Researchers from the Cofense Phishing Defense Center (PDC) have detailed a complex phishing tactic that aims at stealing PayPal credentials. It starts with an email that would only raise a red flag if the sender field were checked. The email asks to initiate a chat with the targeted user regarding an account issue. When viewing the body of the email it looks quite legitimate. However, if the “Confirm Your Account” area is hovered over it can be noticed that the link does not lead to PayPal and rather direct[.]lc[.]chat, but this could trick a lot of people. If a chat is initiated with a potential victim, automated scripts are used to attempt to acquire some basic information like physical address, email address, and phone number. If this is successful, the threat actors will then try to get the users payment information and then verify their information through email or by calling their phone number.
Analyst Notes
It’s interesting to see how threat actors will approach these campaigns and go beyond the basic fake login page or request of information through email. When encountering more well put together efforts like this, users should make it a regular task to look at headers and check out links before they are visited by hovering over them.
PayPal Credential Phishing Accomplished through Live Chat Service
IOCs:
Indicators of Compromise IP
hXXps://direct[.]lc[.]chat/12924651/ 23.212.251.151
