Criminals open DocuSign's Envelope API to make BEC special delivery

Why? Because that's where the money is

Business email compromise scammers are trying to up their success rate by using a DocuSign API.

The Envelope: create API is designed to let users of the legal signing product automate and speed up document distribution. But it also allows customization – and that combination is, we're told, causing many people to get caught out.

"An attacker creates a legitimate, paid DocuSign account that allows them to change templates and use the API directly. The attacker employs a specially crafted template mimicking requests to e-sign documents from well known brands," warned bug finders at security shop Wallarm.

"Because the invoices are sent directly through DocuSign's platform, they look legitimate to the email services and spam/phishing filters. There are no malicious links or attachments; the danger lies in the authenticity of the request itself."

Once signed, the attacker can forward the invoices on a mass scale, thanks to DocuSign's automation features, and the money should flow into their accounts. According to the FBI, BEC scammers have made $2.9 billion from US businesses in 2023 – and that's just from the reported cases. There are undoubtedly a few embarrassed businesses that just decided to swallow the loss.

Wallarm observed that the problem has been growing over the last few months and – based on DocuSign's form letter response – a remedy may take some time.

The letter reads: "We appreciate you making us aware of bad actors using the DocuSign product inappropriately. Our Security teams have created an Incident Reporting guide on our Trust site. We recommend you do not click on any links from emails that are looking suspicious."

As ever, the key protections are checking the sender's address and the payment details. It's a pain, but vigilance is the most effective way to defeat cyber scum. ®
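Those two checks can be scripted on the receiving side. The example below is added here and is not Wallarm's or DocuSign's code: it assumes a hypothetical vendor register (brand name, approved sender domains, bank account on file) and a constructed notification body in a DocuSign-like layout, and holds any e-sign invoice request whose sender domain or payment account does not match what is on file.

```python
import re
from dataclasses import dataclass

# Hypothetical vendor register: brand -> approved sender domains and bank account on file.
VENDOR_REGISTER = {
    "Acme Supplies": {"domains": {"acmesupplies.example"}, "account": "GB11ACME00000012345678"},
}

# Field patterns for the constructed notification layout used in this example.
SENDER_RE = re.compile(r"^(?P<name>.+?) \((?P<email>[^)]+)\) sent you a document", re.M)
BRAND_RE = re.compile(r"^Invoice from:\s*(?P<brand>.+)$", re.M)
ACCOUNT_RE = re.compile(r"^Account:\s*(?P<account>\S+)", re.M)


@dataclass
class Verdict:
    brand: str
    sender_email: str
    reasons: list  # empty means the request matches the vendor on file


def check_notification(body: str, register=VENDOR_REGISTER) -> Verdict:
    """Return the reasons to hold an e-sign invoice request before it is signed or paid."""
    sender, brand, account = SENDER_RE.search(body), BRAND_RE.search(body), ACCOUNT_RE.search(body)
    if not (sender and brand and account):
        return Verdict("?", "?", ["notification lacks sender, brand or account fields"])
    brand_name = brand["brand"].strip()
    email = sender["email"].strip().lower()
    reasons = []
    vendor = register.get(brand_name)
    if vendor is None:
        reasons.append(f"brand {brand_name!r} is not in the vendor register")
    else:
        domain = email.rsplit("@", 1)[-1]
        if domain not in vendor["domains"]:  # the platform is genuine; the account behind it is not
            reasons.append(f"sender domain {domain!r} is not on file for {brand_name!r}")
        if account["account"] != vendor["account"]:
            reasons.append("payment account differs from the one on file")
    return Verdict(brand_name, email, reasons)


# Constructed sample: a known brand name, but a sender domain and account that are not on file.
SAMPLE = """\
Jane Doe (billing@acme-supplies-invoices.example) sent you a document to review and sign.
Invoice from: Acme Supplies
Amount due: 12,400.00
Account: GB99FAKE00000099999999
"""

if __name__ == "__main__":
    verdict = check_notification(SAMPLE)
    print("HOLD" if verdict.reasons else "OK", verdict.reasons)
```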
