Phishing websites now use chatbots to steal your credentials


Phishing attacks now use automated chatbots to guide visitors through the process of handing over their login credentials to threat actors.

This approach automates the process for attackers and gives visitors to malicious sites a sense of legitimacy, as chatbots are commonly found on legitimate brand websites.

This new development in phishing attacks was discovered by researchers at Trustwave, who shared the report with Bleeping Computer ahead of its publication.

It starts with an email

The phishing process begins with an email claiming to contain package delivery information, impersonating the DHL shipping mark.

Example of a phishing email
Example of a phishing email (wave of trust)

Clicking the “Please follow our instructions” button in the email loads a PDF file containing links to the phishing site. Threat actors display the phishing links in the PDF document to bypass email security software.

Downloadable PDF containing the malicious links
Downloadable PDF containing the malicious links
(wave of trust)

However, the URL button (or link) in the PDF takes the victim to a phishing site (dhiparcel-management[.]support-livechat[.]24mhd[.]com) where they are supposed to fix issues preventing a package from being delivered.

This is where the chatbot takes over.

A chatbot steals your credentials

When the phishing page loads, visitors are greeted with a chat explaining why the package could not be delivered instead of being shown a fake login form commonly used to steal credentials.

This webchat explains that the package label has been damaged, preventing its delivery. The web chat also displays a photo of the alleged package to add more legitimacy to the scam.

Chatbot on the phishing site
Chatbot on the phishing site (wave of trust)

This virtual assistant offers predefined answers for the visitor, so the conversation is frozen, always leading to showing a photograph of the alleged package with a damaged label.

Due to this issue, the chatbot asks the victim to give their personal details such as home or business address, full name, phone number, etc.

After that, the delivery is supposed to be scheduled and a fake CAPTCHA step is displayed to act as another fake send of legitimacy to the phishing page.

Then, the victim is redirected to a phishing page that requires entering the DHL account credentials and finally, leading to a payment step, supposed to cover the shipping costs.

The final “Secure Pay” page contains the typical credit card payment fields, including cardholder name, card number, expiration date, and CVV code.

Credit card payment field
Credit card payment field (wave of trust)

When the details are entered and the “Pay Now” button is clicked, the victim receives a one-time password (OTP) on the mobile number provided via SMS, which adds to the sense of legitimacy.

One-time password verification screen
One-time password verification screen (wave of trust)

Trustwave analysts tested entering random characters and the system returned an error about an invalid security code, so the implementation of OTP verification is real.

If the correct code is entered, the fake page displays a “Thank you!” message and confirms that the submission has been received.

Campaigns become more “authentic”

Threat actors are increasingly using mechanisms typically found on real websites, like CAPTCHAs, OTPs, and now even chatbots, making it difficult for victims to spot attempts to steal their information.

This calls for greater vigilance when receiving unsolicited communications that require your immediate action, particularly if those messages contain embedded buttons and URL links.

If DHL or any other shipping service requires your action, you should always open the actual website on a new browser tab instead of clicking on the links provided.

Then log in to your account on the trusted platform and search for pending items or alerts. You can also contact a customer service agent yourself.

As always, the best way to spot a phishing page is to look at the website URL. If it looks suspicious or does not correspond to the legitimate domain, do not enter any personal information on the page.

In this case, the spoofed DHL URL ends with the domain “”, which is clearly not DHL’s website and is a clear sign of a phishing attempt.


About Author

Comments are closed.