Cofense Logo - Email Security Solutions
  • Stop Threats

    End-to-End Email Security

    Defend your organization with a complete email security solution designed to identify, protect, detect & respond to threats.

    Security Awareness Training

    Condition your workforce against today’s latest threats and transform them into your front line of defense.

    Global Intelligence Network

    Protect your organization with our deep analysis into the current threat landscape and emerging trends.

    Cofense vs. The Competition

    See why the Cofense Intelligent Email Security suite stands out against the competition 

    Business Email Compromise (BEC)

    BEC amounts to an estimated $500 billion-plus annually that’s lost to fraud. Ensure your business is protected.

    Ransomware & Malware

    Phishing is the #1 attack vector for ransomware attacks. Stop phishing attacks in their tracks.

    Credential Theft

    Protect your user’s credentials and avoid a widespread, malicious attack.

  • Solutions

    Email Security for the Enterprise

    Complete threat protection, detection and response tailored for enterprise businesses.

    Email Security for the Mid Market

    Security awareness training + email security protection purpose-built for your mid-market organizations.

    Email Security for Managed Service Providers (MSPs)

    Best-in-Class Phishing Protection and Simulations designed for MSPs, from the ground up.

    Managed Email Security Solutions

    Protect your organization from attacks with managed services from the Cofense Phishing Defense Center™.

    Detect and Stop Attacks

    Automatically identify and quarantine email threats across your organization in minutes.

    Analyze & Remediate Reported Threats

    Accelerate threat detection and response, empowering fast resolution.

    Actionable Insight into Emerging Threats

    Protect your organization with our deep analysis into the current threat landscape and emerging trends.

    Security Awareness Training

    Condition your workforce against today’s latest threats and transform them into your front line of defense.

    Security Awareness Training + Threat Protection

    Growing companies can get protection, realistic simulations and security awareness training all in one platform.

    Easily Report Suspected Threats

    Report suspicious threats with just one click.

    Empower Your Team

    Train employees through an with award-winning Learning Management System.

  • Clients

    Industries We Serve

    Businesses from all industries rely on Cofense to safeguard their teams.

    What Our Customers Say

    Global organizations trust Cofense to protect their most critical assets.

  • Resources

    Knowledge Center Hub

    Check out our resource library of solution content, whitepapers, videos and more.

    Events & Webinars

    Come see us at a local event or join us at an upcoming webinar.

    Blog

    Stay current on cybersecurity trends, market insights and Cofense news.

    Check Your SEG

    See the real threats that are currently evading your Secure Email Gateway (SEG).

  • About

    About Cofense

    Cofense stops email security threats and protects your company through our network of 35+ Million human reporters.

    News Center

    See the latest articles, press releases and more in our news center.

    Awards

    It’s an honor to be recognized in the cybersecurity market. Check out our recent awards.

    Partners

    Grow your business, drive new revenue streams, and improve your competitive posture through our Partner Program.

    Careers

    We’re looking for passionate people to join us in our mission to stop all email security threats for organizations around the globe.

    Management Team

    Get to know our management team.

Get a Demo

PayPal Credential Phishing Accomplished through Live Chat Service

Share Now

Facebook
Twitter
LinkedIn

By Alex Geoghagan, Cofense Phishing Defense Center

Given that credential phishing is often carried out through a simple URL link leading to prompts to the user for their information, it is easy to overlook some of the more subtle or exaggerated tactics that threat actors have been using to steal credentials from unsuspecting victims. Sometimes, the typical login page seen with most phish doesn’t satisfy a more dedicated threat actor. Recently, the Cofense Phishing Defense Center (PDC) observed a phish using a rather unorthodox tactic at acquiring PayPal credentials.

Graphical user interface, application Description automatically generated

Figure 1: Email Body

Seen in Figure 1, at first glance, the email does not look entirely sophisticated or even seriously suspicious. The subject line indicates that the email is trying to initiate a live chat to discuss a service notice related to the target’s PayPal account. This may rush the target into attempting to have the problem resolved quickly. Despite this, the threat actor made no attempts at masking the “from” address, which the PDC identified as one that’s not associated with legitimate PayPal emails.

In Figure 1, when taking a closer look, the email body itself is rather well put together and contains links that one would expect to find in a legitimate email from any service. There is a “Help & Contact” link, as well as an (ironic) “Learn to identify Phishing” link in the body of the email, both leading to authentic PayPal links. Beyond the first clue in the sender email address, when hovering over the button labeled “Confirm Your Account,” it does not lead to a PayPal URL. It instead leads to a URL at direct[.]lc[.]chat. A user familiar with PayPal may notice at this point that they are being taken to a domain outside of PayPal, while the legitimate PayPal live chat is hosted within the PayPal domain and requires that you log in to use it.

Graphical user interface, application, Teams Description automatically generated

Figure 2: Phishing Page

Upon visiting the fraudulent live chat, the threat actor utilizes automated scripts to start communication with the target. First, it will attempt to get an address, as well as an email address from the recipient, as seen in Figure 2. Second, it will attempt to get a phone number. At this point, it can safely be assumed that the threat actor is gathering this information to convey legitimacy or to collect sufficient information for authentication. The attacker will continue to use this automated script, and then step in where the script fails in order to directly interact with the victim. This is probably to reduce their own workload throughout the attack.

Graphical user interface, application Description automatically generated