PayPal Credential Phishing Accomplished through Live Chat Service

By Alex Geoghagan, Cofense Phishing Defense Center

Because credential phishing is usually carried out through a simple link that leads to a form prompting the user for their information, it is easy to overlook some of the more subtle or elaborate tactics that threat actors use to steal credentials from unsuspecting victims. Sometimes the typical login page seen in most phish does not satisfy a more dedicated threat actor. Recently, the Cofense Phishing Defense Center (PDC) observed a phish using a rather unorthodox tactic for acquiring PayPal credentials: a live chat session hosted on a third-party chat service.


Figure 1: Email Body

At first glance (Figure 1), the email does not look particularly sophisticated or even seriously suspicious. The subject line indicates that the sender wants to start a live chat to discuss a service notice related to the target's PayPal account, which may rush the target into trying to get the "problem" resolved quickly. Despite this effort, the threat actor made no attempt to mask the "from" address, which the PDC identified as one not associated with legitimate PayPal email.

On closer inspection of Figure 1, the email body itself is well put together and contains the links one would expect in a legitimate service email. There is a "Help & Contact" link, as well as an (ironic) "Learn to identify Phishing" link, and both point to genuine PayPal pages. The sender address is the first clue; the second is that hovering over the button labeled "Confirm Your Account" reveals that it does not lead to a PayPal URL but to a page at direct[.]lc[.]chat. A user familiar with PayPal may notice at this point that they are being taken to a domain outside of PayPal, whereas the legitimate PayPal live chat is hosted within the PayPal domain and requires the user to log in first.
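The two manual checks just described, the sender domain and the real destination of every link, are easy to automate for triage. The script below is an added example written for this post, not Cofense tooling. The message it parses is constructed to mimic Figure 1 (genuine-looking help links, a "Confirm Your Account" button that leaves the brand's domain, and a sender that is not PayPal); only the direct.lc.chat host comes from the post's indicators, and the PayPal help paths and the lookalike host are assumed. Domain ownership is tested on a dot boundary, so a host such as paypal.com.secure-login.test is correctly treated as foreign.

```python
"""Flag the sender domain and link targets of an e-mail that do not belong to
the brand the message claims to come from.

Added example (not the original post's or Cofense's code). The sample message
is constructed; the direct.lc.chat host is the post's indicator, everything
else in it is assumed."""

from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAIN = "paypal.com"  # the brand the message impersonates

# Constructed sample (.eml) mimicking the message in Figure 1.
SAMPLE_EML = """\
From: PayPal Service <service@notifications-example.test>
To: victim@example.test
Subject: Live chat: service notice on your PayPal account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We need to discuss a service notice with you.</p>
<p><a href="https://www.paypal.com/us/smarthelp/contact-us">Help &amp; Contact</a>
 | <a href="https://www.paypal.com/us/security/learn-identify-phishing">Learn to identify Phishing</a></p>
<p><a href="https://direct.lc.chat/12924651/">Confirm Your Account</a></p>
<p><a href="https://paypal.com.secure-login.test/verify">Secure login</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_belongs_to(host, brand_domain):
    """True only when host is brand_domain or a subdomain of it.

    The comparison is on a dot boundary, not a substring search, so
    'paypal.com.evil.test' and 'notpaypal.com' do not qualify."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def triage(raw_eml, brand_domain=BRAND_DOMAIN):
    """Return findings: whether the sender is on-brand, plus every link whose
    host is outside the brand's domain, as (anchor text, host) pairs."""
    msg = message_from_string(raw_eml)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    findings = {
        "sender": sender,
        "sender_is_brand": host_belongs_to(sender_domain, brand_domain),
        "off_brand_links": [],
    }
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    for text, href in parser.links:
        host = urlsplit(href).hostname or ""
        if not host_belongs_to(host, brand_domain):
            findings["off_brand_links"].append((text, host))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    state = "on-brand" if result["sender_is_brand"] else "NOT the brand's domain"
    print(f"sender {result['sender']}: {state}")
    for text, host in result["off_brand_links"]:
        print(f'off-brand link "{text}" -> {host}')
```

Run against the sample, the sender is reported as off-brand and two links are flagged: the chat button (direct.lc.chat) and the lookalike host, while both genuine PayPal help links pass. The display name in the From header is deliberately ignored; only the address after the "@" is compared, since the display name is attacker-controlled text.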


Figure 2: Phishing Page

When the target opens the fraudulent live chat, the threat actor uses an automated script to start the conversation. First, the script asks for a postal address and an email address, as seen in Figure 2. Second, it asks for a phone number. At this point it is safe to assume that the threat actor is gathering this information either to make the chat feel legitimate or to collect enough details to pass account verification later. The attacker lets the script run as far as it can and steps in to interact with the victim directly only where the script fails, presumably to reduce their own workload during the attack.


Figure 3: Phishing Page

After the phone number has been obtained and an attempt has been made to verify the email address, the script asks the target for credit card information, as seen in Figure 3. Finally, a verification code is sent via SMS to the phone number provided earlier, and the target is asked to type it back into the chat. By requiring this code, the attacker confirms that the phone number is live and that the target is the person holding the device, which is exactly the information needed to defeat SMS-based verification on the victim's account.


Figure 4: Phishing Page

As seen in Figure 4, once enough information has been collected, the threat actor claims they will call the target. As the script states, however, the call will only be made once all of the supplied information has been verified.

In conclusion, this attack demonstrates the complexity of phishing attacks that go beyond the typical "Forms" page or spoofed login. In this case, a carefully crafted email appears legitimate until the recipient examines the headers and link destinations, which the average user is unlikely to do. For cases such as this, it is paramount to give your employees the protection they need, especially when crimeware gets past secure email gateways (SEGs). This is where Cofense steps in. Our analysts and technology consistently, and constantly, catch and mitigate threats that turn up in environments protected by SEGs. With Cofense Managed Phishing and Defense, organizations get a full view of phishing attacks as well as a comprehensive solution. To learn more about what Cofense can do, contact us.

Indicators of Compromise

URL: hXXps://direct[.]lc[.]chat/12924651/
IP:  23.212.251.151
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Reporting Matters – even for a Smishing Message

By Tonia Dudley, Strategic Advisor – Cofense

With the increased use of mobile devices to manage so much of our lives, it’s no surprise scammers have moved to this medium to target your sensitive information. If you have a mobile phone, then you’ve most likely experienced smishing. Smishing is a phishing message received via an SMS text message. Just like an email phishing attempt, the scammers are targeting your sensitive information.

Similar to what you might experience in your email, these messages are using emotional triggers to entice you to interact with the links. The themes are typically targeting your personal information such as your username and password, credit card number or national ID.

Below are just a few examples I received over a few months. What was interesting as I monitored these messages was seeing that a couple of them addressed me as Jesse!

Just as we encourage reporting suspicious email messages to your organization's security team or to the company being spoofed, it is important to report these text messages too. Below are the steps to report them to your phone provider:

How to report a smishing text or SMS message

  • Forward suspicious SMS messages to 7726:
    • When you receive a spam text message on your phone, forward it to the short code 7726 (which spells "SPAM" on a phone keypad).
    • You will then receive an automated message from your wireless carrier asking you to enter the phone number the spam text was sent from.
    • 7726 is supported by the major US carriers and by UK carriers; subscribers elsewhere should check their own carrier's reporting short code.

How to forward an SMS:

iOS: https://support.apple.com/en-us/HT208386

Android: https://www.androidauthority.com/how-to-forward-a-text-message-870759/

This blog post originally appeared July 20, 2021, on the National Cybersecurity Alliance website. It is reprinted with permission. To learn more about smishing and defensive tactics, read our blog, “Thinking of Smishing Your Employees? Think Twice.”


HTA Files Distributed as Fake Chrome Patches for CVE-2021-30554

By Elmer Hernandez, Cofense Phishing Defense Center

With new vulnerabilities come new updates and patches. Organizations have complex environments that make it difficult to roll out patches quickly, and they often find themselves in a race to patch systems before threat actors can exploit them. Attackers are aware of this delay and may try to take advantage of the patching window. The Cofense Phishing Defense Center (PDC) has spotted such an attempt: an email delivering an HTML Application (HTA) file attachment that is presented as a patch for a newly disclosed vulnerability in the Chrome web browser, CVE-2021-30554.

The email was received by one of our PDC customers whose well-conditioned users report suspicious messages quickly. It warns the recipient about a recently reported vulnerability in Google Chrome and provides a corresponding "update" for the employee to apply. A web browser like Chrome is a vital everyday tool for employees across many industries, so the threat actors urge recipients to apply the update within 48 hours or functionality may cease (Figure 1). However, any seasoned Chrome user knows that Chrome updates itself and applies the update on relaunch, and enterprise users know that their IT department manages software updates; Google does not distribute patches as email attachments. An HTA file is worth treating with particular suspicion: Windows runs it with mshta.exe, outside the browser sandbox, with the privileges of the user who double-clicks it.
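Because an HTA is just HTML with an HTA:APPLICATION element, an attachment filter that looks only at the file extension is easy to sidestep by renaming the file. The script below is an added example written for this post, not Cofense tooling; it triages attachments both by extension and by content. The message builder, the filenames, the 48-hour lure text and the inert HTA skeleton are all constructed for the example (the skeleton contains no script at all, only the markup mshta keys on).

```python
"""Triage e-mail attachments for HTML Application (HTA) content.

Added example (not the original post's or Cofense's code). The attachment is a
constructed, inert HTA skeleton: the HTA:APPLICATION element is what makes
mshta.exe treat a file as an application, and that markup survives renaming
the file, so the check looks at content as well as the extension."""

import base64
import os
from email import message_from_string

# Extensions that Windows hands to a script host rather than a viewer (assumed
# policy list for the example; extend to match the organisation's own).
SCRIPT_HOST_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Constructed attachment content. A real lure would carry a script block here;
# only the markup is needed for detection.
FAKE_PATCH_HTA = b"""<html>
<head><HTA:APPLICATION id="ChromeUpdate" windowstate="minimize"></head>
<body><p>Applying Chrome security update...</p></body>
</html>
"""


def build_sample_eml(filename, content_type):
    """Constructed lure: a 'patch within 48 hours' message with one attachment
    whose filename and declared MIME type are chosen by the caller."""
    payload = base64.b64encode(FAKE_PATCH_HTA).decode()
    return f"""\
From: IT Support <support@example.test>
To: victim@example.test
Subject: Action required: Chrome security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

A new vulnerability affects Google Chrome. Apply the attached update
within 48 hours or the browser may stop working.

--XYZ
Content-Type: {content_type}; name="{filename}"
Content-Disposition: attachment; filename="{filename}"
Content-Transfer-Encoding: base64

{payload}
--XYZ--
"""


def looks_like_hta(data):
    """Content check: HTA:APPLICATION anywhere in the first KB, case-insensitive."""
    return b"<hta:application" in data[:1024].lower()


def triage_attachments(raw_eml):
    """Return [(filename, declared_content_type, reasons)] for every
    attachment that is risky by extension, by content, or both."""
    msg = message_from_string(raw_eml)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # body text, not an attachment
        reasons = []
        ext = os.path.splitext(filename)[1].lower()
        if ext in SCRIPT_HOST_EXTENSIONS:
            reasons.append(f"extension {ext} runs under a script host")
        data = part.get_payload(decode=True) or b""
        if looks_like_hta(data):
            reasons.append("content contains HTA:APPLICATION markup")
        if reasons:
            findings.append((filename, part.get_content_type(), reasons))
    return findings


if __name__ == "__main__":
    for name, ctype in [("Chrome_Security_Update.hta", "application/hta"),
                        ("patch_notes.txt", "text/plain")]:
        for filename, declared, reasons in triage_attachments(build_sample_eml(name, ctype)):
            print(f"{filename} ({declared}): " + "; ".join(reasons))
```

The second sample shows why the content check matters: the same HTA body renamed to patch_notes.txt and declared as text/plain is missed by the extension rule but still caught by the markup check. Content sniffing of this kind belongs at the gateway or in the reporting pipeline, alongside a policy of blocking script-host extensions outright.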