Hackers are stealing people's DocuSign accounts to make their business email compromise (BEC) attacks appear more authentic and therefore more successful.
A report from cybersecurity researchers at Abnormal says they saw an increase in attacks seeking to steal people's DocuSign login credentials.
According to the report, it all starts on a dark web forum, where a hacker creates and then sells credible-looking DocuSign notification email templates. These templates are picked up by other threat actors, who use them to trick people into trying to view or sign an important document. This is when attackers obtain victims' DocuSign login credentials, which are then sold again on the dark web or used in the second stage of the attack.
Business Email Compromise
The second stage includes examining the documents found in the victim's DocuSign account. People often store sensitive and confidential information there, so hackers start looking for contracts, agreements with suppliers or information about upcoming payments. That way they can identify high-value targets and formulate the right type of approach to achieve maximum efficiency. They also often look for compromising information that can be used for blackmail.
If the right type of information is found, attackers will proceed to impersonate the company, sending fake emails to business partners, customers, and the like, requesting some form of payment or transfer of funds. To make the attack even more credible, hackers often add fake contracts through the compromised DocuSign account and schedule the emails in such a way that they do not raise too many alarms.
As with any other phishing attack, the best way to defend yourself is to be skeptical of incoming email, especially if it contains links, attachments, and a sense of urgency. Phishing emails often come from unrelated domains, so checking the email address where the message is coming from is always a good starting point.
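The sender-domain check described above can be automated at the mail gateway or in a triage script. The following Python sketch is an added example, not code from the Abnormal report; the trusted-domain list, the finding labels and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domains your organisation accepts as genuine DocuSign mail.
TRUSTED_DOMAINS = {"docusign.net", "docusign.com"}
BRAND = "docusign"


def domain_is_trusted(domain):
    """True for a trusted domain or a subdomain of one, not for look-alikes."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    findings = []
    # The brand appears in the display name, subject or domain, but the
    # sending domain is not one we trust for that brand.
    if BRAND in f"{display} {subject} {domain}".lower() and not domain_is_trusted(domain):
        findings.append(f"brand-from-unrelated-domain:{domain}")
    # Replies silently routed to a different domain than the visible sender.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        findings.append(f"reply-to-differs:{reply_domain}")
    return findings


# Constructed sample messages (not taken from the report).
PHISH = "\n".join([
    "From: DocuSign <billing@docs-review.example>",
    "Reply-To: pay@collect.example",
    "Subject: Please review and sign: Invoice",
    "", "Click to view the document."])
LEGIT = "\n".join([
    "From: DocuSign System <dse@docusign.net>",
    "Subject: Complete with DocuSign: Supplier agreement",
    "", "Review document."])

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_message(raw))
```

The From header can be forged, so treat these findings as a supplement to SPF, DKIM and DMARC results rather than a replacement. A message sent through a genuinely compromised DocuSign account passes this check, which is why payment requests still need out-of-band confirmation.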