Phishing Campaign Uses Live Chat, Leverages PayPal Brand
Emails Contain Legitimate Links That Lead to Authentic PayPal Site
In a new phishing scam that leverages the PayPal brand, attackers are using automated scripts and live chat as a way of compromising devices and bypassing secure email gateways.
The attackers' unusual techniques point to the need for organizations to ramp up defenses against these types of attacks, which eventually could target employees' credentials.
Researchers at the Cofense Phishing Defense Center say they "observed a phish using a rather unorthodox tactic of acquiring PayPal credentials."
The researchers found that the campaign not only creates a typical “forms” page or spoofed logins, but also uses a carefully crafted email that appears to be legitimate unless a recipient dives into the headers and links.
The subject line notes that the email is trying to initiate a live chat to discuss a service notice related to the target’s PayPal account.
"This may rush the target into attempting to have the problem resolved quickly. Despite this, the threat actor made no attempts at masking the “from” address, which the PDC [Phishing Defense Center] identified as one that’s not associated with legitimate PayPal emails," says Alex Geoghagan, security researcher at Cofense Phishing Defense Center.
The malicious email also contains a “Help & Contact” link as well as a “Learn to Identify Phishing” link, both leading to authentic PayPal links.
But, Geoghagan notes, "when hovering over the button labelled “Confirm Your Account,” it does not lead to a PayPal URL. It instead leads to a URL at direct[.]lc[.]chat. A user familiar with PayPal may notice at this point that they are being taken to a domain outside of PayPal, while the legitimate PayPal live chat is hosted within the PayPal domain and requires that you log in to use it."
When a victim visits the fraudulent live chat, the threat actor utilizes automated scripts to start communication. The attacker initially attempts to get an email address and phone number from the victim. "It can safely be assumed that the threat actor is gathering this information to convey legitimacy or to collect sufficient information for authentication," according to the Cofense report.
"The attacker will continue to use this automated script, and then step in where the script fails in order to directly interact with the victim. This is probably to reduce their own workload throughout the attack," Geoghagan states.
Once the threat actor has acquired the phone number and attempted to verify the email address, the attackers will then try to get credit card information from the target, the Cofense report notes.
"Finally, a verification code is sent via SMS to the target using the phone number provided earlier. By using this code, it can be inferred that the phone number given by the victim is live and the target is the individual who has access to the device," the researchers note. "After acquiring the right amount of information from the target, the threat actor will supposedly attempt to call their target. However, as they stated, they will only call the target if they are able to verify the entirety of information given to them."