A newly identified phishing campaign is turning legitimate customer service software into a weapon for stealing sensitive user data. <\/p>\n
Attackers have been found abusing LiveChat, a widely used Software-as-a-Service (SaaS) platform that businesses rely on for real-time customer support, to carry out convincing phishing operations against unsuspecting victims. <\/p>\n
The campaign marks a clear shift from traditional phishing methods toward ones that feel more personal and harder to detect.\u200b<\/p>\n
Unlike typical phishing emails that drop users onto fake login pages, this approach places victims inside a live chat window, where they believe they are speaking with a real support agent from brands like PayPal or Amazon. <\/p>\n
The setup is designed to make every interaction feel genuine, blurring the line between a real customer service session and a well-crafted trap. <\/p>\n
Victims are drawn in through carefully worded emails promising refunds or order confirmations, with links hosted under LiveChat\u2019s own domain \u2014 lc[.]chat.\u200b<\/p>\n
Cofense researchers identified this campaign<\/a> after analyzing two separate phishing email variants, each carrying a different lure and brand identity. <\/p>\n The first email spoofed PayPal, notifying recipients of an incoming $200.00 refund and urging them to click a \u201cView Transaction Details\u201d button. <\/p>\n The second email was more generic, claiming an order was pending and needed confirmation through a \u201cView Update\u201d hyperlink, with no visible brand name until the user clicked through. <\/p>\n Both emails used social engineering<\/a>: the first preyed on financial curiosity, while the second used urgency and ambiguity to push the user to act.\u200b<\/p>\n Once clicked, both links led users to separate LiveChat-hosted pages, each impersonating a different brand. <\/p>\n The PayPal-branded page loaded an automated chat bot that immediately engaged the user, while the Amazon-branded page first asked for an email address before the \u201cagent\u201d appeared. <\/p>\n Despite different setups, both pages shared the same goal \u2014 to extract as much personal and financial data as possible through what looked like a legitimate customer support session.\u200b<\/p>\n Data collection in this campaign unfolded in deliberate, layered steps. In the Amazon version of the threat, the chat agent asked for the user\u2019s email address, phone number, date of birth, and home address \u2014 all framed as routine identity verification. <\/p>\n The language was noticeably rough, with misspellings like \u201cEllo\u201d and awkward punctuation throughout, suggesting a human operator working from a scripted playbook rather than an automated system.\u200b<\/p>\n As the chat continued, the agent claimed a $200.00 refund was ready but that the user\u2019s card details were not on file. <\/p>\n The attacker asked for a full credit card number, expiration date, and CVC \u2014 assuring the user that the information would be handled with \u201cthe utmost confidentiality,\u201d a common tactic used to ease the victim into compliance.\u200b<\/p>\n The PayPal variant took a different path. After the chat bot shared an external link, victims were taken to a fake PayPal login page<\/a> where they entered their credentials. <\/p>\n The attacker captured the MFA code<\/a> sent to the user\u2019s phone, using it to bypass two-factor authentication.