Criminals open DocuSign's Envelope API to make BEC spread
Briefly

"An attacker creates a legitimate, paid DocuSign account that allows them to change templates and use the API directly. The attacker employs a specially crafted template mimicking requests to e-sign documents from well-known brands," warned bug finders at security shop Wallarm.
"Because the invoices are sent directly through DocuSign's platform, they look legitimate to the email services and spam/phishing filters. There are no malicious links or attachments; the danger lies in the authenticity of the request itself."
"According to the FBI, BEC scammers have made $2.9 billion from US businesses in 2023 - and that's just from the reported cases. There are undoubtedly a few embarrassed businesses that just decided to swallow the loss."
"As ever, the key protections are checking the sender's address and the payment details. It's a pain, but vigilance is the most effective way to defeat cyber scum."
Read at The Register