Hackers are spinning up fake chatbots to trick you into handing over your data

By Sead Fadilpašić
published

Fake DHL chatbot tricks victims into sharing payment info

Chatbot
(Image credit: Image Credit: Shutterstock)

Criminals appear to have taken phishing for sensitive identity information to a whole new level with the creation of a fake chatbot (opens in new tab) that slowly guides the victim to their data being stolen.

Cybersecurity researchers from Trustwave SpiderLabs recently uncovered a new phishing campaign that tries to scam people out of personally identifiable information (opens in new tab), as well as payment data, by faking a DHL customer support chatbot.

It starts the usual way - the victim will get an email, saying they have a parcel pending with DHL, and that further instructions are needed. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab)

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

Stealing credit card information

If the victim takes the bait, they’ll be redirected to a fake DHL customer support website that seems to be running a chatbot. However, this is not a “real” chatbot, but rather an app with limited options and predefined responses. 

If the victim still doesn’t spot the numerous red flags that have been popping up along this journey, they’ll soon find themselves giving away sensitive data, such as their DHL login credentials (email and password (opens in new tab)), as well as credit card information (cardholder name, card number, expiration date, CVV code).

Whoever is behind this campaign has really put some effort into it. Before giving away their DHL login information, victims will have to pass a fake captcha page. Once they enter their card data, the payment gateway will first check the validity of the card. Afterwards, the user gets redirected to a one-time password (OTP) page, where they’ll have to enter a code received via SMS. 

Read more

> Credit card fraud detection vs credit report monitoring: What’s the difference? (opens in new tab)

> Cybercriminals are using fake Black Friday deals to steal your credit card details (opens in new tab)

> Watch out for these Facebook scams, users warned (opens in new tab)

Ironically, the victim is never asked for a phone number, so the only thing to do at this point is either realize the whole thing is a sham, or try to enter any random set of numbers. 

The researchers did the latter, and after getting a “security code invalid” message four times, on the fifth attempt, the page redirects to another page saying that the submission was successfully received.

As usual, be extra careful when receiving links and attachments via email, most of them are probably malware or viruses.

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

See more Computing news