Phishing emails mimicking DocuSign are rising, thanks to a thriving underground marketplace for fake templates and login credentials.
Over the past month, researchers from Abnormal Security claim to have tracked a significant increase in phishing attacks designed to mimic legitimate DocuSign requests.
A quick trip down the rabbit hole took them to a Russian cybercrime forum, where sellers peddled a variety of templates resembling authentic emails and documents.
Phishing's Underground Market The market's leading document-signing software has long provided fertile grounds for phishermen.
Its popularity helps, and that it's often used to store and transfer valuable documents with sensitive data.
DocuSign emails tend to be generic, making them a cinch to forge, with a big, yellow button beckoning users to click before they think twice about it.
To achieve that perfect look and feel necessary to lull victims into autopilot, an attacker might take the time to craft legitimate-looking DocuSign email and document templates from scratch.
Amateur, lazy, overworked, or simply logical and efficient hackers might instead purchase ready-made malicious ones from online marketplaces.
With such a cheap resource in hand, attackers can craft phishing emails that trick employees of targeted organizations in any number of ways.
They can send fake documents with prompts for users to enter their personally identifying information, for example, or they can redirect users to fake login pages for submitting their real DocuSign login credentials.
Then they can leverage the data they obtain or, more likely, sell it on to the next buyer in the food chain.
So besides email and document templates, there's also a thriving market for the login credentials that phishers glean.
The Consequence to Companies With cheap login credentials, hackers can probe employees' DocuSign histories for all the sensitive documentation they've engaged with in recent months.
They can use information from employer contracts, vendor agreements, and payment information as fodder for blackmail in extortion attacks, or they can sell it to attackers even further down the line.
They can also use it to identify new, higher-value targets, and impersonate specific individuals at a company or partner company.
An attacker can time out a request for remittance around the time a company typically pays its vendor every month.
Using information from a compromised employee's DocuSign history, they can impersonate a direct superior, or a vendor finance department's point person, and attach specific, real documents to the email for reference.
To prevent this, or any number of other potential worst-case scenarios, Abnormal Security recommends that employees always look out for suspicious email sender and link addresses, impersonal email greetings, and uncharacteristically short DocuSign security codes, and open documents directly from the company's website rather than via email.
Finally, don't open documents you're not expecting.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 15 May 2024 20:40:35 +0000