Phishing website links are generally shared via emails or texts. However, Trustwave spotted a new phishing campaign that makes it interactive via chatbots. The tactic still uses emails as the delivery mechanism but it is pretty unique. The campaign was uncovered in late March and is still active. 

Diving into details

  • The attack starts with a chatbot-like page that attempts to establish communication and trust with the target instead of directly sending an embedded link. 
  • It slowly guides the victim to the actual phishing page.
  • Responses to the bot lead the victim through a fake CAPTCHA, a delivery service’s login page, and the final page that steals credit card information.

Why this matters

This campaign serves as an instance of the creativity of cybercriminals attempting to exfiltrate credit card information. However, not the entire campaign is sophisticated. While the CAPTCHA is just a jpeg file, the credit card page executes some things in the background. It possesses some input validation methods, one of which is card number validation. 

Other creative phishing schemes for credit card information

  • In April, threat actors were using fake security alerts from well-known banks, such as Citibank, Citizens Bank, Chase, and Wells Fargo. The scammers claimed that the victims’ bank accounts were facing some safety issues and tricked them to click on malicious links. 
  • Recently, a new skimmer-as-a-service, known as Caramel, was discovered being sold to Russian-speaking hackers. Sold by CaramelCorp, a Russian cybercrime organization, the skimmer kit has gained traction among low-skilled cybercriminals. 

The bottom line

Threat actors are trying to make their campaigns look genuine to attract more victims and it seems to be working. Using CAPTCHAs, chatbots, or OTPs is making it really hard for targets to spot the crime. There is a need for greater vigilance regarding unsolicited communications, especially if there are some kind of embedded links or buttons. The best way to spot phishing attacks is by logging in to your account from a trusted platform and checking for alerts.

Cyware Publisher