Cybercriminals Exploit LiveChat Platform to Launch Real-Time Phishing Attacks Mimicking PayPal and Amazon

Security researchers have uncovered a new phishing operation that abuses LiveChat, a widely used customer support tool that provides live messaging and AI-driven assistance.

Unlike traditional phishing attempts that rely on fake refund pages or login forms, this campaign interacts with victims through a real-time chat interface. Attackers pretend to represent trusted brands and use the conversation to collect sensitive data, including:

  • Login credentials
  • Credit card information
  • Multi-factor authentication (MFA) codes
  • Personally identifiable information (PII)

This method increases credibility by mimicking genuine customer support interactions.

Source: Cofense

Initial Infection Vector (Email Lures)

The attack begins with phishing emails that use different psychological triggers:

Email Variant 1 – PayPal Refund Theme

  • Claims the recipient will receive $200 USD
  • Includes a button labeled “View Transaction Details”
  • Uses branding similar to PayPal

This version targets curiosity and financial incentive.

Email Variant 2 – Amazon Notification Theme

  • Provides vague order or account-related messaging
  • Includes a “View Update” button
  • No clear branding initially, increasing ambiguity

This version creates urgency and confusion, making users more likely to click.


Attack Flow Overview

Step 1: Redirection to LiveChat

Clicking the link redirects victims to a page hosted on the lc[.]chat domain, part of the LiveChat infrastructure.

  • One page imitates PayPal
  • The other imitates Amazon

Step 2: Chat-Based Engagement

The interaction differs slightly:

  • PayPal version → Automated or bot-driven messages appear instantly
  • Amazon version → User must enter an email before chat begins

Credential Harvesting Techniques

Amazon-Themed Attack (Human-Driven Interaction)

In this variant, the attacker operates manually through chat:

  1. Victim is greeted with messages like “Unlock your Pending Refund”
  2. The attacker asks for:
    • Email confirmation
    • Phone number
    • Date of birth
    • Address
  3. The conversation includes noticeable errors:
    • Misspellings (e.g., “Ello”)
    • Incorrect punctuation

These signs indicate a real human operator, not automation.

  4. The attacker then requests:
    • Credit card number
    • Expiry date
    • CVC

To reduce suspicion, they add reassurance such as:

“Your information will be handled with confidentiality.”

This stage clearly reveals the intent: direct financial data theft via chat.


PayPal-Themed Attack (Multi-Step Phishing Chain)

This version uses a more structured approach:

  1. Victim is redirected to a fake login page
  2. A legitimate-looking MFA code is sent to the user
  3. Victim enters the code, which is captured by the attacker

Follow-up Data Collection

The victim is then prompted to submit:

  • Billing information
  • Date of birth (unusual for billing forms)

Final Stage

  • Another form requests full card details
  • A second MFA code is requested
  • Victim is redirected back to chat and told the refund is complete

This sequence enables attackers to:

  • Bypass MFA protections
  • Take control of accounts
  • Conduct financial fraud

Key Observations

  • Real-time chat reduces user suspicion compared to static phishing pages
  • Combining automation with human interaction increases effectiveness
  • Use of trusted brands like PayPal and Amazon improves credibility
  • Attackers collect both authentication data and financial information

Indicators of Compromise (IOCs)

Email 1 (PayPal-Themed)

Stage 1 – Infection URLs

  • hXXps://www[.]govnet[.]co[.]za/?redirect=…

Associated IPs:

  • 104.21.90.116
  • 172.67.200.101

Stage 2 – Payload URLs

  • hXXps://direct[.]lc[.]chat/19449368
  • hXXps://www[.]paypalrefund[.]workers[.]dev/…
  • hXXps://api[.]telegram[.]org/…

Associated IPs:

  • 23.48.203.38
  • 104.21.20.86
  • 149.154.166.110
  • 23.48.203.39
  • 172.67.192.3

Email 2 (Amazon-Themed)

Stage 1 – Infection URL

  • hXXps://t[.]co/56TlmnQA0M

Associated IP:

  • 162.159.140.229

Stage 2 – Payload URL

  • hXXps://direct[.]lc[.]chat/19252309

Associated IPs:

  • 23.53.11.166
  • 23.53.11.176
  • 23.53.11.168

Conclusion

This campaign highlights how phishing tactics are evolving beyond traditional methods. By integrating live chat platforms, attackers create a more convincing and interactive experience that lowers user defenses.

The attack combines multiple techniques:

  • Brand impersonation
  • Social engineering
  • Credential harvesting
  • Financial fraud

Because these threats closely resemble legitimate support interactions, automated detection alone is not sufficient.

Organizations should invest in:

  • User awareness training
  • Real-time threat intelligence
  • Dedicated phishing analysis teams

A proactive defense model is critical to detect and stop these advanced phishing attempts before they lead to account compromise or financial loss.