Criminals open DocuSign’s Envelope API to make BEC special delivery

Business email compromise scammers are trying to up their success rate by using a DocuSign API.

The Envelope: create API is designed to let users of the legal signing product automate and speed up document distribution. But it also allows customization – and that combination is, we’re told, causing many people to get caught out.

“An attacker creates a legitimate, paid DocuSign account that allows them to change templates and use the API directly. The attacker employs a specially crafted template mimicking requests to e-sign documents from well known brands,” warned bug finders at security shop Wallarm.

“Because the invoices are sent directly through DocuSign’s platform, they look legitimate to the email services and spam/phishing filters. There are no malicious links or attachments; the danger lies in the authenticity of the request itself.”

Once signed, the attacker can forward the invoices on a mass scale, thanks to DocuSign’s automation features, and the money should flow into their accounts. According to the FBI, BEC scammers have made $2.9 billion from US businesses in 2023 – and that’s just from the reported cases. There are undoubtedly a few embarrassed businesses that just decided to swallow the loss.

Wallarm observed that the problem has been growing over the last few months and – based on DocuSign’s form letter response – a remedy may take some time.

The letter reads: “We appreciate you making us aware of bad actors using the DocuSign product inappropriately. Our Security teams have created an Incident Reporting guide on our Trust site. We recommend you do not click on any links from emails that are looking suspicious.”

As ever, the key protections are checking the sender’s address and the payment details. It’s a pain, but vigilance is the most effective way to defeat cyber scum. ®

READ MORE HERE