a template can be as little as $10, giving them the information they need to start building their phishing campaigns. After getting the DocuSign login credentials stolen in phishing campaigns, the bad actors can start looking around a company’s files for such sources as contracts, vendor agreements, or payment schedules to find who to target and how to make their emails seem legitimate.

Stolen Money and Credentials

In their emails, bad actors can impersonate DocuSign to customers and partners, asking them to transfer funds to an account controlled by the hackers. They can add to the illusion of legitimacy by attaching fake contracts and timing the emails to coincide when real payments are due.

“Hacked DocuSign accounts are also a goldmine for corporate espionage, as cybercriminals can profit handsomely by selling information about upcoming mergers, financial records, client lists, and other sensitive data to other entities,” Kelley wrote, noting the large amount of sensitive and confidential information documents stored in DocuSign can hold. “If cybercriminals discover this type of data while snooping, they may resort to blackmailing the company by threatening to release the information publicly unless a large ransom is paid.”

Companies then are in a bind. They can either pay the demand or risk their reputations and legal problems.

Riding DocuSign’s Popularity

This isn’t the first time DocuSign has been used in such attacks. IBM researchers in 2021 outlined a similar campaign in which fake DocuSign emails were sent requesting the target to sign an electronic document. Clicking on the “view document” button sent victims to a phishing site. Early last year, cybersecurity vendor Armorblox, uncovered that targeted 10,000 DocuSign users across multiple companies. Armorblox was bought by Cisco months later.

Abnormal’s Kelley pointed to steps people can take to protect against such scams, including checking the sender’s email address because DocuSign’s always come from the docusign.net domain. Also, phishing emails tend to be impersonal; DocuSign emails always address the recipient by name.

People also should verify the code format, inspect links before clicking on them by hovering over to see their URL destinations, and keep clear of messages that including Google Docs or Drive links or attachments.

In addition, “Use DocuSign’s secure document access,” Kelley wrote. “Instead of clicking links in suspicious emails, go directly to docusign.net, click ‘Access Documents,’ and enter the security code provided at the bottom of DocuSign emails.”