
Chatbot Phishing – Conversations with the Dark Web

By Colm Healy 27th May 2022

Increasing use of chatbots being exploited by cybercriminals 

Chatbots are increasingly used by service providers of all types to facilitate conversational interaction with customers. While many continue to prefer interacting by phone or email, chatbots have advantages in terms of immediacy and availability which make them an attractive option in many cases.

The growth in usage of chatbots hasn’t gone unnoticed by cybercriminals. The relatively informal, conversational nature of our interaction with chatbots offers considerable scope for luring unsuspecting customers and employees into revealing sensitive information such as account numbers, credentials, recent transactions and passwords among other things. Recently Corrata and other security researchers identified a particularly well-executed attack based on a fake DHL chatbox.

The attack is initiated with a phishing link delivered via email, SMS or other messaging channels. The link in the phishing message purports to be a DHL “Order Failed” notification. This notification is in the form of a PDF. The PDF itself contains a link to a chatbot page. This two-step process to lure customers to the actual site of the phish has a number of advantages. Firstly, it increases the plausibility of the phish. Secondly, it makes it more likely that the initial message will pass through anti-phishing filtering tools.

Once you reach the page hosting the chatbox you are taken through a series of questions concerning a delivery. The bot asks for login details and proceeds to a “payment” link for redirecting the shipment. An interesting feature of this attack is that it verifies card details and will only allow you to proceed if legitimate details are entered.

The chatbot was originally hosted at www.dhiparcel-management.support-livechat[.]24mhd.com/. We have more recently observed it at www.live-suppor[.]tnet. Our testing on a range of anti-phishing filters has shown that these malicious URLs were still unflagged over 48 hours after the initial attacks began to surface. The precise target geographies for this attack are unknown, though it appears to be particularly prevalent in France. The original phishing domain was registered in France in March. First reports of the attack began to surface in mid-May.
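
A defender-side sketch of the PDF hop and the look-alike hostname described above, added here as an example and not Corrata's own code: it pulls link targets out of a PDF (including Flate-compressed objects) so the second hop can be inspected, then flags hosts whose labels spell the brand after folding look-alike characters. The allowlist, the confusable map, the sample PDF and the `example.net` hostname are constructed assumptions.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumed allowlist, brand keyword and look-alike map (constructed for this example).
OFFICIAL = {"dhl.com"}
BRAND = "dhl"
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l"})

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def pdf_link_targets(pdf: bytes) -> list[str]:
    """Return /URI action targets from plain and Flate-compressed objects."""
    bodies = [pdf]
    for raw in STREAM_RE.findall(pdf):
        try:
            # decompressobj tolerates a stream trimmed by the regex boundary
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            continue  # not Flate data (image, font, other filter)
    found = []
    for body in bodies:
        for match in URI_RE.findall(body):
            url = match.decode("latin-1")
            if url not in found:
                found.append(url)
    return found

def impersonates_brand(url: str) -> bool:
    """True if a host label spells the brand after confusable folding
    while the host is not under an official domain."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return False
    return any(BRAND in label.translate(CONFUSABLE) for label in host.split("."))

def sample_pdf() -> bytes:
    """Constructed PDF fragment: one plain link, one inside a compressed stream."""
    hidden = b"<< /S /URI /URI (https://www.dhiparcel-management.example.net/chat) >>"
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Link "
            b"/A << /S /URI /URI (https://www.dhl.com/track) >> >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(hidden) + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for target in pdf_link_targets(sample_pdf()):
        print("FLAG" if impersonates_brand(target) else "ok  ", target)
```

Links can also sit behind other stream filters or encrypted strings, so an empty result means unknown, not clean.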

Watch the full video of this phishing attack below:

Protecting against such attacks on mobile requires a mobile threat defense solution which incorporates zero-day anti-phishing protection and which addresses all channels including email, SMS and social media.