Phishing scammers posing as customers are contacting live-chat support agents with phony issues or problems and tricking them into opening up malicious documents, according to an incident response expert who has observed a marked uptick in use of this tactic over the last two quarters.
The scheme is yet another recent example of phishing campaigns leveraging communication mediums outside of email to catch prospective victims off-guard. And it works in part because website operators that use chat features are not always diligently scanning uploaded files for malware.
Devon Ackerman, managing director and head of incident response for North America with Kroll's Cyber Risk practice, said that the malicious actors behind this growing trend are “directly tied to ransomware groups” and are likely using automated scripts to seek out “Contact Us” or chat forms on the internet that they can abuse.
“From a coding standpoint, I can build logic that will scan for [these chat forms] across any number of websites,” said Ackerman, placing himself in the shoes of an attacker. After finding the form itself, “the second thing I'm looking for is… an interactable or selectable box [in the form field] that allows me to do a file upload.”
“I can even anonymize myself through a virtual hosting server for maybe five, 10 bucks a month, and just run my script 24 hours a day and let it scan or crawl websites non-stop like a search engine spider or bot would,” continued Ackerman, who previously served as a supervisory special agent and senior digital sciences forensics examiner with the FBI.
The perpetrators then select a target from among the websites identified by the “spider or bot,” and craft a communication that’s tailored to the specific company they’re trying to victimize.
This part requires a more human-powered, manual approach, as it is more difficult to automate. After all, “there are more variables,” explained Ackerman, who recently authored a Kroll blog post on these findings. “Every form’s a little different, every chat session’s a little different.” Thus, more customization is needed, “which, of course, slows down the likelihood that we're going to see large-scale use” of this technique. However, it also makes the scam more authentic-looking and effective.
For instance, “actors know the limitations of online chat services, which commonly draw on a knowledge base of FAQs to answer visitor queries,” Ackerman wrote in his blog post. “The actor presents an issue not likely to be covered by the FAQs, and most importantly, one that needs to be resolved by uploading some kind of documentation, e.g., a disputed invoice or photo of damaged merchandise.”
An example might be a fake customer pretending to send a picture of a damaged vehicle to an auto insurance representative, or a phony business owner contacting a website with supposed proof of a copyright violation that never actually happened, he told SC Media.
When the adversary sends over the malicious file, it may arrive in a password-protected zip format because antivirus software may not be able to detect the malware in compressed files, the blog post explains. The documents within the zip file contain malicious macros, which if enabled infect the customer support agent’s machine with malware.
Ackerman said other the scheme can also be adapted to other web forms placed on a website, not just ones associated with customer service and live help. For instance, a website that asks customers to send in photos of themselves using a company's product could also be inviting similar trouble.
“The forms and the chat features usually are very plug and play – i.e., ‘Give me a file. I'm going to put the file somewhere,’ said Ackerman. "We have evolved, globally, from a web technology standpoint. We should be implementing security checks at that stage. I should not be able to have a form take a file, any type of format, and just do something with it, and that's what a lot of forms and chat features are…”
Several research reports over the last few months have noted phishing campaigns that incorporated elements such as phone-based vishing to avoid placing links or attachments in emails that might otherwise be detected by traditional email security solutions and gateways. This live-chat scheme is yet another clever way to work around certain defenses by leveraging the fallible human element.
Some companies directly hire their own internal live-chat customer-service agents, while others outsource this function to a third party. Either way, the organization responsible for employing these workers must ensure they are well aware of this unconventional phishing scam. But this task isn’t necessarily so simple.
“It’s one thing to do the… rinse-and-repeat ‘This is what a phishing email looks like,’ [training exercise],” said Ackerman. But “when you start getting into more specialty or boutique organizations or cyber problems, you have to have training is more specific to that workflow.”
And such is the case with live-chat phishing.
“If ultimately you're receiving some type of form or file transfer through a chat function, the operators should be trained from a standpoint of understanding what it is they're receiving, the format of what they're receiving and what they should and should not have,” said Ackerman.
Understanding the dangers of macros is another important lesson to instill in live-chat operators, as there are few plausible reasons they should have to enable them in a document, spreadsheet or form upload.
“Macros have usefulness, but usually they’re in an internal corporate context for automations. So by default, the macro should be blocked," said Ackerman.
Meanwhile companies should require live-chat operators to use not their own computers to review submitted files, but rather a “virtualized, segregated, clean workplace,” one that perhaps operates in the cloud or on a virtual desktop, said Ackerman. Additionally, this protected environment should be fortified by not only antivirus software, but also endpoint detection and response tooling (e.g. EDR, MDR or XDR solutions).