New Phishing Attack Uses Malicious Chatbot For Real Time Social Engineering

Researchers at Trustwave have observed a phishing campaign that uses a chatbot-like component to add legitimacy to the scam. The chatbot sits on an otherwise harmless page and is designed to lead the user to the phishing site by striking up a conversation and walking the victim through the process step by step.

“In general, using chatbots adds an interactive component to a website,” the researchers write. “This often results in a higher conversion rate because it makes the site more interesting and engaging for the users. This is what the perpetrators of this phishing campaign are trying to capitalize on. Aside from spoofing the target brand on the phishing email and website, the chatbot-like component slowly lures the victim to the actual phishing pages. Also, the addition of fake OTP and CAPTCHA pages makes the phishing website seem more legitimate.”

The scammers impersonate DHL and attempt to convince the user that their delivery address has been lost. The phishing pages then ask the user to enter their email address, password, and credit card details, ostensibly to update the delivery details.

“The credit card page has some input validation methods,” the researchers write. “One is card number validation, wherein it tries to not only check the validity of the card number but also determine the type of card the victim has inputted. Once the victim fills out the form, clicking the ‘PAY NOW’ button will redirect the victim to a loading page, which after a few seconds will then redirect to an OTP (One-Time Password) page. The OTP consists of automatically generated characters (numeric or alphanumeric) that are usually sent to the user’s registered mobile number. This serves as another layer of user authentication for a single transaction or session.”
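To make the validation described above concrete, here is an added example of the card-number check and brand detection a phishing page typically performs in the browser before the ‘PAY NOW’ step. It is not Trustwave’s code and not the kit’s own script, which the post does not reproduce; the BIN prefix ranges are a simplified public subset and the sample numbers are publicly documented test card numbers, both used here as assumptions for illustration. Recognising this pattern in a captured kit is useful: a Luhn check on a harvesting page protects the attacker’s data quality, not the victim.

```javascript
// Added illustration, not Trustwave's analysis code and not the phishing kit's script:
// the kind of client-side card check a phishing page runs before "PAY NOW",
// written so an analyst can recognise the pattern in captured JavaScript.
// BIN prefixes below are a simplified public subset (an assumption for illustration).

// Strip spaces and dashes so "4111 1111 1111 1111" and "4111111111111111" compare equal.
function normalizeCardNumber(raw) {
  return String(raw).replace(/\D/g, "");
}

// Luhn mod-10 checksum: double every second digit from the right, subtract 9 from
// any doubled digit above 9, and require the total to be a multiple of 10.
function luhnValid(raw) {
  const digits = normalizeCardNumber(raw);
  if (digits.length < 12 || digits.length > 19) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Card brand from the leading digits (IIN/BIN ranges, simplified).
function cardType(raw) {
  const d = normalizeCardNumber(raw);
  if (d.length < 4) return "unknown";
  const two = Number(d.slice(0, 2));
  const three = Number(d.slice(0, 3));
  const four = Number(d.slice(0, 4));
  if (d[0] === "4") return "visa";
  if ((two >= 51 && two <= 55) || (four >= 2221 && four <= 2720)) return "mastercard";
  if (two === 34 || two === 37) return "amex";
  if (four === 6011 || two === 65 || (three >= 644 && three <= 649)) return "discover";
  return "unknown";
}

// What a "PAY NOW" handler decides: brand, expected length, and checksum.
// A kit keeps the victim on the form until this passes, so only usable numbers are sent.
function validateCardInput(raw) {
  const digits = normalizeCardNumber(raw);
  const type = cardType(digits);
  const expectedLength = type === "amex" ? 15 : 16;
  const valid = type !== "unknown" && digits.length === expectedLength && luhnValid(digits);
  return { type, valid };
}

// Usage: constructed inputs built from publicly documented test card numbers.
const samples = [
  "4111 1111 1111 1111", // Visa, passes Luhn
  "5555 5555 5555 4444", // Mastercard, passes Luhn
  "3782 822463 10005",   // Amex, 15 digits, passes Luhn
  "4111 1111 1111 1112", // Visa prefix but bad checksum: a typo the kit would reject
];
for (const s of samples) {
  const r = validateCardInput(s);
  console.log(`${s} -> ${r.type}, ${r.valid ? "accepted" : "rejected"}`);
}
```

When triaging a kit, the presence of this logic, together with a staged loading page and a fake OTP form, is a reliable sign that the operator wants card data clean enough to use or sell, and the rejection of mistyped numbers is what makes a victim retry with a correct one.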

Despite the effort put into the chatbot, the researchers note that this scam is still delivered via email, so users can still recognize the red flags in the phishing message itself before the chatbot ever gets a chance to talk to them. New-school security awareness training can enable your employees to thwart innovative phishing attacks.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Topics: Phishing
