Live chat used in phishing attack

Early last week, Netcraft blocked a website purporting to offer online support for eBay customers. The website made use of a third-party live chat service provided by Volusion, an e-commerce outfit which also provides both free and premium hosted live chat services. By running a live chat service and asking the right questions, a fraudster could coax an unsuspecting victim into revealing sensitive information in addition to their eBay login credentials.

The agent providing "support" claimed that the chat was accessed by clicking a live chat button in eBay's order confirmation email. When Netcraft attempted to question the legitimacy of the live chat, the agent immediately disconnected. eBay's official live chat service is available to eBay members through a secure page on an ebay.com subdomain and is linked to from the eBay website.

An example fraudulent live chat impersonating eBay (left) and the legitimate version (right); both have valid SSL certificates

An example fraudulent live chat impersonating eBay (left) and the legitimate version (right); both have valid SSL certificates

Later, the site showed a place-holder company logo and the eBay branding had disappeared.

This attack is interesting as several well-known companies outsource their live chat support, including Sky, a British broadcaster and ISP (LivePerson), Western Union (Oracle), and Rackspace (BoldChat). This, combined with a valid SSL certificate, could be convincing enough to deceive people accustomed to seeing third-party domain names for live chat applications. In addition, free or trial deployments can be obtained for these third-party services quickly — some without identification or credit cards — allowing a social engineer to carry out this attack easily and anonymously.

Live chat social engineering is not a novel technique for fraudsters: last December, a replacement Kindle was falsely ordered via the official Amazon live chat by a fraudster with only limited knowledge of the victim. A similar scam was seen in February this year. A forum dedicated to social engineering has a thread allegedly making offers to buy Amazon order numbers, which could be used in future attacks.

Netcraft advises people to never reveal sensitive information such as passwords or PINs in live chats, even if asked. A legitimate company will not require this information. If in doubt, challenge them to verify who they say they are. Only access live chats from companies' own sites: do not access them from third-party websites or emails.

You can protect yourself against the latest phishing attacks by installing Netcraft's Anti-Phishing Extension and help protect the internet community by reporting potential phishing sites to Netcraft by email to scam@netcraft.com or at http://toolbar.netcraft.com/report_url. Netcraft can also help protect both brand owners and hosting companies.