DocuSign phishing attacks have exploded in recent weeks, according to researchers.
SlashNext Email Security researchers report that from November 8 through November 14 they observed a 98% increase in the use of DocuSign phishing URLs compared with all of September and October combined.
In a Nov. 18 blog post, SlashNext Email Security said that what makes the sudden surge most concerning is that 20% of the attacks were impersonations of government organizations.
The researchers said these attacks were targeting businesses that regularly interact with state, municipal and licensing authorities in the United States.
SlashNext said it has seen impersonations of the following agencies: the Department of Health and Human Services, the Maryland Department of Transportation, the State of North Carolina’s Electronic Vendor portal, the city of Milwaukee, the city of Charlotte, the city of Houston, and the North Carolina Licensing Board for General Contractors.
“This sophisticated campaign is particularly dangerous because it exploits the trusted relationship between businesses and their regulatory bodies,” wrote the SlashNext researchers.
Jason Soroko, senior fellow at Sectigo, said this case is an example of where we cannot blame the victim for being susceptible to social engineering: the victim was just following the process they have been trained and expected to follow.
“The flaw is that the victim has been given no way to verify the source of the request,” said Soroko. “It’s essentially a break in trust. This flaw will require a rethink on how to provide signature requests and it will likely mean some kind of strong authentication method.”
John Bambenek, president at Bambenek Consulting, said that one run of this campaign included a lure involving a firearms purchase, which demonstrates the attackers are getting very creative. Bambenek added that this underscores the reality that e-mail is insecure, and not securable for important or valuable transactions.
“We can try to make it more secure, however, it will never be safe enough if you are talking hundreds of thousands of dollars or more,” said Bambenek.
“One tip for those employees who use DocuSign regularly would be to install the app on their phones as well. Whenever a legitimate DocuSign document gets routed for signature, they will get an app notification on their phone. This can provide another cue that an inbound email is a phish if an app notification doesn’t come along with it.”
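As an added illustration of the link-based check a mail filter can apply to the lures described above (example code written for this article, not SlashNext's or DocuSign's own tooling), the following heuristic flags messages that invoke DocuSign or one of the impersonated agencies while linking to a host that is neither a DocuSign domain nor a .gov site. The DocuSign domain list and the sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts DocuSign uses for genuine signing links (assumption: confirm against
# DocuSign's published sender/link domains before relying on this list).
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")

# Agencies named in the reported campaign, lower-cased for matching.
AGENCY_TERMS = (
    "department of health and human services",
    "maryland department of transportation",
    "electronic vendor portal", "city of milwaukee", "city of charlotte",
    "city of houston", "licensing board for general contractors",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_in(host, domains):
    """True if host equals one of domains or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_message(subject, body):
    """Heuristic check: return reasons a message looks like a DocuSign lure.

    A message that invokes DocuSign and/or one of the impersonated agencies,
    yet links to a host that is neither DocuSign's nor a .gov site, is flagged.
    An empty list means nothing suspicious was found.
    """
    text = f"{subject}\n{body}"
    lowered = text.lower()
    mentions_docusign = "docusign" in lowered
    agencies = [a for a in AGENCY_TERMS if a in lowered]
    reasons = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if mentions_docusign and not host_in(host, DOCUSIGN_DOMAINS):
            reasons.append(f"DocuSign-branded text links to {host}")
        elif agencies and not (host_in(host, DOCUSIGN_DOMAINS) or host.endswith(".gov")):
            reasons.append(f"agency lure ({agencies[0]}) links to {host}")
    return reasons


# Constructed sample messages (not real campaign artifacts).
PHISH = triage_message(
    "Action Required: City of Houston vendor agreement via DocuSign",
    "Please review and sign: https://docusign-esign-review.example.net/doc/4471",
)
LEGIT = triage_message(
    "Completed: Contract amendment",
    "View the envelope: https://na3.docusign.net/Signing/EmailStart.aspx?a=abc",
)
```

The check is deliberately coarse: it is a triage signal to pair with the app-notification cue above, not a replacement for verifying the request out of band.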