A phishing campaign was discovered by cybersecurity researchers utilising interactive chatbots to steal user credentials. This campaign is more unorthodox since most phishing attacks are distributed by phishing emails or text messages.
The researchers identified this tactic in the last weeks of March this year, and it is still an ongoing campaign.
The attack initiates with a webpage that appears to be a chatbot. It will then attempt to establish communication and trust with the target instead of immediately sending an embedded URL. The chatbot will slowly guide and redirect the victim to the actual phishing page.
If a target responds to the chatbot, it will lead them to a fake CAPTCHA, the delivery service’s login page, and the final page that will steal credit card information.
Chatbots guided attack is an indication of the unlimited potential of cybercriminals.
Chatbot has been the newest weapon for cybercriminals as it shows how creative they can be. Fortunately for users, this phishing campaign is not entirely sophisticated. The CAPTCHA is only a jpeg file that when the user accesses, the cybercriminal will execute their activities in the background.
The attack also contained validation methods such as card number validation.
Last April, the malicious threat actors used fake security notifications from formidable banks such as Chase, Wells Fargo, Citibank, and Citizens Bank. The scammers claimed that the targeted bank accounts faced several safety issues and deceived them into accessing their malicious links.
In addition, a new skimmer-as-a-service, called Caramel, was uncovered by researchers being offered to Russian-speaking hackers. It was sold by a Russian cybercriminal organisation called CaramelCorp. The skimmer tool has obtained popularity among amateur and cybercriminal wannabes.
As of now, malicious threat groups are attempting to design their campaign to be as genuine as possible to attract more users. The usage of chatbots, OTPs, and CAPTCHAs makes it challenging for targets to identify such illegal activities.
Users should be more vigilant and mindful of these steps to ensure their safety in every transaction. Lastly, the best method of identifying phishing attacks is logging in to an account from a trusted platform and checking alerts.
