Phishers are abusing a legitimate customer support tool, the widely used SaaS platform LiveChat, to run phishing attacks that harvest sensitive user data. Rather than sending victims to a look-alike website, the attackers pull them into a live chat session that imitates a genuine customer service interaction, which makes the lure more personal and harder to spot for consumers and businesses alike.
The campaign, identified by researchers at Cofense, relies on social engineering to draw in unsuspecting recipients. Phishing emails posing as communications from major brands such as PayPal and Amazon prompt users to click links that are hosted under LiveChat's own domain, lc[.]chat. Because the link points at a legitimate, widely used service, it survives a casual check of the domain and lends the fraudulent exchange an air of authenticity.
New Phishing Tactic Exploits LiveChat for Data Harvest
The tactic hinges on staging a plausible customer support scenario inside a LiveChat window. Attackers craft emails with enticing lures, such as a promised refund or an order confirmation that needs immediate attention. These messages, written to trigger curiosity or a sense of urgency, direct the recipient to click a link, typically labelled "View Transaction Details" or "View Update."
Upon clicking, the user is not taken to a deceptive website but rather immersed in a LiveChat session. In one observed variant, the interaction began with a chatbot impersonating a PayPal support agent, immediately engaging the user. Another variation, mimicking Amazon, first requested the user’s email address before an “agent” appeared, further personalizing the encounter.
Both scenarios, despite slightly different openings, shared the same objective: to systematically extract personal and financial information from the victim under the guise of a legitimate customer service process. Researchers noted that the language used by the "agents" was in some cases unsophisticated, with misspellings such as "Ello" and awkward phrasing, suggesting a human operator working from a pre-defined script rather than an automated system.
Multi-Stage Data Harvesting in Action
The data harvesting process in these LiveChat-based phishing attacks is structured in deliberate, multi-stage steps. In the Amazon-themed attack, the attacker, posing as a support agent, requested a series of personal details. These included the user’s email address, phone number, date of birth, and home address, all framed as necessary steps for identity verification. This collection of data aims to build a comprehensive profile of the victim.
Following the initial data gathering, the attacker then proceeded to request more sensitive financial information, claiming that a refund was ready but that the user’s card details were missing. The operator would then ask for the full credit card number, expiration date, and CVC code, often assuring the victim of utmost confidentiality to alleviate suspicion. This tactic exploits the trust built during the simulated customer service interaction.
The PayPal-themed variant employed a slightly different, yet equally effective, methodology. After an initial exchange in the LiveChat window, victims were sent to an external fake PayPal login page and asked for their credentials. Crucially, the fake page also prompted for the multi-factor authentication (MFA) code sent to the user's phone, so the one-time code was captured along with the password; a code-based second factor offers no protection once the victim types it into the attacker's page. After the "login," a billing form appeared requesting not only standard card details but also the user's date of birth, further consolidating the stolen information.
A final MFA prompt followed; once the victim submitted it, they were redirected back to the LiveChat window, where a confirmation message said the refund was being processed. The victim was left with the impression that the interaction had been legitimate and successful.
This tactic illustrates how attackers are co-opting legitimate communication tools to build scams that are more convincing and harder to detect. Organizations and individuals should treat unsolicited emails with caution, especially ones that route a refund or account matter through a chat interface instead of the brand's own site. Because the lure is hosted on a legitimate service, blocking lc[.]chat outright is rarely practical for organizations that use LiveChat themselves; security teams should instead monitor outbound traffic to lc[.]chat and its subdomains, correlate it with inbound mail that impersonates consumer brands, and block the specific chat URLs used in the campaign. Users should be reminded that one-time codes must never be entered on a page reached from an unsolicited message; phishing-resistant MFA such as FIDO2 security keys or passkeys is bound to the genuine site's origin and cannot be harvested by a fake login page in this way.
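As an added example, not code from the original article and not Cofense's or LiveChat's own tooling, the following Python script applies the monitoring advice above to a few constructed sample messages: it flags mail whose sender or subject invokes PayPal or Amazon while its links resolve to lc.chat or one of its subdomains, and separately notes when the sending domain is not the brand's own. The brand domain list, the LiveChat host names other than lc.chat, and every sample address and chat path in it are assumptions, not indicators from the campaign.

```python
"""Flag e-mails whose links land on LiveChat's lc.chat while the message
claims to come from a consumer brand such as PayPal or Amazon.

Added example for this article; not Cofense's or LiveChat's code.
The sample messages below are constructed, and the lc.chat paths in them
are placeholders rather than chat IDs from the real campaign.
"""
import re
from urllib.parse import urlparse

# Brands the article names as impersonated; extend for your environment.
BRAND_KEYWORDS = ("paypal", "amazon")

# Hosts where a real brand would never serve a refund or transaction page.
# lc.chat comes from the article; the other two are assumptions.
CHAT_HOSTS = ("lc.chat", "livechat.com", "livechatinc.com")

# Domains the brands actually send from (assumption: maintain as an allow-list).
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "amazon": ("amazon.com",),
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

SAMPLE_EMAILS = [
    {   # Constructed: PayPal-themed refund lure whose link enters LiveChat
        "from": "PayPal <service@paypal-refunds.example>",
        "subject": "Refund pending - View Transaction Details",
        "body": "Your refund is ready. View Transaction Details: https://lc.chat/EXAMPLE-ID-1/",
    },
    {   # Constructed: Amazon-themed order lure on an lc.chat subdomain
        "from": "Amazon Orders <no-reply@amazon-order-center.example>",
        "subject": "Order confirmation requires attention",
        "body": "View Update here: https://direct.lc.chat/EXAMPLE-ID-2/",
    },
    {   # Constructed: genuine-looking PayPal notice linking to paypal.com
        "from": "PayPal <service@paypal.com>",
        "subject": "You've received a payment",
        "body": "Log in at https://www.paypal.com/myaccount to view details.",
    },
    {   # Constructed: an unrelated company using LiveChat legitimately
        "from": "Acme Support <help@acme.example>",
        "subject": "Your ticket #123",
        "body": "Chat with us: https://lc.chat/EXAMPLE-ID-3/",
    },
]


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def host_matches(host, domains):
    """True if host equals one of `domains` or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def impersonated_brand(sender, subject):
    """Return the first brand keyword seen in the From header or subject."""
    haystack = f"{sender} {subject}".lower()
    return next((b for b in BRAND_KEYWORDS if b in haystack), None)


def sender_domain(sender):
    """Pull the domain out of a From header like 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", sender)
    return m.group(1).lower() if m else ""


def classify(message):
    """Score one message; returns the evidence and a verdict."""
    brand = impersonated_brand(message["from"], message["subject"])
    urls = extract_urls(message["body"])
    chat_links = [u for u in urls
                  if host_matches(urlparse(u).hostname or "", CHAT_HOSTS)]
    spoofed_sender = bool(brand) and not host_matches(
        sender_domain(message["from"]), BRAND_DOMAINS[brand])

    if brand and chat_links:
        verdict = "phish"    # brand lure plus a link into a chat platform
    elif chat_links or spoofed_sender:
        verdict = "review"   # a single weak signal; hand to an analyst
    else:
        verdict = "clean"
    return {"brand": brand, "chat_links": chat_links,
            "spoofed_sender": spoofed_sender, "verdict": verdict}


def run_samples():
    """Classify the constructed samples and return their verdicts in order."""
    return [classify(m)["verdict"] for m in SAMPLE_EMAILS]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_EMAILS, run_samples()):
        print(f"{verdict:7s} {msg['subject']}")
```

The rule deliberately scores the mismatch between the claimed brand and the link destination rather than lc.chat itself, so an organization that uses LiveChat for its own support keeps working links while a PayPal- or Amazon-branded message that routes into a chat session is flagged. The same host check can be pointed at proxy logs to spot outbound hits on lc[.]chat that follow a flagged message.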