\u00a0<\/p>\n A billing form followed, requesting the user\u2019s date of birth alongside standard card details \u2014 an unusual combination meant to build a complete financial and identity profile.\u00a0<\/p>\n A final MFA prompt<\/a> was presented, and after submission, the victim was redirected to the LiveChat window with confirmation that the refund was on its way.\u00a0<\/p>\n Users and organizations should treat any unsolicited email about refunds or order confirmations with caution, particularly when it routes through a chat link instead of an official brand website. <\/p>\n Requests for MFA codes, credit card numbers, or dates of birth through any chat interface are strong red flags that should prompt immediate disengagement. <\/p>\n Security teams are advised to monitor for outbound traffic<\/a> to lc[.]chat domains and block known malicious URLs tied to this campaign to reduce exposure.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Phishers Abuse LiveChat Support Tools to Steal Sensitive Data in New SaaS-Based Attack Tactic<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Email](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg1vXCqzlImghS65N7m6_Bk_afh9H5hv7jrHc71cq3f2iEmr5TtgewbbBZETlEC5tAoeabCDJSZIdop-r9CYAZ6OaKcnPRiqYadPxQAoe5ySbsdxmTfO4GsebyAW054mFMs632bZhG-Hsmczyex-wWpTYgpXEg9_ZiPTmuVOI1Vbj7wnAlnVtMyBCwcT4Q\/s16000\/Email%25201%2520and%2520Email%25202%2520Body%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhCZkBWx7PL1MnUSrpL3n62msrYMgWWsphX_Q9te_aGNkzxQRMsdYyeGa33xb-iOMr57xxQOlPuOoxuvDA9b6As8qysEA2AAzgPn_yD6JBksHWveKjF-GBz4wnIMURZP_f2pLZxsXehWFy9uZ6yGBk6gTCt6LF1FGpo-uCPUhD5QrmPEFe1JLhzAjEICik\/s16000\/Email%25201%2520-%2520LiveChat%2520Prompt%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")
Multi-Stage Data Harvesting in Action<\/strong><\/h2>\n
![\"Email](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiMS-MwcTRPI7k4hq5ksOdMekn6DDnTwXBwmWyBTGQ8BT2FXHO4m5dW7e2zyxb88odJO-exV9NJdwEGtLuBuj5JG9AfLHLs8vQiE0ebcz_2kuuZ1bQKmNvJHrG-sboHUnvsmxPzBKIJytx_E_gbmY_InW8ZDWe0URv4IelDJs7rm_vLHk2aCBUx0IuMztg\/s16000\/Email%25202%2520-%2520LiveChat%2520Prompt%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgdoSlmuxx1jv0zIewUTWnt4SHkNi14DIyPBNb2YI9QDHYbzUD3eCW6PjuRG-sCs-K4hjRlTrMaCaM5XmMjbgKAHYRWRaWn_PEJ_tfruhIfsyvpmnNPg-W_kNNoTxlxPbkVD2Q0YvyaTocE5FLJvcGvf2ilCwBGTWbk-u8H4yjHteOA0UfvgEzh4RH9Vwg\/s16000\/Email%25202%2520-%2520LiveChat%2520Harvesting%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjsA3crM3jI_ZVzaVCC-lqm4A0wpfQWdQJLiUvozeCjK3o1fw4nqMERNo_gkeisAy0FqTig45cjCQP11dvtWuqJfSB4P7Y_OGZ8aBX31p1U-XOUG_3XEt-4IEHe2gO4-DnG8kpNV4jUQwwcwvSt1iEBihFmc4D_Qna35QjfE6x7tKdrGIRFeaCt_AZ_FbM\/s16000\/Phishing%2520Page%2520and%2520PayPal%2520MFA%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")
![\"Email](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg47dWz2BQaqp9mkmUkznWkuDdFdZl34-rehklxsuaeGHdezC3dyyfWYyoUw62VpoKV5gdeHhpIHid61IaugtHri1gV04mQ18wG9G40Lk58VHu6NGUrOiIp63HPzYwZnxTMiP_Xwhx2cuFtG99D1vIxXOFnJ3ekU31tps0EcnBsf1-GdCA9107qHhVlg6w\/s16000\/Email%25201%2520-%2520Billing%2520Details%2520and%2520CC%2520Information%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")
![\"CC](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjuld6TKZnXahybow9CrrVlxiSSjFnynpkm9OKE5LM5V_cB57_Y-E799sX7EjtFfbSEWiTQqYyUGV8Ye5KORx5ettkAOyeR9vwXXGBxIt0MXFNSRPCR0JpBxs-3ENEHpBYHMQUIZ7tOBpTVi2PtD-hjxlNpxTtZ79nyHXWANGAGvSnnpgGPntgZGyrhLSQ\/s16000\/CC%2520MFA%2520and%2520Confirmation%2520Message%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")