DocuSign Envelopes API hijacked to send out fake invoices
Crooks are using signed invoices to bypass the billing department
Cybercriminals are abusing DocuSign’s Envelopes API to trick businesses into signing fake invoices, which are later used to steal money from the victims.
DocuSign is an e-signature software platform that businesses can use to sign, send, and manage documents digitally, with “send” being the keyword here.
New findings by cybersecurity researchers at Wallarm highlight how the crooks create fake invoices and use DocuSign to send them to the victims for “signing”. Because they use the platform itself, the emails come directly from DocuSign’s domain, so they appear legitimate and pass through any email protection services the victims may have set up.
Bypassing the billing department
In the invoices, the crooks impersonate major brands, such as Norton, or PayPal. The funds requested are also in a realistic range, lending further credence to the campaign.
Businesses that don’t spot the ruse end up signing the documents, which might seem odd at first, since they don’t really lose money, or sensitive data, that way.
However, the attackers can leverage the signed documents to authorize payments outside of normal company procedures since, at the end of the day, the signatures in the invoices are legitimate. That way, they are effectively bypassing the billing departments and stealing money from their victims.
The attacks are not manual: the distribution seems to run in relatively high volumes, the researchers further explained. By using the ‘Envelopes: create’ function, attackers can generate and send a large volume of these fraudulent invoices to numerous potential victims simultaneously.
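Since the emails arrive from DocuSign’s own domain, conventional spoofing checks do not apply; the remaining signals are the brand the envelope claims to be from versus the sending account’s domain, and whether an invoice-like request comes from a vendor the business actually deals with. The triage below is an added example (not Wallarm’s or DocuSign’s code) that applies those two checks to envelope metadata; the field names, brand-to-domain map and approved-vendor list are assumptions, and the envelopes are constructed samples.

```python
"""Flag DocuSign envelopes that look like brand-impersonating invoice requests."""
import re
from dataclasses import dataclass

# Hypothetical: brands named in the report, mapped to the sender domains a genuine
# invoice from that brand would be expected to come from.
BRAND_DOMAINS = {"norton": {"norton.com"}, "paypal": {"paypal.com"}}
# Hypothetical: vendors this organisation has an actual billing relationship with.
APPROVED_VENDOR_DOMAINS = {"paypal.com", "acme-hosting.example"}
INVOICE_WORDS = re.compile(r"\b(invoice|renewal|payment due|subscription)\b", re.I)


@dataclass
class Envelope:
    """Assumed to be extracted from the envelope's sender metadata and subject."""
    sender_name: str
    sender_email: str
    subject: str


def triage(env: Envelope) -> list[str]:
    """Return the reasons an envelope should be held for manual review (empty = pass)."""
    reasons = []
    domain = env.sender_email.rsplit("@", 1)[-1].lower()
    text = f"{env.sender_name} {env.subject}".lower()
    # Check 1: the envelope name-drops a brand but was not sent from that brand's domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and domain not in domains:
            reasons.append(f"claims {brand} but sent from {domain}")
    # Check 2: a payment/renewal request from a sender the billing team does not know.
    if INVOICE_WORDS.search(env.subject) and domain not in APPROVED_VENDOR_DOMAINS:
        reasons.append(f"invoice-like request from non-approved vendor {domain}")
    return reasons


def review_queue(envelopes: list[Envelope]) -> dict[str, list[str]]:
    """Map each flagged envelope's subject to its reasons; clean envelopes are omitted."""
    return {e.subject: r for e in envelopes if (r := triage(e))}


# Constructed sample envelopes: one impersonating Norton, one genuine vendor invoice.
SAMPLES = [
    Envelope("Norton LifeLock Billing", "billing@renewals-notice.example",
             "Invoice 4471: Norton 360 renewal"),
    Envelope("PayPal Inc", "billing@paypal.com", "Invoice 1001"),
]

if __name__ == "__main__":
    for subject, reasons in review_queue(SAMPLES).items():
        print(subject, "->", "; ".join(reasons))
```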
Wallarm added that the attacks have been going on for a while now. DocuSign acknowledged it, as well. Responding to a request for comment from BleepingComputer, the company said it worked to prevent misuse: “We are aware of the reports and take them very seriously,” it told the publication. “While, in the interest of security, we don’t disclose specifics that could alert bad actors to our prevention tactics, DocuSign has a number of technical systems and teams in place to help prevent misuse of our services.”
Commenting on the news, Erich Kron, security awareness advocate at KnowBe4, said that the campaign likely wouldn’t be very successful, and gave a few tips on how to spot similar attacks:
“Because this is coming through an API exploit, there probably won’t be many signs that would be easy to spot as in a spoofed email. The easiest way to spot this is if it is asking you to renew a service that you don’t currently have, such as a specific brand of antivirus, it should stand out as a fake. Even if you do happen to have that brand of antivirus, it is always best to renew through the vendor website, or through the app itself,” Kron explained.
“It is critical for people to be cautious when receiving unexpected invoices or other communications through email, text messages, or even phone calls as bad actors may sometimes combine tactics to further confuse potential victims or try to improve the believability of the scams.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.