Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Phishers Add Chatbot to the Phishing Lure

Researchers have discovered a new approach being taken by phishers to increase victim engagement and confidence: the addition of an interactive chatbot. We have all become accustomed to the chatbots used by many of the largest service providers – they are annoying, but something we must navigate.

Researchers have discovered a new approach being taken by phishers to increase victim engagement and confidence: the addition of an interactive chatbot. We have all become accustomed to the chatbots used by many of the largest service providers – they are annoying, but something we must navigate.

The phishers hope that this reluctant acceptance of chatbots will help lower the attention of the target victim. The process is described in a new blog post.

The discovery was made at Trustwave SpiderLabs. In its own telemetry it has found just the one sample, but Karl Sigler, manager of SpiderLabs’ threat intelligence notes that since the phishers have registered a series of domains for the process, it is likely to be part of a wider campaign. 

The basic lure is the common failed DHL delivery, and the victim must still fall for this. But the victim is not immediately directed to the phishing site. Instead, the ‘please follow our instructions’ results in the delivery of a PDF with a ‘fix delivery’ button. So far, although there are red flags for the observant victim, there is nothing overtly dangerous.

If the victim clicks the button, he or she is sent to another website where the phishing chain begins with the introduction of a chatbot that promises to fix the delivery but really harvests personal data.

Phishing Chatbot Screenshot

If the target accepts the chatbot, it continues the engagement by showing the victim a photo of the damaged package, and asks for details on how to deliver. If the victim asks to schedule delivery, a false CAPTCHA is presented to further increase confidence.

The next stage is to ask for a delivery address and time. An unspecified password is requested. It really doesn’t matter what password is entered – it could be a DHL account password or the user’s email account – the phisher steals it anyway along with the delivery address and the user’s email address (which he already has). The phishing has begun but is not complete.

The chatbot explains that the additional delivery attempt is an additional service that requires payment – so a credit card payment page is displayed. The amount is small. If the victim has been taken in so far, the payment is not unreasonable. Paying for the fake redelivery gives up the phisher’s real target – bank card details.

Advertisement. Scroll to continue reading.

There then follows a strange procedure – the phisher says an OTP verification code has been sent to the victim. But the phisher hasn’t yet asked for the victim’s phone number, so this could not happen. “Putting in random characters will just redirect you to the same page stating that the security code is no longer valid,” write the researchers. “On the fifth try, however, the page redirects to another page saying that the submission was successfully received. This marks the end of the perpetrator’s phishing chain.”

We are left with a somewhat puzzling phishing attack. It seems sophisticated but lacking in some very easy detail that could improve it. It would be easy, indeed logical, to ask for the victim’s phone number for the OTP token. The fact that the chatbot is going to send a token to a phone number that hasn’t been given could be a serious red flag. At the same time, the phisher no longer really cares since he already has the details he was after.

However, an apparently functioning OTP would give the victim greater confidence in the validity of the process. With no concerns, the victim may easily give no further thought to the occurrence until non-delivery of the non-existent package (if ever) – giving the phisher ample time to collect the user details. The obviously flaky OTP process, could, however, spark sufficient concern for the victim to contact his or her bank.

This combination of sophistication with a certain level of incompleteness raises the question of whether this is really an attack methodology still in development. It is certainly possible that this sample will mark the beginning of a wider and more sophisticated use of chatbots in phishing campaigns. However, Trustwave’s Sigler has a slightly different view.

“Reading through the lines and with my experience,” he told SecurityWeek, “what this tells me is that this was a campaign first used for other purposes. They probably did have it more targeted; they probably did ask for the potential victim’s phone number and then sent them an OTP code to try and capture that. But what the phishers are doing here is they’re reusing the same infrastructure from a more targeted campaign for more general purposes. This could be some minor group that just bought this package from some malware-as-a-service or some dark web link and are trying their best to use it as they can, even though certain components of it don’t really make sense to the victims they’re targeting.”

Related: SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineering

Related: APT Group Using Voice Changing Software in Spear-Phishing Campaign

Related: FBI Warns of Phishing Attacks Targeting US Election Officials

Related: Cybercriminals Using GitHub to Host Phishing Kits

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.