Hackers are spinning up fake chatbots to trick you into handing over your data

(Image credit: Image Credit: Shutterstock)

Criminals appear to have taken phishing for sensitive identity information to a whole new level with the creation of a fake chatbot that slowly guides the victim to their data being stolen.

Cybersecurity researchers from Trustwave SpiderLabs recently uncovered a new phishing campaign that tries to scam people out of personally identifiable information, as well as payment data, by faking a DHL customer support chatbot.

It starts the usual way - the victim will get an email, saying they have a parcel pending with DHL, and that further instructions are needed. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Stealing credit card information

If the victim takes the bait, they’ll be redirected to a fake DHL customer support website that seems to be running a chatbot. However, this is not a “real” chatbot, but rather an app with limited options and predefined responses. 

If the victim still doesn’t spot the numerous red flags that have been popping up along this journey, they’ll soon find themselves giving away sensitive data, such as their DHL login credentials (email and password), as well as credit card information (cardholder name, card number, expiration date, CVV code).

Whoever is behind this campaign has really put some effort into it. Before giving away their DHL login information, victims will have to pass a fake captcha page. Once they enter their card data, the payment gateway will first check the validity of the card. Afterwards, the user gets redirected to a one-time password (OTP) page, where they’ll have to enter a code received via SMS. 

Ironically, the victim is never asked for a phone number, so the only thing to do at this point is either realize the whole thing is a sham, or try to enter any random set of numbers. 

The researchers did the latter, and after getting a “security code invalid” message four times, on the fifth attempt, the page redirects to another page saying that the submission was successfully received.

As usual, be extra careful when receiving links and attachments via email, most of them are probably malware or viruses.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.