Phishing without links and viruses: DocuSign has become a new weapon for cybercriminals

Man

Scammers have found a new way to steal money using legitimate services.

DocuSign is at the center of a new type of cyberattack: attackers use its API to send fake invoices that look like real ones. Unlike standard phishing attacks, which use fake links and emails, these incidents use real DocuSign accounts and templates, making it difficult for users and security systems to recognize the threat.

Criminals create paid accounts on DocuSign, where they set up templates that imitate invoices from well-known brands such as Norton Antivirus. The invoices include realistic data and often contain additional fees, such as an "activation fee" of $50, which makes the fakes even more plausible.

By signing such an invoice, the user in effect authorizes payment, which attackers can use to transfer money to their accounts. Such invoices are difficult to trace because they come directly through the DocuSign platform, without malicious links or attachments, so email filters let them through.

In recent months, the number of user complaints about such invoices on DocuSign forums has increased significantly. These attacks show that criminals are actively using legitimate channels to disguise their activities, which seriously complicates their detection.

Security experts at Wallarm have found that criminals are automating the process using the DocuSign API, sending fake invoices in bulk and with minimal intervention. Using the Envelopes API, they set up and send thousands of invoices fully tailored to the branding of companies like Norton, creating the illusion of legitimate transactions.

Wallarm researchers emphasize that this threat is also relevant for other electronic signature services. To protect against such attacks, companies are advised to verify the sender, establish internal protocols for approving financial transactions, and conduct training for employees. It is important for service providers to limit the rate of API requests and use technology to monitor for suspicious activity.

This scheme is a new development in cybercrime: attackers embed their operations into trusted platforms, which makes them difficult to detect. Organizations need to improve their security practices, focusing on API security and employee awareness.
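
Because these messages carry no malicious link or attachment, a mail-side check has to look at who requested the signature and what is being asked for. The sketch below is an added example, not part of the original post or Wallarm's tooling: it holds e-signature notifications whose requester is not an approved counterparty and whose text asks for money. The sending domains, the approved list, the use of `Reply-To` as the requester, and the sample messages are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not taken from the article: the platform's sending domains, the
# approved-counterparty list, and that Reply-To carries the requesting account.
ESIGN_DOMAINS = ("docusign.net", "docusign.com")
APPROVED_REQUESTERS = {"contracts@supplier.example"}
MONEY = re.compile(
    r"\b(invoice|payment|renewal|subscription|activation fee)\b|\$\s?\d", re.I)


def body_text(msg):
    """Concatenate decoded text/plain parts (handles multipart and base64)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not any(domain == d or domain.endswith("." + d) for d in ESIGN_DOMAINS):
        return "not-esign", []
    reasons = []
    requester = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if requester not in APPROVED_REQUESTERS:
        reasons.append("requester not an approved counterparty")
    if MONEY.search(msg.get("Subject", "") + "\n" + body_text(msg)):
        reasons.append("payment language in a signature request")
    # Hold only when both signals agree; either one alone is common in real mail.
    return ("hold-for-finance-review" if len(reasons) == 2 else "deliver"), reasons


# Constructed sample messages (not real traffic).
FAKE = ("From: Norton Billing via DocuSign <dse@docusign.net>\n"
        "Reply-To: billing@unknown-sender.example\n"
        "Subject: Complete with DocuSign: subscription renewal invoice\n\n"
        "Please review and sign. Total $299.99 plus activation fee $50.\n")
LEGIT = ("From: Supplier Ltd via DocuSign <dse@docusign.net>\n"
         "Reply-To: contracts@supplier.example\n"
         "Subject: Complete with DocuSign: master services agreement\n\n"
         "Please review and sign the attached agreement.\n")

if __name__ == "__main__":
    for name, raw in (("FAKE", FAKE), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

A held message goes to the internal approval process the article recommends rather than being blocked outright, since the notification itself is genuine platform mail.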
