LiveChat Abuse: How Phishers Are Exploiting SaaS Support Tools to Steal Sensitive Data
A novel phishing campaign is abusing the legitimate LiveChat SaaS platform to impersonate brands like PayPal and Amazon. By engaging victims in real-time chat interfaces using automated bots or human operators, attackers successfully harvest sensitive information, including account credentials, multi-factor authentication (MFA) codes, personally identifiable information (PII), and credit card details.
Authors: Cobi Aloia, Mark Deomampo
Source:
Cofense
- URLs:
  - hxxps://api[.]telegram[.]org/bot8584408242:AAGFK13zX70Zq_ezkA-BUAr-x6Jn308BlmI/sendMessage - Telegram API endpoint used by the threat actors for data exfiltration.
  - hxxps://direct[.]lc[.]chat/19252309 - Stage 2 LiveChat payload URL for the Amazon lure campaign.
  - hxxps://direct[.]lc[.]chat/19449368 - Stage 2 LiveChat payload URL for the PayPal lure campaign.
  - hxxps://t[.]co/56TlmnQA0M - Stage 1 email infection URL for the Amazon lure campaign.
  - hxxps://www[.]govnet[.]co[.]za/?redirect=hxxps://direct[.]lc[.]chat/19449368 - Stage 1 email infection URL for the PayPal lure campaign (open-redirect parameter pointing at the Stage 2 LiveChat URL).
  - hxxps://www[.]paypalrefund[.]workers[.]dev/en?utm_medium=chat&utm_campaign=link-shared-in-chat&utm_source=livechat.com&utm_content=direct.lc.chat - External phishing page hosted on Cloudflare Workers used to harvest PayPal credentials, billing info, and credit card details.
Key Takeaways
- Threat actors are abusing the legitimate SaaS customer service tool LiveChat to conduct sophisticated phishing campaigns.
- The campaigns impersonate major brands like PayPal and Amazon using refund and order update lures to build trust.
- Attackers use both automated bots and human-operated chats to harvest credentials, MFA codes, PII, and credit card details in real-time.
- The PayPal variant redirects users to external phishing pages hosted on Cloudflare Workers, while the Amazon variant harvests data directly within the chat interface.
- Stolen data is exfiltrated using the Telegram API.
Affected Systems
- Web Browsers
- LiveChat SaaS Platform
Attack Chain
The attack begins with a phishing email containing a lure for a refund or order update. Clicking the link directs the victim to a LiveChat interface hosted on the legitimate lc.chat domain, impersonating brands like PayPal or Amazon. In the chat, either an automated bot or a human operator engages the victim to build trust. The victim is then either redirected to an external phishing page (e.g., hosted on Cloudflare Workers) or asked directly in the chat to provide credentials, PII, credit card details, and MFA codes. Stolen data is subsequently exfiltrated, in some cases using the Telegram API.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules (YARA, Sigma, etc.), but lists actionable IOCs including URLs, domains, and IP addresses.
Detection Engineering Assessment
- EDR Visibility: Low. This is primarily a web-based phishing attack that interacts with SaaS platforms; endpoint EDR only sees ordinary browser network connections.
- Network Visibility: Medium. Proxy and DNS logs can capture connections to the known malicious URLs and unusual Telegram API usage, but traffic to legitimate SaaS such as LiveChat is encrypted and common.
- Detection Difficulty: Hard. Because the chat interface and the harvesting page sit on legitimate platforms (LiveChat, Cloudflare Workers), domain-level blocking causes false positives for legitimate business use; detection has to work at the URL, path, or sequence level.
Required Log Sources
- Proxy Logs
- DNS Logs
- Email Gateway Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Users clicking links in emails that redirect to direct.lc.chat followed shortly by connections to workers.dev domains may indicate interaction with this phishing campaign. | Proxy Logs, Email Gateway Logs | Execution | Medium |
| Unexpected outbound connections to api.telegram.org/bot* from user endpoints shortly after a visit to direct.lc.chat or a workers.dev page may indicate client-side exfiltration by the phishing page. This only fires if the kit submits stolen data from the victim's browser rather than from attacker-side infrastructure. | Proxy Logs, DNS Logs | Exfiltration | Low |
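The attack chain and the two hunting hypotheses above can be expressed as a small correlation script. The following is an added example, not code from the Cofense report: it refangs the published URL IOCs, unwraps the `?redirect=` hop seen in the PayPal Stage 1 link so the LiveChat destination is matched rather than the outer host, and runs three rules over a proxy log. The log lines, user names, Telegram bot token, the extra redirect parameter names, and the 10-minute correlation window are all constructed assumptions for the demonstration.

```python
"""Hunt for the LiveChat lure chain in web-proxy logs.

Added example, not code from the Cofense report. The proxy log lines, user
names, Telegram bot token and 10-minute correlation window are constructed.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Stage 2 and credential-harvesting URLs from the report, kept defanged as published.
DEFANGED_IOCS = [
    "hxxps://direct[.]lc[.]chat/19252309",            # Amazon lure chat
    "hxxps://direct[.]lc[.]chat/19449368",            # PayPal lure chat
    "hxxps://www[.]paypalrefund[.]workers[.]dev/en",  # PayPal harvesting page
]

# Query keys treated as open-redirect parameters. Only "redirect" was seen in
# the report; the others are an assumption based on common practice.
REDIRECT_KEYS = ("redirect", "url", "next")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a matchable URL."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def final_destination(url: str, max_hops: int = 5) -> str:
    """Unwrap ?redirect=<url> style hops to the innermost absolute URL."""
    for _ in range(max_hops):
        query = parse_qs(urlsplit(url).query)
        inner = next((v[0] for k, v in query.items()
                      if k.lower() in REDIRECT_KEYS and v), None)
        if not inner or not inner.lower().startswith(("http://", "https://")):
            return url
        url = inner
    return url


# Constructed proxy log: "<ISO timestamp> <user> <url>", one request per line.
SAMPLE_PROXY_LOG = """\
2025-01-14T09:01:05 alice https://mail.example.com/inbox
2025-01-14T09:01:40 alice https://www.govnet.co.za/?redirect=https://direct.lc.chat/19449368
2025-01-14T09:01:41 alice https://direct.lc.chat/19449368
2025-01-14T09:04:10 alice https://www.paypalrefund.workers.dev/en?utm_medium=chat&utm_source=livechat.com
2025-01-14T09:04:55 alice https://api.telegram.org/bot1234567890:AAExampleTokenNotReal/sendMessage
2025-01-14T10:15:00 bob https://t.co/56TlmnQA0M
2025-01-14T10:15:02 bob https://direct.lc.chat/19252309
2025-01-14T11:30:00 carol https://direct.lc.chat/12345678
2025-01-14T11:31:00 carol https://www.example.com/
2025-01-14T12:00:00 dave https://docs.example.workers.dev/
"""


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, user, final_url) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, url = line.split(" ", 2)
        events.append((datetime.fromisoformat(stamp), user, final_destination(url)))
    return events


def hunt(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Apply a known-IOC match plus the two hunting hypotheses; return findings."""
    known = [refang(ioc) for ioc in DEFANGED_IOCS]
    last_livechat = {}  # user -> time of most recent direct.lc.chat visit
    findings, seen = [], set()

    def add(user, stamp, rule, url):
        if (user, rule, url) not in seen:  # one finding per user/rule/url
            seen.add((user, rule, url))
            findings.append({"user": user, "time": stamp, "rule": rule, "url": url})

    for stamp, user, url in sorted(events):
        parts = urlsplit(url)
        host = parts.hostname or ""
        # Rule 1: published IOC (prefix match, so tracking parameters don't matter)
        if any(url.startswith(k) for k in known):
            add(user, stamp, "known_ioc", url)
        # Rule 2: LiveChat visit followed within the window by a workers.dev page
        if host == "direct.lc.chat":
            last_livechat[user] = stamp
        elif (host.endswith(".workers.dev") and user in last_livechat
              and stamp - last_livechat[user] <= window):
            add(user, stamp, "livechat_then_workers_dev", url)
        # Rule 3: Telegram Bot API reached from a user endpoint
        if host == "api.telegram.org" and parts.path.startswith("/bot"):
            add(user, stamp, "telegram_bot_api", url)
    return findings


def run_example() -> list:
    return hunt(parse_log(SAMPLE_PROXY_LOG))


if __name__ == "__main__":
    for f in run_example():
        print(f["time"].isoformat(), f["user"], f["rule"], f["url"])
```

In the constructed log, alice's chain (redirect to LiveChat, workers.dev page, Telegram bot call) produces findings on all three rules, bob's Amazon-lure chat matches the published IOC, and carol's unknown LiveChat widget and dave's unrelated workers.dev site produce nothing, which is the false-positive boundary the assessment above describes.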
Control Gaps
- Email filtering (bypassed due to legitimate SaaS links)
- Web proxy (legitimate SaaS domains often uninspected)
Key Behavioral Indicators
- Emails containing links to direct.lc.chat with financial or urgency lures
- Redirections from URL shorteners (t.co) or compromised sites to LiveChat URLs
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Block the identified malicious URLs in web proxies and email gateways. Treat the listed IP addresses with care: most sit in shared CDN and SaaS edge ranges (Cloudflare, Akamai and Telegram address space), so IP-level firewall blocks will also break legitimate traffic. Prefer full-URL or path-level blocks where the proxy supports them.
- Search email gateways for messages containing the identified infection URLs and remove them from user inboxes.
Infrastructure Hardening
- Implement strict email filtering rules to flag or quarantine messages containing links to direct.lc.chat if not used for legitimate business purposes.
- Monitor and potentially restrict access to Telegram API endpoints if not required for business operations.
User Protection
- Deploy phishing-resistant MFA (e.g., FIDO2/WebAuthn). The credential is bound to the site origin, so an OTP or approval coaxed out of the victim in a chat cannot be replayed by the attacker.
Security Awareness
- Educate users on the risks of providing sensitive information, such as credit card details and MFA codes, within customer support chat interfaces.
- Train employees to verify the authenticity of refund or order update emails by navigating directly to the vendor's official website rather than clicking links.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1056.002 - Input Capture: GUI Input Capture
- T1111 - Multi-Factor Authentication Interception
- T1589.001 - Gather Victim Identity Information: Credentials
- T1071.001 - Application Layer Protocol: Web Protocols
Additional IOCs
- IPs:
  - 104[.]21[.]90[.]116 - Infection URL IP for PayPal lure
  - 172[.]67[.]200[.]101 - Infection URL IP for PayPal lure
  - 23[.]48[.]203[.]38 - Payload IP for PayPal lure
  - 104[.]21[.]20[.]86 - Payload IP for PayPal lure
  - 149[.]154[.]166[.]110 - Payload IP for PayPal lure
  - 23[.]48[.]203[.]39 - Payload IP for PayPal lure
  - 172[.]67[.]192[.]3 - Payload IP for PayPal lure
  - 162[.]159[.]140[.]229 - Infection URL IP for Amazon lure
  - 23[.]53[.]11[.]166 - Payload IP for Amazon lure
  - 23[.]53[.]11[.]176 - Payload IP for Amazon lure
  - 23[.]53[.]11[.]168 - Payload IP for Amazon lure
  - 23[.]53[.]11[.]171 - Payload IP for Amazon lure
- Domains:
  - www[.]govnet[.]co[.]za - Compromised or malicious domain used in Stage 1 email infection
  - direct[.]lc[.]chat - Legitimate LiveChat domain abused for hosting the phishing chat interface
  - www[.]paypalrefund[.]workers[.]dev - Cloudflare Workers domain hosting the PayPal credential harvesting page
  - api[.]telegram[.]org - Legitimate Telegram API domain abused for exfiltration
  - t[.]co - Twitter URL shortener abused in Stage 1 email infection