Image by Yuyeung Lau

Cybercriminals continue to grow more sophisticated and are now building security features usually associated with legitimate websites, including CAPTCHAs, one-time passwords (OTPs), and chatbots, into phishing websites. This makes it even harder for consumers to spot malicious websites and phishing scams designed to steal their information.

In a disturbing phishing campaign exposed by Trustwave, interactive chatbots are being used as part of a scheme to harvest user credentials and credit card payment information using failed DHL deliveries as a lure.  Using a chatbot tends to increase a user’s confidence and lower their defenses while interacting with a fake DHL website.

The scam begins with a phishing email, supposedly from DHL, that prompts the victim to take action to resolve delivery issues. Clicking the button provided in the email redirects the user to a malicious website that looks quite legitimate. The fake DHL website uses a chatbot to collect personal information and adds a CAPTCHA step and OTP authentication to boot. Interestingly, security researchers found that the OTP step required after entering payment information on the spoofed DHL website is a real implementation.

This scam automates the phishing process for attackers and reinforces a false sense of security in consumers. Layered phishing attacks that use real security features as part of the ruse will therefore likely continue to evolve and be used more often by cybercriminals. Now more than ever, consumers need to be cautious when receiving unsolicited communications that request immediate action, especially if the email or website contains embedded links.

As always, the best way to spot a bogus phishing website is to examine the website's URL, which appears in the browser's address bar near the top of every web page. If it is a shortened link, has spelling errors, is slightly different from the known legitimate domain, or just looks suspicious, do not enter any personal information or click on any links. You can always close the webpage, then search for and access the website yourself in a new browser tab.
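The URL checks described above can also be automated, for example in a mail filter or a help-desk triage script. The following is an added example, not code from Trustwave or DHL; the allowlist, the shortener list, the verdict names, and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: one known-good domain and a small sample of
# link shorteners. Extend both sets for real use.
LEGIT_DOMAINS = {"dhl.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels); real code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> str:
    """Classify a link using the checks a reader is asked to make by eye."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    if reg in SHORTENERS:
        return "shortened-link"          # destination is hidden, treat as suspicious
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if edit_distance(reg.split(".")[0], brand) <= 1:
            return "lookalike"           # misspelling, or same name on another TLD
        if brand in host:
            return "brand-on-other-domain"  # brand name placed on an unrelated domain
    return "unknown"                     # not on the allowlist; verify before trusting


# Constructed sample links, not taken from the campaign described in this article.
SAMPLES = ["https://www.dhl.com/track", "https://bit.ly/3abcXYZ",
           "http://dhll.example/delivery", "https://dhl-express.parcel-fix.example/chat"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{check_url(sample):22} {sample}")
```

Only the first verdict means the link points at the allowlisted domain; every other verdict is a reason to open the site yourself in a new tab instead of following the link.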

As a best practice when responding to emails, you should always go to the website in a new browser tab instead of clicking on links provided in an email.  Then you can log in to your account on the trusted platform and check for any pending alerts or notifications.  The security benefit is definitely worth the extra effort.

Published May 29, 2022