Hacker Spree of Fake Invoices Stems From Permissive DocuSign APIs

by | Nov 12, 2024

DocuSign has made fast, convenient invoicing one of the central features of its platform, but that low bar to sending documents appears to be feeding an explosion in fake invoices. Attackers are using the DocuSign APIs to send authentic-looking fraudulent invoices for payment. The term "hacking" is used loosely here: nothing is being exploited, and the same thing could be done by any paying customer with Envelopes API access.

Little that security software can do to fight fake invoices

A mass mailing of fake invoices sent from an attacker's own infrastructure would usually be caught by spam and phishing filters, preventing the attempts from ever landing in inboxes. But sending them through the DocuSign APIs lets attackers slide them right past those shields: the messages originate from DocuSign's own mail servers under the trusted "docusign.net" domain, so sender reputation and email authentication checks (SPF, DKIM, DMARC) all pass, and the link points to a genuine DocuSign envelope, leaving nothing for a URL or attachment scanner to flag.

Complaints on DocuSign's customer forums indicate the problem has been going on for at least a few months, and impacted users now report at least a few fake invoices making it into their inboxes each week. While the company obviously does not allow the DocuSign APIs to be used for fraud attempts, it also does not seem to have an answer for stopping paying customers from abusing the system in this way.

Business email compromise (BEC) should already be on the radar of every IT security team, but the use of the DocuSign APIs to get past automated defenses (or of any similar API that can be abused in the same way) should be briefed to employees as part of regular anti-phishing training. The practical check is the same as for any payment request: the identity that matters is the DocuSign account that sent the envelope, not DocuSign itself, and new or changed payment details should be confirmed with the vendor through a known contact rather than through the invoice. If the problem becomes acute enough, organizations might consider changing policy to only pay invoices submitted through the vendor's own app or website.
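One way to triage incoming DocuSign notifications along those lines, as an added example that is not DocuSign's code or anything from the original article: the script below parses a notification email with Python's standard library, confirms it really came from docusign.net (a lookalike domain is ordinary phishing and gets the usual treatment), and then vets the identity that matters, the DocuSign customer account behind the envelope, against an allow-list of known vendors. The notification template it assumes (a "Vendor via DocuSign" display name and a body line reading "Name (address) has sent you a document"), the DKIM signer domain, the vendor list and the three sample messages are all constructed for the example and would need to be adapted to the real template.

```python
"""Triage DocuSign envelope notifications against a vendor allow-list.

Added example, not DocuSign's code. The notification format, the vendor
list and the sample messages are constructed assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_ORIGIN = "docusign.net"

# Constructed allow-list: vendors we really receive DocuSign invoices from,
# keyed by the email domain their DocuSign account sends under.
KNOWN_VENDORS = {
    "acme-supplies.example": "Acme Supplies",
    "northwind.example": "Northwind Traders",
}

# Assumption about the notification template: the body names the envelope
# sender as "Name (address) has sent you a document". Adapt to the real text.
SENDER_RE = re.compile(r"\(([^()\s]+@[^()\s]+)\)\s+has sent you")
# DKIM signer domain we expect in Authentication-Results (assumption).
DKIM_RE = re.compile(r"dkim=pass\b.*?header\.d=(?:[\w-]+\.)*docusign\.net(?![\w.-])", re.S)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return {"verdict": ..., "reasons": [...], "sender": ...} for one email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    origin = domain_of(from_addr)
    reasons = []

    # 1. Did it really come from DocuSign? If not, it is a lookalike and the
    #    ordinary phishing playbook applies, not this one.
    if origin != TRUSTED_ORIGIN and not origin.endswith("." + TRUSTED_ORIGIN):
        return {"verdict": "lookalike",
                "reasons": [f"From domain {origin!r} is not DocuSign"],
                "sender": None}
    if not DKIM_RE.search(msg.get("Authentication-Results", "")):
        reasons.append("no DKIM pass for docusign.net in Authentication-Results")

    # 2. The sender that matters is the paying DocuSign customer behind the
    #    envelope, not DocuSign itself. Pull it out of the body and vet it.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    found = SENDER_RE.search(text)
    if not found:
        reasons.append("could not identify the envelope sender")
        return {"verdict": "review", "reasons": reasons, "sender": None}
    sender = found.group(1).lower()
    sender_domain = domain_of(sender)
    if sender_domain not in KNOWN_VENDORS:
        reasons.append(f"envelope sender domain {sender_domain!r} is not an approved vendor")

    # 3. Display-name impersonation: "Acme Supplies via DocuSign" while the
    #    envelope was actually sent from some other account.
    for vendor_domain, vendor_name in KNOWN_VENDORS.items():
        if vendor_name.lower() in display.lower() and sender_domain != vendor_domain:
            reasons.append(f"display name claims {vendor_name!r} but the envelope sender is {sender_domain!r}")

    return {"verdict": "review" if reasons else "allow", "reasons": reasons, "sender": sender}


# Constructed sample notifications (not real DocuSign mail).
LEGIT = b"""From: Acme Supplies via DocuSign <dse@docusign.net>
To: ap@victim.example
Subject: Invoice 4471 from Acme Supplies
Authentication-Results: mx.victim.example; dkim=pass header.d=docusign.net
Content-Type: text/plain; charset=utf-8

Acme Supplies (invoices@acme-supplies.example) has sent you a document to review and sign.
"""

ABUSE = b"""From: Acme Supplies via DocuSign <dse@docusign.net>
To: ap@victim.example
Subject: Invoice 4472 from Acme Supplies
Authentication-Results: mx.victim.example; dkim=pass header.d=docusign.net
Content-Type: text/plain; charset=utf-8

Acme Supplies (billing.acme@freemail.example) has sent you a document to review and sign.
"""

LOOKALIKE = b"""From: DocuSign <noreply@docusign-secure.example>
To: ap@victim.example
Subject: Invoice 4473 from Acme Supplies
Content-Type: text/plain; charset=utf-8

Acme Supplies (invoices@acme-supplies.example) has sent you a document to review and sign.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("abuse", ABUSE), ("lookalike", LOOKALIKE)):
        print(name, triage(sample))
```

The point of the three branches is that the abusive message is indistinguishable from the legitimate one at the transport layer (same From, same DKIM result), so the only useful signal is the envelope sender account, and a "review" verdict should route the message to a human in accounts payable rather than silently dropping it.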

DocuSign APIs open to any criminal with a subscription

It would appear that multiple attackers are abusing the DocuSign APIs and delivering a high volume of attacks, as there is essentially nothing to stop them. DocuSign has told the media that it is aware of the situation and is taking it very seriously, but at the moment the only thing needed to start firing off fake invoices is a working account with Envelopes API access. Those plans start at $50 USD per month, if a threat actor does not already have stolen credentials to abuse.

Phishing training should also note that the attackers are not indiscriminate. Examples shared through the forums so far show that the fake invoices are mocked up to look like those from legitimate business partners, keep the requested amounts reasonable and realistic, and swap line items between attempts.

It is unclear if or when the problem will be solved. The DocuSign APIs are optimized for convenience and ease of use over security, and it would be difficult for the company to retool the system at this point. The security burden is falling heavily on recipients that otherwise have legitimate business with the service, and those companies are now forced to improve and tweak their defensive capabilities for threats of this nature.
