New Phishing Campaign Exploits LiveChat to Steal Sensitive Data
A sophisticated phishing campaign is leveraging LiveChat, a widely used customer service SaaS platform, to deceive victims into surrendering personal and financial information. Unlike traditional phishing attacks that direct users to fake login pages, this operation embeds malicious interactions within legitimate-looking live chat sessions, making detection harder.
The campaign targets users through two distinct email lures:
- A PayPal-themed email claiming a $200 refund, prompting recipients to click a "View Transaction Details" button.
- A generic order confirmation email urging users to verify a pending order via a "View Update" link, with no brand name visible until after the click.
Both emails direct victims to LiveChat-hosted pages under the domain lc[.]chat, where automated chatbots or scripted agents impersonate support representatives from PayPal or Amazon. The PayPal variant uses a chatbot to guide users to a fake login page, capturing credentials and multi-factor authentication (MFA) codes before requesting billing details. The Amazon version collects email, phone number, date of birth, and home address under the guise of identity verification, followed by credit card details for a supposed refund.
The attack employs multi-stage data harvesting, with operators using misspelled phrases and awkward phrasing to mimic human interaction. Victims are reassured with false security claims, such as promises of "utmost confidentiality," to encourage compliance. After submitting sensitive data, users are redirected to a confirmation message, obscuring the theft.
Security researchers warn that unsolicited refund or order confirmation emails leading to chat interfaces rather than official brand websites should be treated with suspicion. Requests for MFA codes, credit card numbers, or personal details via chat are key indicators of compromise. Organizations are advised to monitor and block traffic to lc[.]chat domains linked to this campaign.
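The triage check this advice implies, as an added example that is not from the source article: it scans an email body for links that lead to a host under the lc[.]chat domain and notes whether the link text matches the two button labels quoted above. The function names and the sample messages (including the subdomain `chat-a`) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain named in the article, refanged from lc[.]chat; button labels quoted in the lures.
WATCHED_DOMAINS = {"lc[.]chat".replace("[.]", ".")}
LURE_TEXT = re.compile(r"view (transaction details|update)", re.I)

def on_watched_domain(host):
    """True for a watched domain or any subdomain; matches on label boundaries only."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def triage_email(html):
    """Return one finding per link whose host sits under a watched domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname
        if on_watched_domain(host):
            findings.append({"host": host, "text": text,
                             "lure_text": bool(LURE_TEXT.search(text))})
    return findings

# Constructed sample bodies; the second holds look-alike hosts that must not match.
SAMPLE_LURE = '<p>Your $200 refund is ready.</p><a href="https://chat-a.lc.chat/0/">View  Transaction Details</a>'
SAMPLE_BENIGN = '<a href="https://notlc.chat/x">View Update</a> <a href="https://lc.chat.example.com/">Help</a>'

if __name__ == "__main__":
    print(triage_email(SAMPLE_LURE), triage_email(SAMPLE_BENIGN))
```

A hit on the domain alone is a triage signal, not a verdict, since lc[.]chat also hosts legitimate LiveChat pages; the `lure_text` flag helps rank which hits to review first.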
Source: https://cybersecuritynews.com/phishers-abuse-livechat-support-tools/
{
  "id": "LIVPAY1773735888",
  "linkid": "livechatcom, paypal",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Fintech',
                        'name': 'PayPal',
                        'type': 'Financial Services'},
                       {'industry': 'Retail',
                        'name': 'Amazon',
                        'type': 'E-commerce'},
                       {'industry': 'Customer Service',
                        'name': 'LiveChat',
                        'type': 'SaaS Platform'}],
 'attack_vector': 'Email (Phishing Lures), Malicious LiveChat Sessions',
 'customer_advisories': 'Users should be cautious of unsolicited refund or '
                        'order confirmation emails leading to chat interfaces. '
                        'Avoid sharing MFA codes, credit card numbers, or '
                        'personal details via chat.',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Email, Phone Number, '
                                                        'Date of Birth, Home '
                                                        'Address',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'MFA Codes',
                                              'Billing Details',
                                              'Personally Identifiable '
                                              'Information (PII)',
                                              'Credit Card Details']},
 'description': 'A sophisticated phishing campaign is leveraging LiveChat, a '
                'widely used customer service SaaS platform, to deceive '
                'victims into surrendering personal and financial information. '
                'The campaign embeds malicious interactions within '
                'legitimate-looking live chat sessions, targeting users '
                'through PayPal-themed and generic order confirmation emails. '
                'Victims are directed to LiveChat-hosted pages where automated '
                'chatbots or scripted agents impersonate support '
                'representatives to harvest sensitive data.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'PayPal, Amazon, and LiveChat',
            'data_compromised': 'Personal and financial information '
                                '(credentials, MFA codes, billing details, '
                                'email, phone number, date of birth, home '
                                'address, credit card details)',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High'},
 'initial_access_broker': {'entry_point': 'Email Phishing Lures'},
 'lessons_learned': 'Unsolicited refund or order confirmation emails leading '
                    'to chat interfaces should be treated with suspicion. '
                    'Requests for MFA codes, credit card numbers, or personal '
                    'details via chat are key indicators of compromise.',
 'motivation': 'Financial Gain, Data Theft',
 'post_incident_analysis': {'corrective_actions': 'Block malicious domains, '
                                                  'enhance user education, '
                                                  'implement stricter chat '
                                                  'interface monitoring',
                            'root_causes': 'Exploitation of legitimate '
                                           'LiveChat services for phishing, '
                                           'social engineering tactics'},
 'recommendations': 'Monitor and block traffic to lc[.]chat domains linked to '
                    'this campaign. Educate users on identifying phishing '
                    'attempts via chat interfaces.',
 'response': {'enhanced_monitoring': 'Organizations advised to monitor and '
                                     'block traffic to lc[.]chat domains'},
 'title': 'New Phishing Campaign Exploits LiveChat to Steal Sensitive Data',
 'type': 'Phishing',
 'vulnerability_exploited': 'Social Engineering, Impersonation of Legitimate '
                            'Services'}