A new phishing strategy has emerged, leveraging legitimate customer support platforms to pilfer sensitive user data. Cybercriminals have targeted LiveChat, a popular Software-as-a-Service (SaaS) tool for real-time customer interactions, to execute sophisticated phishing schemes.
LiveChat: The New Frontier for Phishing Attacks
This campaign marks a departure from traditional phishing techniques, embracing more personalized tactics that are difficult to identify. Unlike standard phishing emails that direct users to fake login sites, this method engages victims in a live chat environment, resembling authentic support sessions from well-known brands such as PayPal and Amazon.
Through cleverly crafted emails, victims are enticed with promises of refunds or order confirmations, leading them to links hosted on LiveChat’s domain, lc[.]chat.
Social Engineering Tactics in Phishing Emails
Research by Cofense unveiled this operation through an analysis of two distinct phishing emails, each adopting a unique lure and brand. One email impersonated PayPal, suggesting a $200 refund and prompting a click on a ‘View Transaction Details’ button. The other email, lacking an immediate brand reference, claimed a pending order requiring confirmation via a ‘View Update’ link.
Both emails exploited social engineering—one leveraging financial curiosity, the other urgency and vagueness to spur action. Upon clicking, users were redirected to LiveChat-hosted pages mimicking different brands, where they faced automated or scripted chat agents requesting personal data.
Layered Data Harvesting Techniques
The data extraction process was methodical and layered. In the Amazon variant, the chat agent sought the user’s email, phone number, birth date, and address under the guise of identity verification. The interaction’s unpolished language hinted at a human operator following a scripted routine.
As the conversation progressed, the agent deceived users into providing credit card information, reassuring them of confidentiality—a typical ploy to gain trust. The PayPal version diverted victims to a counterfeit login page, capturing credentials and multi-factor authentication (MFA) codes to bypass security protocols.
Both phishing pages aimed to establish comprehensive identity and financial profiles, highlighting the need for vigilance.
Users and organizations should be skeptical of unsolicited emails concerning refunds or order verifications, especially those that direct recipients to chat links. Requests for MFA codes or financial details via chat interfaces are significant warning signs. Security teams must monitor traffic to lc[.]chat domains and block malicious URLs linked to these attacks.
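One way to implement the monitoring step above, as an added example that is not code from Cofense or from the original article: it triages email bodies for links on the LiveChat domain and pairs them with the lure wording of the two emails described. The sample messages, URL paths and verdict names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Domain named in the article, stored defanged and refanged at load time.
WATCHED = "lc[.]chat".replace("[.]", ".")
# Lure wording from the two emails the article describes.
LURES = ("refund", "order", "view transaction details", "view update")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""

def host_matches(host, domain=WATCHED):
    """True for the domain or any subdomain, false for look-alike hosts."""
    return host == domain or host.endswith("." + domain)

def triage_email(body):
    """Return (verdict, matched_urls, matched_lures) for one email body."""
    # Refang so indicators pasted from reports are matched too.
    text = body.replace("[.]", ".").replace("hxxp", "http")
    urls = [u for u in URL_RE.findall(text) if host_matches(host_of(u))]
    lures = [w for w in LURES if w in text.lower()]
    # Verdict names are assumptions: the domain is assumed to also carry
    # legitimate chats, so a link alone is only queued for review.
    verdict = "escalate" if urls and lures else "review" if urls else "pass"
    return verdict, urls, lures

# Constructed sample messages; paths are placeholders, not real indicators.
SAMPLES = [
    "You have a $200 refund. View Transaction Details: hxxps://lc[.]chat/EXAMPLE-1",
    "Your invoice is ready: https://lc.chat.example.net/EXAMPLE-2",
    "Chat with our team: https://lc.chat/EXAMPLE-3",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage_email(msg))
```

The second sample shows why the host comparison is done on the parsed hostname: a look-alike host that merely begins with the watched domain is not flagged.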
