Phishing scammers are posing as customers and contacting live-chat support agents with fake problems in order to trick them into opening infected files, according to an incident response expert who has seen a surge in such incidents since the start of this year. The scam fits a broader pattern of phishing campaigns that reach potential victims out of the blue through channels other than email. The technique works because website operators that offer chat features do not always scan uploaded files for malware.
The hackers behind this rising trend are part of a ransomware group and may be using automated scripts to find "contact us" or other chat forms on the web that they can exploit, says Devon Ackerman, managing director and head of incident response for North America with Kroll's Cyber Risk practice. "From a coding standpoint, I can build logic that will scan for [these chat forms] across any number of websites," said Ackerman, putting himself in the shoes of an attacker.
After finding the form itself, “the second thing I’m looking for is… an interactable or selectable box [in the form field] that allows me to do a file upload. I can even anonymize myself through a virtual hosting server for maybe five, 10 bucks a month, and just run my script 24 hours a day and let it scan or crawl websites non-stop like a search engine spider or bot would.”
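The selection step Ackerman describes, a form that contains a file-upload box, is easy to express in code. The script below is an added example, not Kroll's or anyone's published tooling, and is written from the defender's side: a site owner can run it over their own chat and contact pages to inventory where customers can upload files. The sample HTML, the `/support/contact` action and the keyword list in `CHAT_HINTS` are all constructed for the example; nothing is fetched from the network.

```python
"""Find forms that accept file uploads in a page's HTML.

Added example, not Kroll's or anyone's published tooling. It implements the
selection logic Ackerman describes (a form with a file-upload box), written so
a site owner can inventory their own chat and contact pages. The HTML below is
constructed inline; nothing is fetched from the network.
"""
from html.parser import HTMLParser

# Words in a form's action or page URL that suggest a support/contact channel (assumed list).
CHAT_HINTS = ("contact", "support", "chat", "ticket", "help")


class UploadFormFinder(HTMLParser):
    """Collect every <form> that contains an <input type="file">."""

    def __init__(self):
        super().__init__()
        self.forms = []       # completed forms that have at least one file input
        self._current = None  # the form being parsed, or None when outside a form

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "enctype": a.get("enctype", ""),
                             "file_inputs": []}
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "file":
            self._current["file_inputs"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["file_inputs"]:
                self.forms.append(self._current)
            self._current = None


def find_upload_forms(html: str, page_url: str = "") -> list:
    """Return the upload-capable forms on a page, tagged if they look like a contact/chat form."""
    parser = UploadFormFinder()
    parser.feed(html)
    parser.close()
    for form in parser.forms:
        form["page"] = page_url
        haystack = (form["action"] + " " + page_url).lower()
        form["looks_like_contact"] = any(hint in haystack for hint in CHAT_HINTS)
    return parser.forms


# Constructed sample page: a newsletter signup (no upload) and a contact form with an attachment.
SAMPLE_HTML = """
<html><body>
<form action="/newsletter" method="post">
  <input type="email" name="addr"><button>Subscribe</button>
</form>
<form action="/support/contact" method="POST" enctype="multipart/form-data">
  <textarea name="message"></textarea>
  <input type="file" name="attachment">
  <button>Send</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    for form in find_upload_forms(SAMPLE_HTML, "https://example.com/contact-us"):
        print(form)
```

Only the form with `<input type="file">` is reported; the newsletter form is ignored. An attacker would run the same check behind a crawler; a defender should run it against their own pages and make sure every reported endpoint feeds uploads through a scanner before an agent can open them.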
The attackers then pick a target from the websites identified by the spiders or bots and build a conversation suited to the particular company they are trying to exploit. This stage requires human effort because it is hard to automate: every chat platform is a bit different and every chat session is distinct, so the approach needs more customisation, which is why it is unlikely to be used at very large scale. The trade-off is that the tailored approach makes the scam look more authentic and genuine, and therefore more effective.
SC Magazine reports, "an example might be a fake customer pretending to send a picture of a damaged vehicle to an auto insurance representative, or a phony business owner contacting a website with supposed proof of a copyright violation that never actually happened, he told SC Media. When the adversary sends over the malicious file, it may arrive in a password-protected zip format because antivirus software may not be able to detect the malware in compressed files, the blog post explains. The documents within the zip file contain malicious macros, which, if enabled, infect the customer support agent's machine with malware."
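The two evasions in that passage, a password-protected archive that a scanner cannot look inside and an Office document carrying VBA macros, can both be caught at the upload point before an agent ever opens the file. The script below is an added example written for this page, not code from Kroll, SC Media or any vendor. It flags encrypted ZIP entries, macro-enabled OOXML documents (those with a `vbaProject.bin` part), legacy OLE2 files that need a dedicated tool such as olevba, and uploads whose extension says "photo" while the bytes say "ZIP". The sample archives and the fake `.docm` are constructed inline; since Python's `zipfile` cannot write password-protected archives, the helper `_mark_encrypted` flips the same header bit a real encryption tool sets, which is enough for the check.

```python
"""Inspect a chat or contact-form upload before a support agent opens it.

Added example, not code from Kroll or SC Media. It flags the two tricks the
article describes: a password-protected (encrypted) ZIP, whose contents AV
cannot scan, and an Office document that carries VBA macros. All sample files
below are constructed inline so the script runs offline.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
# OOXML (.docm/.xlsm/.pptm) keeps VBA code in a vbaProject.bin part.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
NOT_ZIP_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf")
MAX_DEPTH = 3                   # archives nested inside archives
MAX_NESTED_BYTES = 10_000_000   # do not unpack huge inner entries (zip-bomb guard)


def inspect_upload(filename: str, data: bytes, depth: int = 0) -> list:
    """Return human-readable findings for one uploaded file (empty list = nothing found)."""
    findings = []
    if data.startswith(OLE2_MAGIC):
        # Macros in legacy OLE2 files live in compound-file streams; hand off to olevba.
        findings.append(f"{filename}: legacy OLE2 Office file, check for VBA with olevba")
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings
    if filename.lower().endswith(NOT_ZIP_EXTS):
        # A "photo of the damage" whose bytes are really a ZIP container.
        findings.append(f"{filename}: extension does not match ZIP content")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"{filename}: corrupt or truncated ZIP")
        return findings
    with zf:
        if set(zf.namelist()) & VBA_PARTS:
            findings.append(f"{filename}: Office document contains VBA macros")
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                # General-purpose flag bit 0 set: the entry is encrypted, so any
                # scanner without the password sees only ciphertext.
                findings.append(f"{filename}: encrypted entry '{info.filename}', cannot be scanned")
                continue
            if depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                continue
            payload = zf.read(info)
            if payload.startswith((ZIP_MAGIC, OLE2_MAGIC)):
                # Office document or ZIP inside the ZIP: inspect it the same way.
                findings.extend(inspect_upload(info.filename, payload, depth + 1))
    return findings


# ---- constructed samples (stand-ins, not real malware) ----------------------

def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit in every local and central header.

    Python's zipfile cannot write password-protected archives, so this flips
    the header bit a real encryption tool sets. Readers then refuse to extract
    the entry without a password, which is exactly what the scanner checks.
    """
    buf = bytearray(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            buf[info.header_offset + 6] |= 0x01        # local file header flags
    cd = int.from_bytes(buf[-6:-2], "little")         # EOCD: central directory offset
    while buf[cd:cd + 4] == b"PK\x01\x02":
        buf[cd + 8] |= 0x01                             # central directory flags
        n, m, k = (int.from_bytes(buf[cd + o:cd + o + 2], "little") for o in (28, 30, 32))
        cd += 46 + n + m + k                            # fixed header + name + extra + comment
    return bytes(buf)


# Minimal macro-enabled document: a real .docm has more parts, the VBA part is what matters.
FAKE_DOCM = _zip_bytes({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00fake VBA project\x00",
})
# The "damage photos" a fake customer sends: a password-protected ZIP wrapping the document.
FAKE_PROTECTED_ZIP = _mark_encrypted(_zip_bytes({"damage_photos.docm": FAKE_DOCM}))
# Same document in an unprotected ZIP, so the scanner can look inside.
FAKE_PLAIN_ZIP = _zip_bytes({"claim_form.docm": FAKE_DOCM})

if __name__ == "__main__":
    for name, blob in (("damage_photos.zip", FAKE_PROTECTED_ZIP),
                       ("claim.zip", FAKE_PLAIN_ZIP),
                       ("invoice.docm", FAKE_DOCM)):
        for line in inspect_upload(name, blob) or [f"{name}: no findings"]:
            print(line)
```

The protected archive produces only an "encrypted entry" finding: the scanner cannot see the macro document inside, which is precisely why attackers wrap it that way, so the right policy is to quarantine or reject encrypted archives rather than pass them through. The unprotected archive is unpacked and the macro document is flagged by its `vbaProject.bin` part. The script deliberately does not attempt to parse VBA out of legacy OLE2 files; that needs a purpose-built parser such as olevba.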
Source: E Hacking news