DocuSign’s Envelopes API abused to ship real looking pretend invoices

Menace actors are abusing DocuSign’s Envelopes API to create and mass-distribute pretend invoices that seem real, impersonating well-known manufacturers like Norton and PayPal.

Utilizing a legit service, the attackers bypass e-mail safety protections as they arrive from an precise DocuSign area, docusign.web.

The objective is to have their targets e-sign the paperwork, which they’ll then use to authorize funds independently from the corporate’s billing departments.

Fake Norton invoice created on DocuSign
Faux Norton bill created on DocuSign
Supply: Wallarm

Sending real looking signature requests

DocuSign is an digital signature platform that allows digitally signing, sending, and managing paperwork.

The Envelopes API is a core element of DocuSign’s eSignature REST API, permitting builders to create, ship, and handle doc containers (envelopes) that outline the signing course of.

The API is supposed to assist clients automate the sending of paperwork that want signing, monitor their standing, and retrieve them when signed.

In line with Wallarm safety researchers, risk actors utilizing legit paid DocuSign accounts ary abusing this API to ship pretend invoices that mimic the appear and feel of respected software program companies.

These customers get pleasure from full entry to the platform’s templates, permitting them to design paperwork that resemble the impersonated entity’s branding and structure.

Subsequent, they use ‘Envelopes: create’ API perform to generate and ship a excessive quantity of fraudulent invoices to many potential victims.

Malicious request sent by the threat actors
Malicious request despatched by the risk actors
Supply: Wallarm

Wallarm says the charges offered in these invoices are stored to a sensible vary to extend the sense of legitimacy of the signing request.

“If users e-sign this document, the attacker can use the signed document to request payment from the organization outside of DocuSign or send the signed document through DocuSign to the finance department for payment,” explains Wallarm.

“Other attempts have included different invoices with different items, usually following the same pattern of getting signatures for invoices that then authorize payment into the attackers bank accounts.”

Giant-scale DocuSign abuse

Wallarm notes that the sort of abuse, which it has reported to DocuSign, has been occurring for some time now, and clients have reported the campaigns many occasions on the platform’s group boards.

“I’m suddenly getting 3-5 phishing emails a week from the docusign.net domain and none of the standard reporting email addresses like abuse@ or admin@ work,” a buyer posted to the DocuSign boards.

“They reject my email, and I can’t find any reporting information on their FAQ page.  I guess I’m left with the choice of blocking the domain?”

The assaults seem automated slightly than low-volume guide makes an attempt, so the abuse happens on a big scale that must be laborious for the platform to overlook.

BleepingComputer has contacted DocuSign to ask about their anti-abuse measures and in the event that they plan to reinforce them in opposition to the reported exercise, however a remark wasn’t instantly accessible.

Sadly, API endpoints are laborious to safe when the risk actors create industrial accounts permitting entry to those options.

Some latest examples of how hackers have abused APIs prior to now embrace verifying the telephone numbers of hundreds of thousands of Authy customers, scraping the knowledge of 49 million Dell clients, and linking e-mail addresses to 15 million Trello accounts.

Recent articles