Cofense PDC observed a phishing campaign that uses the LiveChat SaaS platform to impersonate brands (PayPal and Amazon) and engage victims in real-time chat to harvest credentials, credit card details, MFA codes, and PII. The campaign leverages branded chat pages and redirects (lc[.]chat and other domains) to capture data and bypass MFA, demonstrating social engineering combined with SaaS abuse. #PayPal #LiveChat
Key points
- Attackers send phishing emails with branded and generic lures (e.g., purported $200 refund or a pending order) that contain links acting as the initial “hook.”
- Clicking the email link directs victims to LiveChat-hosted pages (lc[.]chat) where a chat interface is used to engage victims in real time.
- In the PayPal variant the chat redirects victims to external phishing pages to collect login credentials and capture MFA codes sent to the victim’s phone.
- In the Amazon variant the chat agent directly requests email, phone number, date of birth, address, and full credit card details (number, expiry, CVC) via the chat interface.
- Collected data (credentials, MFA codes, billing and card info, PII) is intended to enable account takeover and financial fraud.
- Cofense emphasizes the evolving threat of SaaS-enabled phishing and the need for human-driven analysis via PDC to detect and stop these attacks.
MITRE Techniques
- [T1566.001] Spearphishing Link – Email messages contain links directing victims to LiveChat-hosted pages to begin the scam. (‘“View Transaction Details” … directed to a link hosted via LiveChat’s service – noted by the domain lc[.]chat.’)
- [T1566.003] Spearphishing via Service – Use of a SaaS live chat platform to conduct real-time phishing and social-engineer victims through an apparently legitimate support interface. (‘utilizing the software as a service (SaaS) LiveChat – a customer service software … this campaign engages victims through a real-time chat interface’)
- [T1589] Gather Victim Identity Information – Actors request PII such as phone number, date of birth, and address to make the scam appear legitimate and enable fraud. (‘verify their phone number, date of birth, and address’)
- [T1056] Input Capture – Attackers collect sensitive input (login credentials, credit card numbers, CVC) through chat and web forms to harvest account and payment data. (‘requests the user to provide their card number, expiration date, and CVC for “verification.”’)
- [T1078] Valid Accounts – Harvested credentials and intercepted MFA codes are used to take over victim accounts (e.g., PayPal) and bypass multi-factor authentication. (‘a verification code is sent to the user’s registered phone number on the account, which is then saved by the threat actor’)
Indicators of Compromise
- [URL] Initial phishing links and infection redirects – hXXps://www[.]govnet[.]co[.]za/?redirect=… (an open redirect used to forward victims to direct[.]lc[.]chat), hXXps://t[.]co/56TlmnQA0M1 (Twitter shortlink used in Email 2).
- [Domain] Malicious payload and phishing domains – direct[.]lc[.]chat (LiveChat-hosted chat pages), paypalrefund[.]workers[.]dev (PayPal-branded phishing page), and api[.]telegram[.]org (used by actor tooling/notifications).
- [IP Address] Observed infrastructure IPs (examples from stages/payloads) – 104.21.90.116 and 172.67.200.101 (associated with lc[.]chat redirects), 23.53.11.166 (observed with Amazon variant payloads), and 162.159.140.229 (observed with Email 2 infection URL).
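The hook described under T1566.001 is an email link whose `?redirect=` parameter forwards the victim to a LiveChat-hosted page. The following detection helper, added here as an illustration rather than Cofense tooling, refangs the defanged indicators above, follows embedded `redirect` parameters offline (no network access), and flags any URL whose final destination lands on one of the listed phishing domains. The sample email body and the redirect target value are constructed; the report elides the real one.

```python
import re
from urllib.parse import parse_qs, urlparse

# Watchlist built from the domain indicators in the report (refanged form).
WATCHLIST_DOMAINS = {"direct.lc.chat", "paypalrefund.workers.dev"}

# Matches both live and defanged (hXXp, hXXps) URLs inside message text.
URL_RE = re.compile(r"(?:hXXps?|https?)://[^\s<>\"']+", re.IGNORECASE)

def refang(ioc: str) -> str:
    """Turn defanged notation (hXXps://, [.]) back into a parseable URL."""
    return ioc.replace("hXXps", "https").replace("hXXp", "http").replace("[.]", ".")

def host_on_watchlist(host: str) -> bool:
    """True if host is a watchlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST_DOMAINS)

def final_destination(url: str, max_hops: int = 5) -> str:
    """Resolve chained ?redirect= parameters without contacting any server.

    max_hops bounds the loop so a self-referencing redirect cannot spin forever.
    """
    current = refang(url)
    for _ in range(max_hops):
        target = parse_qs(urlparse(current).query).get("redirect")
        if not target:
            break
        current = refang(target[0])  # parse_qs already percent-decodes the value
    return current

def classify(url: str) -> dict:
    """Report where a link really lands and whether that host is watchlisted."""
    dest = final_destination(url)
    host = urlparse(dest).hostname or ""
    return {"url": url, "destination": dest, "host": host, "flagged": host_on_watchlist(host)}

def scan_body(text: str) -> list:
    """Extract every URL from an email body and return only the flagged ones."""
    return [r for r in (classify(m.group(0)) for m in URL_RE.finditer(text)) if r["flagged"]]

# Constructed sample lure in the style of the $200 refund email; not a real message.
SAMPLE_EMAIL = """Subject: Your $200 refund is ready
View Transaction Details: hXXps://www[.]govnet[.]co[.]za/?redirect=https%3A%2F%2Fdirect.lc.chat%2Fconstructed-id
Manage preferences: https://example.com/unsubscribe
"""

if __name__ == "__main__":
    for hit in scan_body(SAMPLE_EMAIL):
        print(f"FLAGGED {hit['host']} <- {hit['url']}")
```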