By Alex Geoghagan, Cofense Phishing Defense Center
Given that credential phishing is often carried out through a simple URL link leading to a prompt for the user's information, it is easy to overlook some of the subtler or more elaborate tactics that threat actors have been using to steal credentials from unsuspecting victims. Sometimes the typical login page seen with most phish doesn't satisfy a more dedicated threat actor. Recently, the Cofense Phishing Defense Center (PDC) observed a phish using a rather unorthodox tactic for acquiring PayPal credentials.
Figure 1: Email Body
As seen in Figure 1, at first glance the email does not look particularly sophisticated or even seriously suspicious. The subject line indicates that the email is trying to initiate a live chat to discuss a service notice related to the target's PayPal account, which may rush the target into trying to have the problem resolved quickly. Despite this, the threat actor made no attempt at masking the "from" address, which the PDC identified as one that is not associated with legitimate PayPal emails.
Taking a closer look at Figure 1, the email body itself is rather well put together and contains links that one would expect to find in a legitimate email from any service. There is a "Help & Contact" link, as well as an (ironic) "Learn to identify Phishing" link in the body of the email, both leading to authentic PayPal links. Beyond the first clue in the sender email address, hovering over the button labeled "Confirm Your Account" reveals that it does not lead to a PayPal URL. It instead leads to a URL at direct[.]lc[.]chat. A user familiar with PayPal may notice at this point that they are being taken to a domain outside of PayPal, whereas the legitimate PayPal live chat is hosted within the PayPal domain and requires that you log in to use it.
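The two clues described above, a sender address outside the impersonated brand's domain and a call-to-action button whose real destination is a third-party host, can be checked mechanically. The following is an added example written for this post and is not Cofense's or PayPal's code; the sample message, its sender domain and the `chat.example.invalid` destination are constructed placeholders standing in for the off-brand chat host the email actually linked to.

```python
"""Flag brand-impersonation clues in an email: a From: address outside the
brand's domain, and anchor links whose target host is not under that domain.
Added example; the sample message below is constructed, not a real phish."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains that legitimately belong to the impersonated brand (assumption for the demo).
BRAND_DOMAINS = ("paypal.com",)

# Constructed sample email: two genuine-looking brand links plus one off-brand button.
SAMPLE_EMAIL = """\
From: "PayPal Service" <notice@mail-notify.example.invalid>
To: victim@example.invalid
Subject: Live chat: service notice for your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We need to confirm your account.</p>
<a href="https://www.paypal.com/help">Help &amp; Contact</a>
<a href="https://www.paypal.com/phishing">Learn to identify Phishing</a>
<a href="https://chat.example.invalid/confirm">Confirm Your Account</a>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def host_matches_brand(host, domains):
    """True if host is exactly a brand domain or a subdomain of one.
    Suffix matching on '.' avoids treating paypal.com.evil.invalid as paypal.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(raw_email, brand_domains=BRAND_DOMAINS):
    """Return a list of findings; an empty list means no clue was triggered."""
    msg = message_from_string(raw_email)
    findings = []

    # Clue 1: the From: address is not under the brand's domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if not host_matches_brand(sender_domain, brand_domains):
        findings.append(("sender_domain_mismatch", sender))

    # Clue 2: a link in the body points somewhere other than the brand's domain.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    collector = _AnchorCollector()
    collector.feed(body)
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        if not host_matches_brand(host, brand_domains):
            findings.append(("offbrand_link", text, href))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed message, the check reports the sender domain mismatch and the single "Confirm Your Account" link whose host is not under paypal.com, while the two genuine PayPal links pass. In a mail gateway the same logic would key the brand list off the display name or subject rather than a hard-coded tuple.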
Figure 2: Phishing Page
Upon visiting the fraudulent live chat, the threat actor uses automated scripts to start communication with the target. First, the script attempts to get a postal address as well as an email address from the recipient, as seen in Figure 2. Second, it attempts to get a phone number. At this point it can safely be assumed that the threat actor is gathering this information to convey legitimacy or to collect enough details to pass authentication. The attacker continues to use this automated script and steps in where the script fails in order to interact directly with the victim, most likely to reduce their own workload throughout the attack.