Phishing websites use chatbots to steal information

Some phishing attacks now use an artificial chatbot to lead visitors through the process of providing login information to the attackers. This strategy is smart since it automates the procedure for attackers while also giving the illusion of authenticity. Chatbots can often be found on legitimate brand websites.

Researchers at Trustwave noticed this new technique in phishing attacks. Customer care Chatbots are instant messaging applications that pretend to be human. As a first line of client service, they’re typically seen on e-commerce websites.

How does it work?

The attackers send a single email that seems to be about a parcel delivery. DHL, a well-known package shipping service, seems to be the sender of the email. The phishing tactic is unique in that it still employs email as a delivery mechanism.

Phishing Email
Phishing Email (Trustwave)

A button “Please follow our instructions” is included within the email. When the victim clicks, a PDF file with connections to the phishing site is downloaded. To get around email security software, attackers include phishing URLs in the PDF document.

Email With Malicious link
PDF file with malicious links to download (Trustwave)

The URL to the phishing site is contained in a PDF document. A website containing a chatbot appears when the user clicks on the link. The delivery was cancelled due to broken label, according to the automatic software. As a result, different information, such as a home address and phone number, must be provided.

The victim is sent to a phishing site using the URL button on the PDF. They should be able to resolve any issues that have caused a shipment undeliverable there.

Chatbot steals credentials in a phishing attack

The first phase is to interact and create trust with the victim using a chatbot-like interface. Instead of being presented a fake login form often used to steal credentials. When the phishing website appears, users are prompted with a web chat explaining why the delivery could not be delivered.

The package’s label was broken, which prevented delivery, according to this webchat. To add to the authenticity of the scam, the webchat also shows an image of the claimed parcel.

Chatbot Messages
More information and instructions are sent to the recipient by the “chatbot.” (Trustwave)

The visitor receives pre-programmed responses from this virtual assistance. This keeps the conversation on topic and leads directly to a photo of the supposed damaged shipment.

The phishing site’s chatbot, after explaining the situation, requests personal information from the victim. Following that, the delivery should be scheduled. The phishing site looks to be more convincing because to a new fake step called CAPTCHA .

The CAPTCHA is proved to be nothing more than an attached JPEG image file by inspecting the website source.

Captcha Image

After that, the victim is sent to a phishing page where they must enter their DHL account details. Then there’s a payment step, which is supposed to cover shipping costs.

All the normal credit card payment information is available on the final “Secure Pay” page. It contains the name, card number, expiration date, and CVV code of the cardholder.

Credit Card Information Harverting
Credit card payment harvesting (Trustwave)

There are several input validation methods on the credit card page. The first is card number validation, which tries to identify the legitimacy of the card number and card type. The victim will receive an SMS with a one-time password if they enter their information and click the “Pay Now” button.

OTP Code To Victim Phone Number
OTP Sent to Victim Phone Number (Trustwave)

When Trustwave’s analysts tried inputting random characters, the system returned an error indicating an invalid security code. This means the OTP verification is working properly. The fake website displays a “Thank you!” message and acknowledges receipt of the submission if the proper code is entered.

Phishing attacks are becoming harder to identify

Cybercriminals are increasingly exploiting CAPTCHAs, OTPs, and even chatbots, which are often seen on actual websites. This makes it difficult for victims to detect efforts to steal their personal data.

We must be careful when we receive emails, especially if they need fast action and have built-in buttons and links.

Do not open any emails from DHL or any other service that contain a link to their website. Rather, manually open the company’s official website in a new tab of your browser. Embedded links should not be clicked on. Then, on the trusted platform, log in to your account and look for any pending items or notifications.

Always go through your inbox for anything unusual. Examine the website’s URL. Avoid any response and do not provide personal information if it appears shady or does not match the authorized domain. The fake DHL URL in this example finishes with the domain “,” which is clearly not the DHL website.

Has your organisation started to increase cyber security measures yet? Start your two-week free trial today.

Recent posts