Phishers Abuse LiveChat Support Tools to Steal Sensitive Data in New SaaS-Based Attack Tactic

Parkinsond

Dec 6, 2023
Unlike typical phishing emails that drop users onto fake login pages, this approach places victims inside a live chat window, where they believe they are speaking with a real support agent from brands like PayPal or Amazon.

Data collection in this campaign unfolded in deliberate, layered steps. In the Amazon version of the threat, the chat agent asked for the user’s email address, phone number, date of birth, and home address — all framed as routine identity verification.

The language was noticeably rough, with misspellings like “Ello” and awkward punctuation throughout, suggesting a human operator working from a scripted playbook rather than an automated system.

As the chat continued, the agent claimed a $200.00 refund was ready but that the user’s card details were not on file.

The PayPal variant took a different path. After the chat bot shared an external link, victims were taken to a fake PayPal login page where they entered their credentials.

The attacker captured the MFA code sent to the user’s phone, using it to bypass two-factor authentication.

Executive Summary

Confirmed Facts

Threat actors are actively abusing the legitimate LiveChat SaaS platform to host credential harvesting operations via convincing customer support interfaces.

Assessment
Because the malicious chat windows are hosted on legitimate infrastructure, this technique likely bypasses standard reputation-based email and web filters, making user awareness the primary line of defense.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1566.002

Phishing: Spearphishing Link (Delivery Vector).

T1584.006
Compromise Infrastructure: Web Services (Hosting).

T1111
Two-Factor Authentication Interception (Payload action).

CVE Profile
NVD Score: N/A | CISA KEV Status: Inactive. (This attack relies on the abuse of legitimate services rather than a software vulnerability).

Telemetry

String Literals (Anchors)

lc[.]chat
View Transaction Details
View Update

Constraint
The structure resembles a multi-stage credential harvester. Since no binary analysis or packet capture is provided, whether a secondary malware payload is dropped to disk remains unknown and is assessed as low probability based strictly on the provided text.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Update Acceptable Use Policy to explicitly warn against providing PII, CC numbers, or MFA codes via live chat widgets.

DETECT (DE) – Monitoring & Analysis

Command
Monitor for outbound traffic to lc[.]chat domains originating from suspicious or unexpected network segments.
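As an added illustration of this detection step (example code, not part of the original post or of any vendor tooling): a small filter that walks proxy log lines, matches the lc.chat anchor as an exact host or subdomain (so "notlc.chat" is not a false positive), and flags hits from segments where LiveChat traffic is not expected. The log format, the sample lines and the expected-segment allowlist are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real telemetry): timestamp, client IP, method, URL.
SAMPLE_LOGS = """\
2024-01-10T09:14:02Z 10.20.5.17 GET https://example-support.lc.chat/12345/open
2024-01-10T09:14:09Z 10.20.5.17 POST https://lc.chat/api/v2/event
2024-01-10T09:15:41Z 10.60.3.8 GET https://notlc.chat/landing
2024-01-10T09:16:00Z 10.60.3.9 GET https://widgets.lc.chat/embed
2024-01-10T09:17:30Z 10.60.3.9 GET https://www.example.com/help
"""

# Assumption: only the customer-service VLAN is expected to talk to LiveChat.
EXPECTED_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]
WATCHED_DOMAIN = "lc.chat"  # the string anchor called out in the report


def matches_domain(host, domain):
    """True for the domain itself or any subdomain, never for look-alikes."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def in_expected_segment(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_SEGMENTS)


def find_suspicious(log_text):
    """Return one alert dict per lc.chat request from an unexpected segment."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split(maxsplit=3)
        host = urlsplit(url).hostname or ""
        if matches_domain(host, WATCHED_DOMAIN) and not in_expected_segment(client):
            alerts.append({"time": ts, "client": client, "host": host, "url": url})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOGS):
        print(f"{alert['time']} {alert['client']} -> {alert['host']}")
```

Hits from the expected segment are still worth reviewing against the campaign's URL paths, but the filter keeps the noise from legitimate customer-service use out of the alert queue.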

RESPOND (RS) – Mitigation & Containment

Command
Block access to known malicious subdomains or specific URL paths associated with the campaign on the corporate web gateway.

Command
Isolate affected user accounts and force active session revocation if credential compromise is suspected.

RECOVER (RC) – Restoration & Trust

Command
Validate clean state of affected user accounts by auditing recent sign-in logs for anomalous IP geographies.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Integrate this specific SaaS-abuse vector into the next quarterly security awareness training cycle.

Command
Enforce FIDO2/WebAuthn hardware tokens where possible to neutralize MFA-interception techniques.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Do not log into banking/email until verified clean.

Note
"Disconnect from the internet immediately" is not mandated here as the Environmental Reality Check confirms this is a web-based threat, not an active network worm or RCE exploit.

Priority 2: Identity

Command
Reset passwords and MFA parameters for PayPal, Amazon, and primary email accounts using a known clean device (e.g., phone on 5G).

Command
Contact financial institutions to monitor or freeze credit cards if details were submitted into the chat widget.

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions. (While the evidence suggests a purely web-based attack, verifying browser extensions ensures no session-hijacking add-ons were stealthily installed).

Hardening & References

Baseline

CIS Controls v8 - Control 14 (Security Awareness and Skills Training).

Framework
NIST CSF 2.0 / SP 800-61r3 (Incident Response).

Hardening Principle
Phishing-resistant MFA (e.g., a YubiKey) is stronger than SMS or app-based OTPs because the authenticator cryptographically binds each authentication attempt to the legitimate domain: an OTP can be typed into a lookalike page and relayed, but a WebAuthn assertion produced for the wrong origin is rejected by the real service, which defeats man-in-the-middle infrastructure like the one described in this campaign.
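To make the origin-binding point concrete, an added example (not from the original post or any WebAuthn library) of the relying-party-side checks on clientDataJSON and authenticatorData that a relayed assertion fails. It omits the signature verification a real relying party also performs; the RP ID, origins and challenge are placeholders.

```python
import base64
import hashlib
import json

# Assumption: placeholder relying party, not a real deployment.
EXPECTED_RP_ID = "paypal.example"
EXPECTED_ORIGIN = "https://paypal.example"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge, origin):
    # The browser builds this; "origin" is the page the user is really on,
    # so a relay page cannot claim the legitimate origin.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id):
    # rpIdHash (32 bytes) || flags (1 byte, user-present bit set) || signCount (4 bytes).
    # The browser scopes rp_id to the effective domain of the page, so a relay
    # page also ends up with a hash of its own domain, not the legitimate one.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"


def check_binding(client_data_json, auth_data, challenge):
    """Return (ok, reason) for the origin/RP ID binding checks of a WebAuthn assertion."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin %s not allowed" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    chal = b"\x01\x02" * 16  # constructed challenge; a real RP uses fresh random bytes
    print(check_binding(make_client_data(chal, EXPECTED_ORIGIN), make_auth_data(EXPECTED_RP_ID), chal))
    print(check_binding(make_client_data(chal, "https://paypal-login.example"),
                        make_auth_data("paypal-login.example"), chal))
```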

Source

Cofense Threat Intelligence Blog (Primary Source)

CyberSecurity News Article 1

CyberSecurity News Article 2