Hackers impersonate live chat support agents in new phishing scam

Hackers have come up with a new phishing scam – this time pretending to be legitimate live chat agents for companies like Etsy and Upwork – and tricking unsuspecting victims into handing over their credit card and banking information.

These phishing attacks are said to exploit the inherent trust that users place in live chat support. That's according to a new research blog released Wednesday by US-based cybersecurity firm Perception Point.

What makes this particular phishing campaign unique is that it involves real, live humans providing real-time responses to victims instead of canned responses from a scripted bot, Perception Point reveals.

“This human element adds a new layer of deception, making them increasingly harder to identify,” the research team said.

The scammers are said to primarily target small business owners – such as Etsy sellers or Upwork freelancers – who sell their goods and services on the marketplace platforms.

Fake Etsy payment page. Image by Perception Point.

Live chat phishing

The research shows the hackers first create a fake web page identical to the platform’s payment page. This is where the business owner would typically collect money earned from product sales.

When the targeted victim clicks on a button to verify the payment, they encounter another fake page which appears to be from Stripe, one of the more popular payment-processing platforms.

Once on the “spoofed Stripe page,” the victim is prompted to enter their credit card information, but when they press submit, they get an error message instead.

Perception Point says at this stage of the phish, a victim's “credentials are as good as gone, sent straight to the attacker.”

Spoofed Stripe payment processing page. Image by Perception Point.

This is where the phish gets even more malicious and convincing.

On the fake Stripe page is a live chat support button that will connect the victim to a human agent – ready to steal even more sensitive information.

“The phisher on the other end posed as the spoofed site’s support. When our researchers engaged with the chat, they were strictly instructed to click on the link provided and enter their bank details,” Perception Point said.

The phishing kit was described by the researchers as “sophisticated” and “versatile” because the code provided the hacker with spoofing templates that could be used repeatedly and with multiple platforms, including Etsy, Reverb, Behance, and more.

“One iteration even uses a PNG file with a QR code to further disguise the nature of the attack,” the researchers said.

A human-operated live chat support feature engages with the victim. Image by Perception Point.

Safeguarding against phishing attacks

The research provides several ways online users can protect themselves against these types of phishing attacks.

The first is to verify the authenticity of communications with support teams. This can be done by contacting support directly through other official means.

Next, users should never click on unsolicited links or QR codes, and instead navigate to the site themselves through a browser.

Users should always check a website’s URL to see if it is legitimate. For example, phishing sites will often have spelling errors or missing letters in the domain name, or grammatically incorrect syntax within the site itself.

And last, users should always use multi-factor authentication and stay up to date on the latest phishing trends.
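As a defensive illustration of the URL check described above, the following Python script (added here; it is not code from Perception Point or from any of the platforms named) flags hosts that impersonate the brand domains the article mentions. It assumes the LEGIT_DOMAINS allowlist and uses constructed sample URLs, none of which are real phishing sites.

```python
from urllib.parse import urlsplit

# Legitimate registrable domains of the brands the article names (assumed allowlist).
LEGIT_DOMAINS = {"etsy.com", "stripe.com", "upwork.com", "reverb.com", "behance.net"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    swaps, so 'esty' and 'stipe' are each one edit from the real brand label."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        row = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, row[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            row.append(cost)
        rows.append(row)
    return rows[-1][-1]


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unknown' for the host part of a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    registrable = ".".join(labels[-2:])  # simplification: ignores suffixes like co.uk
    if registrable in LEGIT_DOMAINS:
        return "legit"
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # Brand used as a subdomain of an unrelated domain (etsy.com.verify-pay.example)
        # or embedded in the registrable label (stripe-checkout.example).
        if brand in labels[:-2] or brand in labels[-2]:
            return "lookalike"
        # One dropped, added, changed or swapped letter in the registrable label.
        if osa_distance(labels[-2], brand) == 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs for demonstration only.
    for sample in ("https://www.etsy.com/your/shop/payments",
                   "https://etsy.com.verify-payment.example/pay",
                   "https://esty.com/login", "https://stipe.com/checkout",
                   "https://stripe-checkout.example/", "https://example.org/"):
        print(f"{classify_url(sample):9s} {sample}")
```

Short brand labels make the one-edit rule prone to false positives (a legitimate four-letter domain can sit one letter away from "etsy"), so treat a "lookalike" result as a signal for review rather than a verdict.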