Hackers target DocuSign with new phishing threat — watch out, you could be signing your data away

 Electronic Signature.
Electronic Signature.

Hackers are stealing people’s DocuSign accounts to make their Business Email Compromise (BEC) attacks seem more authentic, and thus, more successful.

A report from cybersecurity researchers at Abnormal, say they observed an uptick in attacks looking to steal people’s DocuSign login credentials.

As per the report, it all starts on a dark web forum, where a hacker creates, and then sells, credible-looking DocuSign notification email templates. These templates are picked up by other threat actors, which use them to try and trick people into attempting to view, or sign, an important document. That is when the attackers obtain the victims’ DocuSign login credentials which are then either sold back on the dark web, or used in the second stage of the attack.

Business email compromise

The second stage includes sifting through the documents found in the victim’s DocuSign account. People often store sensitive and confidential information there, so the hackers start looking for contracts, vendor agreements, or upcoming payment information. That way they can identify high-value targets and formulate the right type of approach for maximum efficiency. They often also look for compromising information which could be used in blackmail.

If the right type of information is found, the attackers will proceed to impersonate the company, send fake emails to business partners, clients, and similar, asking for some form of payment or fund transfer. To make the attack even more credible, the hackers will often add fake contracts through the compromised DocuSign account, and time the emails in such a way that it doesn’t raise too many alarms.

As with any other phishing attack, the best way to defend is to be skeptical of incoming email, especially if they carry links, attachments, and a sense of urgency. Phishing emails often come from unrelated domains, so cross-checking the email address from which the message came is always a good place to start.

More from TechRadar Pro