By Cobi Aloia and Mark Deomampo, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) has recently identified a unique phishing campaign that abuses LiveChat, a software-as-a-service (SaaS) customer service platform offering live messaging and AI-driven responses as a support channel for businesses. Unlike typical refund scams or credential phish, this campaign engages victims through a real-time chat interface, impersonating well-known brands in order to harvest sensitive data such as account credentials, credit card details, multi-factor authentication (MFA) codes, and other personally identifiable information (PII).
Figure 1-2: Email 1 and Email 2 Body
The email bodies shown in Figures 1 and 2 each use a different lure. Figure 1 shows the threat actor using a spoofed PayPal template, indicating that the user is to receive $200.00 USD into their account. This is followed by a hyperlinked button labeled “View Transaction Details”, which acts as the “hook” in this phishing email.
Figure 2 is much more generic and, unlike the first, carries no branding. The body states that an order is pending and needs confirmation, which the user can supposedly provide by clicking the hyperlinked “View Update” text.
While differing in context, both emails leverage social engineering techniques to manipulate the user and increase the likelihood of a successful phish. The first email uses a $200 refund to exploit curiosity and the desire for financial gain. The second email instead combines a sense of urgency with curiosity: with no branding in the message, the user has no way to tell whether it refers to a real order they placed.
Clicking the “hook” in either email (“View Transaction Details” or “View Update”) directs the user to a page hosted on LiveChat’s service, recognizable by the domain lc[.]chat. The configuration of these pages differs slightly: the page from the first email is branded as PayPal, while the page from the second email is branded as Amazon, even though the body of the second email gave no indication of which service or brand it came from. The PayPal-branded page appears to use an AI or automated response setup, as the message shown below is sent as soon as the website loads. The Amazon-branded page, on the other hand, asks for the user’s email address before any communication can begin in LiveChat’s chat box.
Figure 3-4: Email 1 - LiveChat Prompt
After the user responds to the message in the chat box, the PayPal-branded LiveChat bot directs them to an external website to “complete the process {of receiving the $200 refund}.” The Amazon LiveChat messenger takes a different approach: it stays within the chat box and, under the guise of a conversation with an Amazon “customer service employee”, harvests the user’s credentials, card information, and PII.
Figure 5-6: Email 2 - LiveChat Prompt
In the Amazon version of this threat, the threat actor responds with an “Unlock your Pending Refund” prompt, a generic greeting, and a request to confirm the email address. Once confirmed, the agent asks the user to verify their phone number, date of birth, and address to make the exchange feel legitimate. The language is noticeably rough and unprofessional, with misspellings such as “Ello” and punctuation errors such as “Hello !” and “Open chat !!”, signaling a scripted, non-genuine interaction – one conducted by an actual human rather than by AI or automated responses.
As the chat progressed, the agent claimed that a refund of $200.00 was available but that the user’s card details were “not on file.” The attacker then asked the user to provide their card number, expiration date, and CVC for “verification.” To add legitimacy, the message even included a reassurance that the information would be “handled with the utmost confidentiality”, a common tactic to lower suspicion.
Figure 7-8: Email 2 - LiveChat Harvesting
Despite the convincing layout and polite tone, this stage of the scam exposes its true intent: harvesting full credit card details directly through the chat. Using a live chat platform makes the phishing attempt feel like real-time customer service, reducing the victim’s caution and increasing the chance of successful credential and data theft.
Figure 9-10: Email 1 - Phishing Page and PayPal MFA
In the PayPal version of this threat, clicking the link sent in the LiveChat chat box takes the user to an external URL asking them to log in to their PayPal account. A verification code is then sent to the phone number registered on the account; the threat actor saves this code in order to log in quickly and bypass multi-factor authentication.
Figure 11-12: Email 1 - Billing Details and CC Information
Once the user enters the MFA code, they are directed to another form where “billing” information is gathered for “security purposes”. Oddly, the threat actor included a field for the user’s date of birth, an unconventional ask for typical billing questions. The data gathered in this form is just another way for the threat actor to gain and keep access to the user’s account and credit cards (see Figure 12).
After the user’s billing details are “verified”, another form is presented, asking for payment verification to complete the refund process. The credit card information gathered in this form would be used in conjunction with the billing information from the previous form to compromise and drain the user’s finances, as well as to verify and take control of their PayPal account.

Figure 13-14: Email 1 - CC MFA and Confirmation Message
The last piece of data requested in this threat is another MFA code sent to the mobile number on the account. This is likely a repeat of the earlier code verification, aimed at gaining access to the PayPal account associated with the phone number the user provided in the billing form. Lastly, the user is redirected back to the LiveChat, where the messenger assures them that a refund will be received.
Today’s phishing threats are no longer easy to spot. Threat actors constantly refine their tactics, crafting messages that can slip past automated detections and appear legitimate, even to cautious users. In this blog, we highlighted two threats that combine brand impersonation, social engineering, credential theft, identity theft, and other techniques that demonstrate the rapid evolution and integration of threats. These cases highlight why human-driven analysis remains essential. With Cofense, a dedicated Phishing Defense Center (PDC) bridges that gap — combining expert-level threat hunters, real-time intelligence, and user reports to identify and stop evolving attacks before they cause harm. In a threat landscape that changes daily, having a PDC is not just an advantage; it is a necessity. Schedule a demo today to learn more.
Email 1 (PayPal) IOCs:
Stage 1 - Observed Email Infection URL:
  hXXps://www[.]govnet[.]co[.]za/?redirect=hXXps%3A%2F%2Fdirect[.]lc[.]chat%2F19449368
Infection URL IP(s):
  104.21.90.116
  172.67.200.101
Stage 2 - Observed Payload URL(s):
  hXXps://direct[.]lc[.]chat/19449368
  hXXps://www[.]paypalrefund[.]workers[.]dev/en?utm_medium=chat&utm_campaign=link-shared-in-chat&utm_source=livechat[.]com&utm_content=direct[.]lc[.]chat
  hXXps://api[.]telegram[.]org/bot8584408242:AAGFK13zX70Zq_ezkA-BUAr-x6Jn308BlmI/sendMessage
Payload IP(s):
  23.48.203.38
  104.21.20.86
  149.154.166.110
  23.48.203.39
  172.67.192.3
Email 2 (Amazon) IOCs:
Stage 1 - Observed Email Infection URL:
  hXXps://t[.]co/56TlmnQA0M
Infection URL IP(s):
  162.159.140.229
Stage 2 - Observed Payload URL(s):
  hXXps://direct[.]lc[.]chat/19252309
Payload IP(s):
  23.53.11.166
  23.53.11.176
  23.53.11.168
  23.53.11.171
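As an added triage example (not part of the Cofense analysis and not LiveChat's code), the Python below unwraps the open-redirect pattern seen in the Stage 1 infection URL without contacting any host, then labels click-log destinations using the lc[.]chat and Telegram bot API indicators above; the brand list, the redirect parameter names and the placeholder Telegram token are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Indicators from this page's campaign: lc.chat lure pages and the Telegram bot API used
# for exfiltration. BRAND_DOMAINS/REDIRECT_KEYS are assumptions (brand-in-host = review signal).
LIVECHAT_SUFFIX = ".lc.chat"
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/sendMessage$")
BRAND_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com"}
REDIRECT_KEYS = ("redirect", "url", "next", "u")

def refang(url: str) -> str:
    """Turn a defanged indicator (hXXps, [.]) back into a parseable URL."""
    return url.replace("hXXp", "http").replace("[.]", ".")

def final_destination(url: str, max_hops: int = 5) -> str:
    """Unwrap open-redirect parameters offline; no network request is made."""
    current = refang(url)
    for _ in range(max_hops):
        qs = parse_qs(urlparse(current).query)
        nested = next((unquote(qs[k][0]) for k in REDIRECT_KEYS if k in qs), None)
        if not nested or not nested.startswith(("http://", "https://")):
            break
        current = nested
    return current

def classify(url: str) -> str:
    """Label a clicked URL by where it actually lands."""
    parsed = urlparse(final_destination(url))
    host = (parsed.hostname or "").lower()
    if host == "api.telegram.org" and TELEGRAM_BOT_PATH.match(parsed.path):
        return "telegram-exfil"
    if host == LIVECHAT_SUFFIX[1:] or host.endswith(LIVECHAT_SUFFIX):
        return "livechat-lure"  # LiveChat itself is legitimate: flag for review
    for brand, domain in BRAND_DOMAINS.items():
        legit = host == domain or host.endswith("." + domain)
        if brand in host and not legit:
            return "brand-impersonation"
    return "clean"

def triage(urls):
    """Map every non-clean URL to (label, unwrapped destination)."""
    return {u: (classify(u), final_destination(u)) for u in urls if classify(u) != "clean"}

# Constructed click log: first and third URLs follow the page's IOCs; the Telegram token is a placeholder.
SAMPLE_URLS = [
    "hXXps://www[.]govnet[.]co[.]za/?redirect=hXXps%3A%2F%2Fdirect[.]lc[.]chat%2F19449368",
    "https://www.paypal.com/signin",
    "https://www.paypalrefund.workers.dev/en?utm_medium=chat",
    "https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendMessage",
]
```

Running `triage(SAMPLE_URLS)` flags three of the four constructed entries and leaves the genuine paypal.com login untouched.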
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.