Phishing emails impersonating DocuSign are on the rise, driven by a thriving underground market for fake templates and login credentials.
In the past month, researchers from Abnormal Security have observed a significant increase in phishing attacks designed to mimic legitimate DocuSign requests. Their investigation led them to a Russian cybercrime forum where sellers offered a variety of templates resembling authentic emails and documents.
DocuSign, a leading document-signing service, has long been a prime target for phishers due to its popularity and the sensitive nature of the documents it handles. DocuSign emails are generally generic and built around a large, conspicuous yellow button that tempts users to click, which makes them easy to forge. Mike Britton, CISO of Abnormal Security, explains, "People are conditioned to recognize and trust the typical appearance of DocuSign emails. In my weekly routine, I encounter multiple DocuSign requests and often click on them without a second thought."
To create convincing DocuSign phishing emails, attackers can painstakingly design authentic-looking templates from scratch or, more efficiently, purchase pre-made malicious templates from online marketplaces. According to Britton, these templates, which can mimic DocuSign, Amazon, PayPal, and other platforms, can be bought for as little as $10.
With these inexpensive resources, attackers craft phishing emails that deceive employees into revealing personal information or redirect them to fake login pages to steal their DocuSign credentials. The stolen data is then used by the attackers or sold to other cybercriminals.
Cheap login credentials allow hackers to access employees' DocuSign histories, revealing sensitive documents from recent months. Information from employer contracts, vendor agreements, and payment details can be used for blackmail or sold to other attackers. Hackers can also identify new targets and impersonate specific individuals within a company.
For instance, an attacker might time a fraudulent payment request to coincide with a company's regular vendor payment schedule. By using information from a compromised employee's DocuSign history, they can convincingly impersonate a superior or a vendor's finance department contact, attaching real documents for reference.
To mitigate these risks, Abnormal Security advises employees to be vigilant about suspicious email sender addresses, impersonal greetings, and unusually short DocuSign security codes. Employees should open documents directly from the company's website rather than via email and avoid opening unexpected documents.
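The three indicators in that advice (sender address, impersonal greeting, short security code) can also be checked automatically when a reported message is triaged. The sketch below is an added example, not code from Abnormal Security or DocuSign; the expected sender domains, the 32-character minimum code length, the greeting patterns and the function names are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values, not taken from the article: tune them for your own mail flow.
EXPECTED_DOMAINS = {"docusign.net", "docusign.com"}
MIN_CODE_LEN = 32
GENERIC_GREETING = re.compile(
    r"^\s*(dear (customer|user|recipient|sir|madam)|hello|hi)\s*[,!]?\s*$", re.I | re.M)
SECURITY_CODE = re.compile(r"security code:?\s*([A-Za-z0-9]+)", re.I)

def plain_text(msg):
    """Join every text/plain part of the message into one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_email):
    """Return the indicators from the advice above that this message trips."""
    msg = message_from_string(raw_email)
    body = plain_text(msg)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not any(domain == d or domain.endswith("." + d) for d in EXPECTED_DOMAINS):
        findings.append(f"unexpected sender domain: {domain or '(none)'}")
    if GENERIC_GREETING.search(body):
        findings.append("impersonal greeting")
    code = SECURITY_CODE.search(body)
    if code and len(code.group(1)) < MIN_CODE_LEN:
        findings.append(f"security code only {len(code.group(1))} characters")
    return findings

# Constructed sample messages (reserved .example domain, invented names and codes).
SUSPICIOUS = """From: DocuSign <dse@docusign-mail.example>
Subject: Please review and sign

Dear Customer,
You have a document waiting for your signature.
Security Code: 8F2A91
"""
CLEAN = """From: Jane Roe via DocuSign <dse@docusign.net>
Subject: Please review and sign

Alex Kim,
Jane Roe sent you a document to review and sign.
Security Code: 0123456789ABCDEF0123456789ABCDEF
"""
```

An empty result from `triage` only means none of these three indicators fired; the From header can be forged, so it does not establish that a message is genuine.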
"Everyone is busy," Britton notes. "Whether in the office or working in a hybrid environment, the safest approach is to verify emails by calling the sender directly to confirm their legitimacy."