An alert has been issued for the healthcare and public health (HPH) sector about an ongoing phishing campaign that abuses the DocuSign e-signature service to impersonate well-known companies. The aim of the campaign is to trick company staff into having their billing department authorize payment of bogus invoices.
Researchers at Wallarm discovered the campaign at the beginning of December. The threat actor does not appear to be targeting any particular industry, but the Health Sector Cybersecurity Coordination Center (HC3) has issued a sector alert because the activity is likely to affect the HPH sector, which has previously been targeted by the same kind of bogus-invoice phishing campaign.
According to the researchers, the attacker uses the DocuSign Envelopes API to create and mass-deliver bogus invoices that appear to come from businesses such as Norton and PayPal. The invoices look genuine and list accurate prices for the items. For example, one invoice was created for the Norton LifeLock 360 all-in-one security suite: the $298 invoice included $249.00 for one year of the product for two users plus an additional $49.00 activation fee. The researchers intercepted other emails containing direct wire instructions or purchase orders. The attacker attempts to mislead the recipient into e-signing the invoice and forwarding it to the billing department for payment.
Because the documents are delivered through the genuine DocuSign platform, the emails appear legitimate and are unlikely to be blocked or flagged by email security software: they originate from a reputable service and contain no malicious hyperlinks or file attachments. Since the emails will most likely reach end users, it is necessary to raise scam awareness through security awareness or HIPAA training. Staff must be told to scrutinize every email they receive and to be skeptical of any unusual invoice request.
The sender's email address and any associated accounts must be checked for legitimacy, and staff should watch for irregularities in emails, such as a last name written without a capital letter. If the DocuSign envelope's sender is not recognized, or the email message is otherwise suspicious, users should look for the unique security code at the bottom of the DocuSign envelope email notification. If it is not there, do not click any hyperlink, do not open any attached file, and delete the email.
Healthcare organizations should also enforce strict policies and procedures for authorizing purchases and financial orders and, wherever possible, those checks should involve several team members. When a suspicious email purporting to come from DocuSign is received, it should be forwarded to spam@docusign.com and then deleted.
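The checks in the two paragraphs above (is the envelope sender recognized, is the security code present, does the message carry unusual invoice or payment language) can be turned into a triage rule for inbound e-signature notifications. The following is an added Python example, not code from the alert, Wallarm or DocuSign; the "<vendor> via DocuSign" display-name layout, the "Security code:" line format, the counterparty allowlist and the three sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample notifications for this example (not real campaign emails).
KNOWN_VENDOR = """From: "Acme Corp via DocuSign" <dse@docusign.net>
Subject: Please DocuSign: Q4 services agreement

Please review and sign. Alternatively, enter the security code below.
Security code: 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D
"""
UNKNOWN_INVOICE = """From: "Norton Billing via DocuSign" <dse@docusign.net>
Subject: Invoice for Norton LifeLock 360 - please e-sign

Please e-sign this invoice and forward it to your billing department for payment.
Security code: 9F8E7D6C5B4A39281706F5E4D3C2B1A0
"""
NO_CODE = """From: "PayPal Invoices" <noreply@paypal-envelopes.example>
Subject: Purchase order approval required

Wire instructions attached. Open the link to review and sign.
"""

# Assumptions: the "<vendor> via DocuSign" display-name layout, the "Security code:"
# line format and the counterparty allowlist are constructed; confirm the real
# formats against DocuSign's own documentation before relying on this.
KNOWN_COUNTERPARTIES = {"acme corp"}
SENDER_RE = re.compile(r"^(.*?)\s+via docusign$", re.I)
SECURITY_CODE_RE = re.compile(r"security code:\s*[A-Z0-9]{16,}", re.I)
INVOICE_CUES = ("invoice", "wire", "purchase order", "billing department", "payment")

def triage(raw: str) -> dict:
    # Apply the alert's checks to one notification and decide how to handle it.
    msg = message_from_string(raw)
    name, _ = parseaddr(msg.get("From", ""))
    m = SENDER_RE.match(name.strip())
    envelope_sender = m.group(1).lower() if m else name.lower()
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    f = {
        "envelope_sender": envelope_sender,
        "known_sender": envelope_sender in KNOWN_COUNTERPARTIES,
        "has_security_code": bool(SECURITY_CODE_RE.search(body)),
        "invoice_cues": [c for c in INVOICE_CUES if c in text],
    }
    if f["known_sender"] and not f["invoice_cues"]:
        f["action"] = "deliver"
    elif not f["has_security_code"]:
        f["action"] = "delete"           # unrecognised sender and no security code
    else:
        f["action"] = "hold_for_review"  # verify with the counterparty before signing
    return f
```

Messages held for review are the ones to verify out of band with the supposed counterparty and, if confirmed fraudulent, forward to spam@docusign.com.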