New DocuSign Phishing Campaign
The Malicious Actors Are Targeting Non-executive Employees in This Scenario.
Phishing attacks that have as victims non-executive employees with access to sensitive corporate information are becoming more common.
According to the researchers at Avanan, half of all phishing emails analyzed in the previous several months have impersonated non-executives, while 77% targeted staff on the same level.
A New Approach
Previously, the targeted phishing attempts were trying to fool business people as the phishing actors would imitate CEOs and CFOs. This type of malicious activity is also known as CEO fraud.
In this type of activity after collecting the necessary data, attackers will behave as the company’s CEO or any high-level executive and send an email to employees in finance, requesting money transfers to the account they control.
It seems logical to use this approach since giving orders and making urgent requests as a high-ranking employee improves the likelihood of the receiver complying with these communications.
It’s quite interesting to note that now phishing actors have shifted their attention towards lower-ranking workers who may nonetheless serve as good entry points into business networks as CEOs became more attentive and security teams in major organizations placed additional measures around those “important” accounts.
Security admins might be spending a lot of time providing extra attention to the C-Suite and hackers have adjusted. At the same time, non-executives still hold sensitive information and have access to financial data. Hackers realized, there is no need to go all the way up the food chain.
Let’s say that an employee who is having access to internal financial systems receives an urgent request to update the direct deposit file information for the impersonated sender, in this way creating a fake sense of urgency.
The employee might feel intimidated and try to resolve the situation quickly, in this way endangering the data, as he is not paying attention to any details that might make him think the request is a scam.
The malicious actors offer DocuSign as an alternate signing option in their emails, urging recipients to enter their credentials to view and sign the document.
Despite the fact that these emails appear to be from DocuSign, they are not.
You should remember that users are never prompted for passwords in genuine DocuSign communications; instead, the receiver will get an authentication number through email.
In the midst of their regular tasks, some employees are likely to be fooled by this message and misinterpret it as a legitimate DocuSign request, providing their email credentials and turning them over to the phishing actors.
When an email arrives in your inbox, it is critical to examine it for any indications of deception. Unsolicited files, spelling mistakes, and requests for your credentials should all be regarded with caution.
DocuSign-themed phishing attempts are not really new, and many threat actors have exploited them to steal login credentials and spread malware.