A surge in phishing attacks that use emails appearing to be from DocuSign is being fueled by a Russian dark web marketplace that has a wide range of fake templates and login credentials.
Eventually, the search led them to the Russian marketplace, where they found an identical DocuSign template.
It's not unusual for bad actors running phishing campaigns to try to give their emails an authentic vibe by making them appear to be coming from legitimate sources, such as businesses or individuals.
Abnormal sees no difference in the cases involving DocuSign, a popular electronic signature company.
For hackers, the question becomes how to make their emails seem legitimate.
Buying templates from reputable sellers requires the seller to be able to accurately replicate the template, while getting the templates from the service - in this case, DocuSign - takes time, risks exposing the cybercriminal, and requires the hacker to be able to replicate it, a skill many of them don't have.
Purchasing convincing, ready-made phishing templates from an underground marketplace tends to be the way to go, enabling the attackers to run their phishing campaigns without having to worry about the templates.
The researchers found a message thread on a Russian dark web forum offering custom template modifications.
The operators behind the message also posted a template for delivery service DHL, promising not to resell the templates if requested.
A search for similar templates on the forum and other dark web networks turned up a lot of such templates that could be bought.
One site they found offered templates from such companies as Microsoft, PayPal, Netflix, and Amazon.
The cost of a template can be as little as $10, giving them the information they need to start building their phishing campaigns.
After getting the DocuSign login credentials stolen in phishing campaigns, the bad actors can start looking around a company's files for such sources as contracts, vendor agreements, or payment schedules to find who to target and how to make their emails seem legitimate.
In their emails, bad actors can impersonate DocuSign to customers and partners, asking them to transfer funds to an account controlled by the hackers.
They can add to the illusion of legitimacy by attaching fake contracts and timing the emails to coincide with when real payments are due.
This isn't the first time DocuSign has been used in such attacks.
IBM researchers in 2021 outlined a similar campaign in which fake DocuSign emails were sent requesting the target to sign an electronic document.
Early last year, cybersecurity vendor Armorblox uncovered an attack that targeted 10,000 DocuSign users across multiple companies.
Abnormal's Kelley pointed to steps people can take to protect against such scams, including checking the sender's email address, because DocuSign's emails always come from the docusign.net domain.
Phishing emails tend to be impersonal; DocuSign emails always address the recipient by name.
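The two checks Kelley describes can be automated as a first-pass mail triage. The following Python example is an addition to this article, not code from Abnormal or DocuSign; the sample messages, the recipient name and the function names are constructed for illustration, and because a From header can be forged, a pass here complements SPF/DKIM/DMARC results and does not replace them.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "docusign.net"  # sender domain named in the article

def sender_domain(msg):
    """Domain of the From address; the display name is ignored because it is free text."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def domain_is_trusted(domain):
    """Exact match or a true subdomain, so 'docusign.net.example' fails."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

def addresses_recipient(msg, recipient_name):
    """True if the plain-text body contains the recipient's name."""
    body = msg.get_payload()
    return isinstance(body, str) and recipient_name.lower() in body.lower()

def triage(raw, recipient_name):
    """Return the reasons a raw message fails the two checks (empty list = passes)."""
    msg = message_from_string(raw)
    findings = []
    domain = sender_domain(msg)
    if not domain_is_trusted(domain):
        findings.append(f"sender domain '{domain}' is not {TRUSTED_DOMAIN}")
    if not addresses_recipient(msg, recipient_name):
        findings.append("body does not address the recipient by name")
    return findings

# Constructed sample messages for illustration (not real traffic).
NAMED_FROM_TRUSTED = (
    "From: DocuSign <notify@docusign.net>\n"
    "To: jordan.lee@corp.example\n"
    "Subject: Please sign\n\n"
    "Hello Jordan Lee, a document is waiting for your signature.\n"
)
LOOKALIKE_IMPERSONAL = (
    'From: "DocuSign" <billing@docusign.net.example>\n'
    "To: jordan.lee@corp.example\n"
    "Subject: Please sign\n\n"
    "Dear customer, review and sign the attached document.\n"
)

if __name__ == "__main__":
    for label, raw in (("trusted", NAMED_FROM_TRUSTED), ("lookalike", LOOKALIKE_IMPERSONAL)):
        print(label, triage(raw, "Jordan Lee"))
```
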
This Cyber News was published on securityboulevard.com. Publication date: Thu, 16 May 2024 22:13:07 +0000