Large businesses can receive thousands of invoices each month, yet clerks generally only process in the low tens per day. Criminals have long abused this by sending fake invoices in the hopes of sliding them through the more automated or lax processes set up to deal with this workload. This has started yet another security arms race of sorts, with the latest development being the abuse of DocuSign APIs by hackers to send bogus invoices from what appears to be a trusted source.
Attackers are targeting the service’s Envelopes API to generate large volumes of fake invoices. Because the notification emails are genuinely sent by DocuSign’s own infrastructure from “docusign.net”, they pass the sender-authentication checks that catch spoofed mail, skirt automated filtering and land in inboxes looking as though they come from legitimate companies. The attack also adds a further layer: if a recipient signs the document, the attackers hold a real company e-signature that they can reuse to lend credibility to fraudulent billing outside the DocuSign platform.
Customers frustrated as DocuSign APIs abused by “high volume” of attacks
The trend of abusing DocuSign APIs does not appear to be limited to one attacker and has caused much consternation in the company’s community forums and other discussion outlets, as clients experience high volumes of fake invoices making it through to their inboxes.
DocuSign has responded to media stories about the incident by saying that it takes the issue very seriously and has multiple technical layers of monitoring in place, but it has yet to tell customers exactly what new steps might be taken to curb this specific threat.
Some forum posters report receiving several phishing emails from the “docusign.net” domain per week in individual accounts, and say that the company’s website and FAQ do not provide a clear path for reporting these incidents. The duration and frequency of the activity point to high-volume automated campaigns, and DocuSign has not yet explained why this has not been detected and remediated.
Hackers are aided in abusing the DocuSign APIs by having access to the platform’s design templates, which are very commonly used by businesses. The fake invoices show some psychological sophistication in tailoring these templates to look like actual bills commonly sent by companies, and in keeping the nature of the requests and the prices reasonable enough to not draw suspicion on their own. They also mix up the items on different invoices and include fake benefit and payment policy sections.
The biggest issue with the DocuSign APIs attack is that the attackers don’t need to do any real hacking to take advantage of it. They can simply purchase a legitimate account with API access, at as little as $50 USD per month for a “Starter” plan, load their own templates and start sending. It is also likely that some use stolen account credentials, avoiding even that modest cost.
As Richard Bird, Chief Security Officer, Traceable AI, observes: “The recent news about bad actors using legitimate DocuSign accounts to commit fraud is another classic example of how ineffective security is without context. While DocuSign and many other applications use basic measures, they typically fail to understand the difference between everyday use cases they were designed for and abuse cases where their tools are being used to cause harm. Providing pathways for using their solutions through easily accessible APIs will always yield an unintended consequence: bad guys love easy, too.”
Fake invoices part of BEC boom
The use of fake invoices and the DocuSign APIs is all part of a general boom in “business email compromise” (BEC) that has taken place in recent years; the category generally only trails ransomware among the most consistently lucrative areas of cyber crime.
Anything that helps slip past automated security detection is a major boost for BEC criminals, and little is more powerful than having messages generated directly by a trusted server. The vexing aspect of the situation is that the attackers are apparently operating within the allowed scope of use of the DocuSign APIs. While they are breaking the law by sending fake invoices, there does not appear to be an efficient system in place to detect and proactively stop this kind of abuse. Judging by activity on DocuSign’s own community forums, the problem is at least half a year old at this point.
API abuse is increasingly popular among criminals, in no small part because it is often more of a terms-of-service violation than a crime and is difficult or impossible to prosecute. It rarely yields sensitive information, but it can be used to scrape massive amounts of basic contact information that is valuable for phishing. Incidents involving the private profile information of millions of accounts have taken place at Dell, Trello, Authy and Twitter among others in recent years. The misuse of the DocuSign APIs will certainly have criminals scouting for similar opportunities to slip legitimate-looking mail past email security filters.
The incident indicates that organizations should update anti-phishing training to note that such services can be abused to land legitimate-looking fake invoices in inboxes. Those who authorize payment will need to pay extra attention to billing details even when an invoice looks “normal” in every respect: whether the sending company is an existing vendor, whether the reply-to or remittance contact matches the vendor record on file, and whether the amount is in line with past billing. On the provider side, per-account rate limiting of API endpoints and monitoring of envelope volume could help to choke off these campaigns before they scale.
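The following is an added example, not code from the original article or from DocuSign, showing what an accounts-payable triage check for platform-delivered invoice notifications might look like. Because mail genuinely sent by DocuSign passes domain authentication, the check cannot rely on the sending domain; instead it compares the company named in the notification against the vendor master list, checks that the reply-to contact matches the vendor record, and compares the amount against a per-vendor cap. The vendor list, the `dse@docusign.net` sender address, the "Vendor via DocuSign" display-name convention, and all three sample notifications are constructed for the example and are assumptions, not a description of DocuSign's actual message format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Vendor master list the accounts-payable team already trusts (constructed).
# vendor name -> (expected contact domain, typical single-invoice cap in USD)
KNOWN_VENDORS: Dict[str, Tuple[str, float]] = {
    "Northwind Traders": ("northwind.example", 5000.00),
    "Contoso Hosting": ("contoso.example", 1200.00),
}

# Domains of the e-signature platform itself; mail from here passes
# sender authentication, so it cannot be used as a trust signal on its own.
SIGNING_PLATFORM_DOMAINS = {"docusign.net", "docusign.com"}

ADDR_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$')
AMOUNT_RE = re.compile(r"(?:USD|\$)\s?([0-9][0-9,]*(?:\.[0-9]{2})?)")


@dataclass
class Notification:
    from_header: str   # e.g. '"Northwind Traders via DocuSign" <dse@docusign.net>' (assumed format)
    reply_to: str
    subject: str
    body: str


@dataclass
class Verdict:
    vendor: str
    amount: Optional[float]
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def split_address(header: str) -> Tuple[str, str]:
    """Return (display name, lowercase address) from a From/Reply-To header."""
    m = ADDR_RE.match(header)
    if not m:
        return "", header.strip().lower()
    return m.group("name").strip(), m.group("addr").strip().lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def vendor_from_display_name(name: str) -> str:
    """'Northwind Traders via DocuSign' -> 'Northwind Traders' (assumed convention)."""
    return re.sub(r"\s+via\s+\w+$", "", name, flags=re.IGNORECASE).strip()


def extract_amount(text: str) -> Optional[float]:
    m = AMOUNT_RE.search(text)
    return float(m.group(1).replace(",", "")) if m else None


def triage(n: Notification) -> Verdict:
    """Flag an invoice notification using vendor context, not the sending domain."""
    name, from_addr = split_address(n.from_header)
    vendor = vendor_from_display_name(name)
    amount = extract_amount(n.subject + "\n" + n.body)
    verdict = Verdict(vendor=vendor, amount=amount)
    delivered_by_platform = domain_of(from_addr) in SIGNING_PLATFORM_DOMAINS
    record = KNOWN_VENDORS.get(vendor)

    if delivered_by_platform and record is None:
        # Authentic platform mail, but the company behind it is not a vendor we pay.
        verdict.flags.append("unknown vendor behind a trusted platform sender")
    if record is not None:
        expected_domain, cap = record
        _, reply_addr = split_address(n.reply_to)
        reply_domain = domain_of(reply_addr)
        if reply_domain not in SIGNING_PLATFORM_DOMAINS and reply_domain != expected_domain:
            verdict.flags.append(f"reply-to domain {reply_domain} does not match vendor record {expected_domain}")
        if amount is not None and amount > cap:
            verdict.flags.append(f"amount {amount:.2f} exceeds vendor cap {cap:.2f}")
    return verdict


# Constructed sample notifications: one genuine vendor invoice, one bogus
# renewal from an unknown "company", one look-alike of a known vendor.
SAMPLE_NOTIFICATIONS = [
    Notification('"Northwind Traders via DocuSign" <dse@docusign.net>', "billing@northwind.example",
                 "Invoice INV-1042 for USD 3,250.00", "Please review and sign the attached invoice."),
    Notification('"AV Renewal Dept via DocuSign" <dse@docusign.net>', "support@secure-renewals.example",
                 "Your annual subscription renewal - $349.99", "Sign to confirm renewal of your antivirus plan."),
    Notification('"Contoso Hosting via DocuSign" <dse@docusign.net>', "accounts@contoso-billing.example",
                 "Hosting invoice due", "Amount due USD 4,800.00 - please sign to approve payment."),
]


def triage_all(notifications: List[Notification] = SAMPLE_NOTIFICATIONS) -> List[Verdict]:
    return [triage(n) for n in notifications]


if __name__ == "__main__":
    for v in triage_all():
        status = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{status:10} vendor={v.vendor!r} amount={v.amount} flags={v.flags}")
```

The point of the example is where the signal comes from: every sample passes as authentic DocuSign mail, so only the vendor record, the contact domain and the amount history separate the real invoice from the two fakes. In practice the vendor list and caps would be pulled from the ERP or accounts-payable system rather than hard-coded.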
Erich Kron, security awareness advocate at KnowBe4, notes some of the additional warning signs: “Because this is coming through an API exploit, there probably won’t be many signs that would be easy to spot as in a spoofed email. The easiest way to spot this is if it is asking you to renew a service that you don’t currently have, such as a specific brand of antivirus, which should stand out as a fake. Even if you do happen to have that brand of antivirus, it is always best to renew through the vendor website, or through the app itself. It is critical for people to be cautious when receiving unexpected invoices or other communications through email, text messages, or even phone calls as bad actors may sometimes combine tactics to further confuse potential victims or try to improve the believability of the scams.”
Stephen Kowski, Field CTO at SlashNext, adds: “Prioritize strategies with advanced behavioral analysis and real-time detection capabilities that can identify suspicious patterns in seemingly legitimate business workflows, especially when trusted platforms are weaponized for fraud at scale. The ability to automate these attacks through APIs means organizations need sophisticated detection systems that can analyze both the technical and contextual aspects of communications, even when they come from legitimate services and domains.”