A newly identified phishing campaign is turning legitimate customer service software into a weapon for stealing sensitive user data.
Attackers have been found abusing LiveChat, a widely used Software-as-a-Service (SaaS) platform that businesses rely on for real-time customer support, to carry out convincing phishing operations against unsuspecting victims.
The campaign marks a clear shift from traditional phishing methods toward ones that feel more personal and harder to detect.
Unlike typical phishing emails that drop users onto fake login pages, this approach places victims inside a live chat window, where they believe they are speaking with a real support agent from brands like PayPal or Amazon.
The setup is designed to make every interaction feel genuine, blurring the line between a real customer service session and a well-crafted trap.
Victims are drawn in through carefully worded emails promising refunds or order confirmations, with links hosted under LiveChat’s own domain — lc[.]chat.
Cofense researchers identified this campaign after analyzing two separate phishing email variants, each carrying a different lure and brand identity.
The first email spoofed PayPal, notifying recipients of an incoming $200.00 refund and urging them to click a “View Transaction Details” button.
The second email was more generic, claiming an order was pending and needed confirmation through a “View Update” hyperlink, with no visible brand name until the user clicked through.
Both emails used social engineering: the first preyed on financial curiosity, while the second used urgency and ambiguity to push the user to act.
Email 1 and Email 2 Body (Source – Cofense)
Once clicked, both links led users to separate LiveChat-hosted pages, each impersonating a different brand.
The PayPal-branded page loaded an automated chat bot that immediately engaged the user, while the Amazon-branded page first asked for an email address before the “agent” appeared.
Email 1 – LiveChat Prompt (Source – Cofense)
Despite different setups, both pages shared the same goal — to extract as much personal and financial data as possible through what looked like a legitimate customer support session.
Multi-Stage Data Harvesting in Action
Data collection in this campaign unfolded in deliberate, layered steps. In the Amazon version of the threat, the chat agent asked for the user’s email address, phone number, date of birth, and home address — all framed as routine identity verification.
The language was noticeably rough, with misspellings like “Ello” and awkward punctuation throughout, suggesting a human operator working from a scripted playbook rather than an automated system.
Email 2 – LiveChat Prompt (Source – Cofense)
As the chat continued, the agent claimed a $200.00 refund was ready but that the user’s card details were not on file.
The attacker asked for a full credit card number, expiration date, and CVC — assuring the user that the information would be handled with “the utmost confidentiality,” a common tactic used to ease the victim into compliance.
Email 2 – LiveChat Harvesting (Source – Cofense)
The PayPal variant took a different path. After the chat bot shared an external link, victims were taken to a fake PayPal login page where they entered their credentials.
The attacker captured the MFA code sent to the user’s phone, using it to bypass two-factor authentication.
Phishing Page and PayPal MFA (Source – Cofense)
A billing form followed, requesting the user’s date of birth alongside standard card details — an unusual combination meant to build a complete financial and identity profile.
Email 1 – Billing Details and CC Information (Source – Cofense)
A final MFA prompt was presented, and after submission, the victim was redirected to the LiveChat window with confirmation that the refund was on its way.
CC MFA and Confirmation Message (Source – Cofense)
Users and organizations should treat any unsolicited email about refunds or order confirmations with caution, particularly when it routes through a chat link instead of an official brand website.
Requests for MFA codes, credit card numbers, or dates of birth through any chat interface are strong red flags that should prompt immediate disengagement.
Security teams are advised to monitor for outbound traffic to lc[.]chat domains and block known malicious URLs tied to this campaign to reduce exposure.
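Because lc[.]chat is a legitimate service, blocking the domain outright would break genuine support chats; a more useful check pairs chat-hosted links with the refund or order-confirmation lure the campaign relies on. The following is an added example (not Cofense's tooling or code from the article) that scores constructed email samples and proxy log lines on that basis; the sample messages, log format and paths are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed samples modelled on the lures described in the article (not Cofense's data).
SAMPLE_EMAILS = [
    ("Your $200.00 refund is on its way",
     'Click "View Transaction Details": https://lc.chat/refund-1234 to claim it.'),
    ("Order pending confirmation",
     "Please View Update at https://lc.chat/order-5678 to confirm your order."),
    ("Weekly newsletter",
     "Read more at https://example.com/news or chat with us at https://lc.chat/support"),
]
# Constructed proxy log lines in an assumed "<ts> <client> <method> <url>" format.
SAMPLE_PROXY = [
    "1700000000 10.0.0.5 GET https://lc.chat/refund-1234",
    "1700000001 10.0.0.7 GET https://www.paypal.com/myaccount",
]

LURE_TERMS = ("refund", "order", "pending", "confirm", "transaction details", "view update")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_chat_host(host):
    """True for LiveChat's lc.chat domain and any of its subdomains."""
    host = host.lower().rstrip(".")
    return host == "lc.chat" or host.endswith(".lc.chat")

def chat_links(text):
    """Return the URLs in text whose host is under lc.chat."""
    return [u for u in URL_RE.findall(text) if is_chat_host(urlparse(u).hostname or "")]

def score_email(subject, body):
    """Flag an email only when a chat-hosted link is paired with a refund/order lure,
    so routine support links to lc.chat are not treated as phishing on their own."""
    text = f"{subject}\n{body}"
    links = chat_links(text)
    lures = [t for t in LURE_TERMS if t in text.lower()]
    return {"chat_links": links, "lures": lures, "suspicious": bool(links) and bool(lures)}

def flag_proxy(lines):
    """Return (client, url) pairs for proxy lines whose destination host is under lc.chat."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and is_chat_host(urlparse(parts[3]).hostname or ""):
            hits.append((parts[1], parts[3]))
    return hits

if __name__ == "__main__":
    for subj, body in SAMPLE_EMAILS:
        print(subj, "->", score_email(subj, body))
    print(flag_proxy(SAMPLE_PROXY))
```

Proxy hits on lc.chat are a lead to correlate with mail logs, not a verdict by themselves, since the same host serves legitimate support sessions.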
The post Phishers Abuse LiveChat Support Tools to Steal Sensitive Data in New SaaS-Based Attack Tactic appeared first on Cyber Security News.