If you interact, you get caught: A Chatbot phishing campaign
May 25th, 2022 - Written By CyberLabs
Phishing campaigns are usually delivered by email: the links are sent in a message to the intended victim or target. Once clicked, those links open a website, often a single page known as a landing page, that outright asks for personal or sensitive information such as account login credentials, payment card details and other personally identifiable information (PII).
Recently an interesting and quite crafty phishing website was discovered with an interactive twist: a chatbot. Unlike a common phishing website, this one converses with you first to establish rapport, and only then guides the user or victim to the actual phishing pages. The technique is unusual; however, it still uses email as the delivery channel. A closer inspection of the mail header shows that the “From” header is missing the email address component, leaving only a display name, which is an outright red flag on its own.
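One way to automate the header check described above, as an added Python example that is not code from the original post or from CyberLabs: the standard library's `email` parser reads the message, and a pragmatic addr-spec regex (an assumption, not a full RFC 5322 parser) decides whether the From header actually carries an address. The sample messages are constructed for the example.

```python
"""Flag a From: header that has a display name but no email address.

Added example, not code from the original post: the sample messages
below are constructed, and ADDR_SPEC is a pragmatic addr-spec matcher,
not a full RFC 5322 parser.
"""
import email
import re

# Constructed lure: only a quoted display name, no <user@domain> part,
# mirroring the header defect described in the write-up.
SAMPLE_LURE = """\
From: "Parcel Delivery Service"
To: victim@example.com
Subject: Your parcel could not be delivered

Please confirm your delivery details via the link below.
"""

# Constructed normal message for comparison: display name plus address.
SAMPLE_NORMAL = """\
From: "Parcel Delivery Service" <notifications@example-courier.com>
To: victim@example.com
Subject: Your parcel is on its way

Your parcel will arrive tomorrow.
"""

# Constructed message with no From header at all (the other obvious case).
SAMPLE_NO_FROM = """\
To: victim@example.com
Subject: Action required

Click here.
"""

# Pragmatic addr-spec match: local@domain with no whitespace, angle
# brackets or quotes inside either part.
ADDR_SPEC = re.compile(r'[^\s<>"@]+@[^\s<>"@]+')


def from_addresses(raw_message):
    """Return every addr-spec found in the From: header (empty if none)."""
    msg = email.message_from_string(raw_message)
    return ADDR_SPEC.findall(msg.get("From", ""))


def from_header_findings(raw_message):
    """Return a list of red flags about the From: header; empty means clean."""
    msg = email.message_from_string(raw_message)
    value = msg.get("From")
    findings = []
    if value is None:
        findings.append("no From header at all")
        return findings
    if not ADDR_SPEC.search(value):
        findings.append(
            "From header has a display name but no email address: %r" % value
        )
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE),
                          ("normal", SAMPLE_NORMAL),
                          ("no-from", SAMPLE_NO_FROM)):
        print(label, from_header_findings(sample) or "ok")
```

Run it as a script to see the three verdicts, or feed `from_header_findings` the raw source of a suspicious message exported from a mail client. A mail gateway would normally reject or rewrite such a header, so seeing one in the inbox is worth a second look before anything in the message is clicked.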
The first step of the campaign is a chatbot-like page that tries to engage the target and establish trust. It is called “chatbot-like” because it is not a real chatbot: the page contains predefined, scripted responses keyed to the limited options it offers the user.
As shown in the screenshot, if you continue to interact and provide information, you are asked to schedule the delivery of your supposed order (or whatever it is the chatbot claims is pending). The phishing does not stop there: once you continue, you are redirected to a CAPTCHA to “confirm” the delivery and your details. What does not look right here is that nothing on the page is clickable except the “confirm” button and the “close” button.
An observant user will notice that the CAPTCHA is nothing more than a JPEG image; there is no real challenge behind it. After it, you are directed to a payment gateway where you have to type in your card details, and once that is done you are prompted for an OTP to confirm the transaction. When that step is complete, you have been successfully “phished”.
Chatbots add interactive flair to a phishing campaign and can trick the targeted user into believing that everything is legitimate; however, if you look closely there is usually something that should make you think twice before clicking further. Hence, refrain from clicking on unexpected and unnecessary mails, notifications and alerts. Always check the sender’s email address and look for grammatical and spelling mistakes. And even if the site or page looks 100% real, do not proceed to click.