Phishing attack via LiveChat: credit card and personal data are being stolen

Recent cybersecurity research has revealed a new phishing campaign in which attackers abuse the customer support platform LiveChat to steal users’ credit card information and other sensitive personal data.

According to experts, as part of the campaign, the attackers impersonate well-known e-commerce and payment services and engage with victims through online chat. Using real-time social engineering tactics, they prompt users to disclose account credentials, credit card details, multifactor authentication (MFA) codes, and other personally identifiable information.

During the investigation, two primary attack vectors used in the campaign were identified. In both cases, users receive fraudulent messages designed to create a sense of urgency, trusted brands are impersonated, and sensitive data is ultimately obtained from victims through interactions conducted via LiveChat. According to the researchers’ assessment, the poor grammar and punctuation observed in the chat conversations suggest that the operation was carried out by a human operator following a prepared script, rather than by an automated bot.

In the first scenario, the victim receives a spoofed email claiming that a refund is available. The message states that the user will receive a certain amount of money and encourages them to click a link to view the transaction details. That link redirects the user to a LiveChat-hosted page designed to resemble a legitimate customer support interaction. There, the operator instructs the victim to visit an external phishing site under the pretext of completing the refund process and prompts them to enter their account credentials. In the next stage, the victim is asked to provide the MFA code sent to their mobile phone, followed by additional billing and identity information, including their date of birth and credit card details.

In the second attack scenario, the user receives a generic fraudulent message claiming that an order is pending confirmation. The embedded link leads to a page asking the user to enter an email address before initiating a chat. After that, a human operator joins the conversation, impersonates a customer support representative, and begins requesting further personal information from the user. The victim is then told that a refund is available but that card details are missing, and is asked to provide the credit card number, expiration date, and security code.

Experts note that although various phishing techniques have long been used to deceive users, abuse of the LiveChat platform in this manner is considered one of the first recorded cases of its kind. The method has also been described as, in essence, an online form of vishing, in which live interaction is used to build trust, lower the victim’s level of caution, and thereby increase the likelihood of successful data theft.
