Phishing scammers are increasingly targeting live chat support agents by posing as customers and tricking the agents into opening fraudulent documents.
This is another example of phishing that uses an attack channel other than traditional email. It works because website operators that offer chat features often have no security scanning in place to check uploaded files for malware.
Devon Ackerman, head of incident response at Kroll, said that these actors are “directly tied to ransomware groups” and are likely using automated scripts that scan the Internet for “Contact Us” or chat forms.
“The second thing they are looking for is… an interactable or selectable box [in the form field] that allows me to do a file upload,” said security expert Johan Ackerman, who previously worked as a senior IT forensics examiner for the FBI.
The perpetrators then select a specific company they want to attack and create a customized message tailored to that target. This part requires a more manual approach and is harder to automate:
“Every form’s a little different, every chat session’s a little different.” Thus, more customization is needed, “which, of course, slows down the likelihood that we’re going to see large-scale use” of this technique. However, it also makes the scam more authentic-looking and effective.
According to Ackerman, the actors know that many online chat services rely on a knowledge base to answer visitors’ queries, so they come up with a hard issue that requires a file upload:
“The actor presents an issue not likely to be covered by the FAQs, and most importantly, one that needs to be resolved by uploading some kind of documentation, e.g., a disputed invoice or photo of damaged merchandise.”
Scammers send the files as zip archives to keep antivirus software from detecting the malware inside them. The documents within the archives contain malicious macros.
The same approach could also be used against other web forms, not only support forms, such as those that ask customers for photos of themselves using a company’s product.
“The forms and the chat features usually are very plug and play – i.e., ‘Give me a file. I’m going to put the file somewhere,’” said Ackerman. “We have evolved, globally, from a web technology standpoint. We should be implementing security checks at that stage. I should not be able to have a form take a file, any type of format, and just do something with it, and that’s what a lot of forums and chat features are…”
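The two points above, that the lure arrives as a zip archive wrapping a macro-carrying document and that the upload handler should check files rather than blindly store them, can be turned into a concrete server-side check. The following is an added example written for this article, not code from Kroll or any vendor; the accepted-extension policy, the size and nesting limits, and the sample files are all constructed for illustration. It uses only the Python standard library: it recognises Office Open XML documents (which are zip containers) and flags any that carry a VBA project regardless of the extension they were given, walks plain archives member by member, and refuses encrypted members, unsafe paths, excessive nesting and oversized expansions, which are the usual ways to blind a scanner.

```python
import io
import zipfile

# Constructed policy for this example: what a support-desk upload form accepts.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".docx", ".xlsx"}
MACRO_ENABLED_OFFICE = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
MAX_ARCHIVE_DEPTH = 2                      # a zip inside a zip inside a zip is rejected
MAX_UNCOMPRESSED_BYTES = 50 * 1024 * 1024  # crude guard against decompression bombs
ZIP_MAGIC = b"PK\x03\x04"                  # zip local file header; OOXML documents use it too
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _is_ooxml(zf: zipfile.ZipFile) -> bool:
    # Office Open XML (.docx/.xlsx/.docm/...) is a zip that always carries [Content_Types].xml.
    return "[Content_Types].xml" in zf.namelist()


def _ooxml_has_vba(zf: zipfile.ZipFile) -> bool:
    # A VBA project lives at word/vbaProject.bin, xl/vbaProject.bin, etc., whatever the extension says.
    return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def _inspect_archive(filename: str, zf: zipfile.ZipFile, depth: int) -> list[str]:
    """Walk a plain zip archive and inspect every member as if it were its own upload."""
    if depth >= MAX_ARCHIVE_DEPTH:
        return [f"{filename}: archive nested deeper than {MAX_ARCHIVE_DEPTH} levels"]
    reasons = []
    total = 0
    for info in zf.infolist():
        member = info.filename
        if info.flag_bits & 0x1:  # encrypted member: content cannot be scanned at all
            reasons.append(f"{filename}: member {member!r} is encrypted and cannot be scanned")
            continue
        parts = member.replace("\\", "/").split("/")
        if member.startswith(("/", "\\")) or ".." in parts:
            reasons.append(f"{filename}: member {member!r} has an unsafe path")
            continue
        if info.is_dir():
            continue
        total += info.file_size
        if total > MAX_UNCOMPRESSED_BYTES:
            reasons.append(f"{filename}: archive expands beyond {MAX_UNCOMPRESSED_BYTES} bytes")
            break
        reasons.extend(inspect_upload(member, zf.read(info), depth + 1))
    return reasons


def inspect_upload(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons to reject an uploaded file; an empty list means it passed."""
    ext = _ext(filename)
    if data.startswith(OLE2_MAGIC):
        return [f"{filename}: legacy binary Office file, macros cannot be ruled out here; sandbox it"]
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if not _is_ooxml(zf):
                    return _inspect_archive(filename, zf, depth)
                reasons = []
                if _ooxml_has_vba(zf):
                    reasons.append(f"{filename}: Office document contains a VBA project (macros)")
                if ext not in ALLOWED_EXTENSIONS:
                    reasons.append(f"{filename}: extension {ext!r} is not an accepted document type")
                return reasons
        except zipfile.BadZipFile:
            return [f"{filename}: corrupt or truncated zip container"]
    if ext not in ALLOWED_EXTENSIONS:
        return [f"{filename}: extension {ext!r} is not an accepted document type"]
    return []


def _build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a document carrying a VBA project, renamed to .docx
# and wrapped in a zip the way the article describes, beside a clean submission.
MACRO_DOC = _build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                        "word/vbaProject.bin": b"\x00" * 16})
CLEAN_DOC = _build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
LURE_ARCHIVE = _build_zip({"Disputed_Invoice_4471.docx": MACRO_DOC})
CLEAN_ARCHIVE = _build_zip({"invoice.docx": CLEAN_DOC, "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8})

if __name__ == "__main__":
    for name, blob in [("lure.zip", LURE_ARCHIVE), ("docs.zip", CLEAN_ARCHIVE)]:
        print(name, "->", inspect_upload(name, blob) or "accepted")
```

The check keys on container structure rather than on the file name: a macro-enabled document renamed to `.docx` is still a zip with `[Content_Types].xml` and a `vbaProject.bin` entry, so it is caught, while a plain archive is opened and each member judged on its own. Legacy OLE2 documents need a dedicated parser to inspect for macros, so this example simply refuses them and routes them to sandbox analysis, which matches the advice to review submissions in an isolated environment. A real deployment would run this before the file is stored, on the server, with the accepted-type list tightened to what the specific form actually needs.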
Live chat operators should not use their own devices to review submitted files; their employers should instead require them to use a “virtualized, segregated, clean workplace,” such as a virtual desktop, advised Ackerman.