Cybercriminals Exploit Docusign with Customizable Phishing Templates

Originally published by Abnormal Security.

Written by Daniel Kelley.

Over the past month, we've noticed a surge in Docusign phishing emails targeting our customers. To further investigate this issue, we took one of the recent attacks stopped by Abnormal and searched for it on cybercrime forums and networks. Eventually, we discovered an identical template being distributed on a Russian cybercrime forum.

Docusign Attacks On The Rise

Phishing attacks exploiting Docusign have witnessed a concerning uptick. These fraudulent emails, meticulously designed to mimic legitimate document signing requests, lure unsuspecting recipients into clicking malicious links or divulging sensitive information. The recent rise in these attacks can be attributed to several factors, including the widespread adoption of the platform across various industries, its trusted reputation, and, most significantly, the increasing sophistication of cybercriminal tactics.

Example of a Docusign phishing email

How Cybercriminals Are Exploiting Docusign

Sophisticated cybercriminals are leveraging the anonymity of the dark web to trade Docusign templates, a disturbing trend that underscores the evolving nature of digital fraud. These templates closely resemble authentic Docusign documents and are sold to facilitate a range of malicious activities, including phishing attacks, identity theft, and financial fraud.

When we searched cybercrime forums and networks for Docusign templates similar to the ones used in attacks targeting Abnormal customers, we discovered the following thread on a Russian cybercrime forum.

A Docusign phishing template being shared on a cybercrime forum

Further down in the thread, it was revealed that the user was offering custom template modifications for a fee. They also posted a template for DHL and promised not to resell the templates if ordered. Browsing the user's profile revealed little information, except for a strong interest in spamming activities, which did not lead us anywhere. However, searching for similar templates on the cybercrime forum and other networks revealed that a large number of these templates are readily available for purchase.

Multiple phishing templates being shared on a cybercrime forum

Why Do Cybercriminals Want Docusign Templates?

When launching a phishing campaign, cybercriminals prioritize authenticity in order to maximize success. They have two options: buy templates from reputable sellers on cybercrime forums or sign up for the targeted service (such as Docusign) to get genuine templates directly. However, both options pose unique challenges.

Purchasing templates from reputable sellers saves time and effort, but the seller must be able to accurately replicate the template while maintaining exclusivity. Obtaining templates directly from the targeted service, on the other hand, ensures authenticity but takes time, necessitates manual replication, and poses a risk to the cybercriminal's privacy.

Many cybercriminals lack the technical proficiency required to create convincing phishing templates from scratch. Purchasing ready-made templates is a practical solution that allows them to concentrate their efforts on carrying out the phishing campaign rather than devoting valuable resources to template creation.

Phishing products and letters sold in bulk for cybercriminals

Cybercriminals frequently launch multiple phishing campaigns at the same time, focusing on different vendors and services. Creating a unique template for each target would be extremely resource-intensive. Instead, cybercriminals can streamline their operations and increase their profits by purchasing templates in bulk or outsourcing their creation.

What Do Cybercriminals Do With Stolen Docusign Credentials?

Cybercriminals are usually secretive about their operations, but some online chatter reveals how they make money by using stolen Docusign credentials obtained through phishing campaigns. The most popular method appears to be business email compromise (BEC)—this usually involves a few steps.

A cybercriminal looking for US partners for a Docusign BEC fraud scheme

First, cybercriminals buy stolen Docusign logins on cybercrime forums and networks for as little as $10, gaining access to a company's account. Then, they carefully review all of the stored files, looking for contracts, vendor agreements, and upcoming payment information. This helps them figure out who to target and how to make their scams appear legitimate. In addition, they look for any information that could be used to blackmail the company.

Using the information gathered, the scammers impersonate the company they hacked and send fake emails to the company's business partners, requesting that they transfer funds to a different account controlled by the cybercriminals. To make these emails appear even more legitimate, scammers frequently attach fake contracts via the hacked Docusign account, timing these emails around when real payments are due to make the fraud more difficult to detect.

If the scam is successful, large payments intended for legitimate vendors are diverted to cybercriminals instead, potentially earning them hundreds of thousands of dollars from a single successful business-to-business (B2B) payment scam. Hacked Docusign accounts are also a goldmine for corporate espionage, as cybercriminals can profit handsomely by selling information about upcoming mergers, financial records, client lists, and other sensitive data to other entities.

Many documents stored in Docusign contain sensitive and confidential information. If cybercriminals discover this type of data while snooping, they may resort to blackmailing the company by threatening to release the information publicly unless a large ransom is paid. This puts businesses in a difficult situation, forcing them to either pay up or risk reputational harm and legal trouble.

5 Ways To Detect a Docusign Phishing Email

To protect yourself from falling victim to Docusign phishing scams, keep an eye out for these key indicators:

1. Check the sender's email address: Authentic Docusign emails always originate from the docusign.net domain. Be wary of generic greetings or incorrect spelling and grammar.
2. Watch out for impersonal greetings: Phishing emails frequently use generic salutations, whereas legitimate Docusign emails address you by name.
3. Verify the security code format: Docusign security codes are long and complex, like EA66FBAC95CF4117A479D27AFB9A85F01. Short or simple codes likely indicate a phishing attempt.
4. Inspect links before clicking: Hover over links to see their destination URLs. Genuine Docusign links go directly to docusign.net. Be wary of emails that include Google Docs/Drive links or attachments.
5. Use Docusign's secure document access: Instead of clicking links in suspicious emails, go directly to docusign.net, click "Access Documents," and enter the security code provided at the bottom of Docusign emails.

If you are unsure about the authenticity of a Docusign email, contact the intended sender via a different, trusted communication channel to confirm before proceeding. When it comes to protecting your sensitive information and devices from phishing attempts, it's always a good idea to be on the safe side.