Attackers are exploiting legitimate customer support software to run phishing operations that appear to be real service interactions.
What happened
Researchers identified a phishing campaign that abuses LiveChat, a widely used Software-as-a-Service customer support platform, to steal sensitive information from victims by impersonating well-known brands such as PayPal and Amazon. According to Cyber Security News, victims receive phishing emails promising refunds or order confirmations and are directed to links hosted on the legitimate LiveChat domain lc[.]chat. Instead of landing on a traditional fake login page, users are placed inside a live chat window where they believe they are interacting with a genuine customer support agent. The setup enables attackers to collect personal and financial data through a conversation that appears to be with a legitimate service, blending social engineering with trusted SaaS infrastructure.
Going deeper
The campaign uses multi-stage social engineering: attackers manipulate victims step by step to collect sensitive information over time. One variant impersonates Amazon and starts by asking for basic identity details such as email address, phone number, date of birth, and home address during a chat session. Another variant mimics PayPal and redirects victims from the chat to a fake login page, where login credentials and multifactor authentication codes (the extra one-time codes sent to verify identity) are captured. Once access is gained, attackers request further billing details such as credit card numbers and expiration dates. The staged approach lets attackers build a full identity profile instead of stealing a single password, and because the interaction takes place in what looks like a legitimate chat environment, it feels like normal customer support rather than a phishing attempt.
What was said
Phishing threats “are no longer easy to spot,” as attackers combine multiple techniques in a single campaign, including brand impersonation, social engineering, credential theft, and identity theft. Instead of relying on a single fake login page, attackers guide victims through staged interactions that feel legitimate, such as live chats or support flows, gradually collecting more sensitive information. The researchers said these techniques “demonstrate the rapid evolution and integration of threats,” showing how phishing campaigns now blend multiple tactics to increase trust and reduce suspicion at each step.
In the know
The campaign uses two phishing approaches that guide victims through fake support interactions to collect sensitive data. In one case, attackers impersonate PayPal with a refund email claiming the user will receive $200 and prompting them to click "View Transaction Details," which leads to a LiveChat page that looks like real customer support. From the chat, the user is directed to a phishing site to "complete the refund process" by entering login details. Victims are then asked for a multifactor authentication code (a one-time security code sent to their phone), followed by additional personal and financial information such as billing details, date of birth, and credit card data.
In another variant, attackers send a generic email about a pending order with a "View Update" link that opens a chat page where the user enters their email address, after which a human operator impersonating an Amazon agent requests personal details. The attacker then claims a refund is available and asks for credit card information, including the number, expiry date, and CVC (the three-digit security code on the back of the card), using the conversation itself to make the request seem legitimate.
The big picture
Phishing is increasing in both volume and sophistication, with the Anti-Phishing Working Group reporting over 3.8 million phishing attacks in 2025 alone and SaaS and webmail platforms among the most targeted sectors. Attackers are also relying more on legitimate services such as cloud apps, payment platforms, and collaboration tools to deliver attacks, which makes detection harder because the infrastructure appears trusted. Research also points to more phishing campaigns sent from compromised or real accounts, a shift away from fabricated identities toward abusing legitimate systems. As a result, attackers can blend into normal workflows, collect multiple layers of sensitive data, and carry out more effective account takeovers and financial fraud.
FAQs
Why would attackers use LiveChat instead of a fake phishing website?
Using legitimate customer support software allows attackers to create interactions that appear authentic and to avoid the immediate suspicion that often accompanies suspicious domains.
What is SaaS infrastructure abuse in phishing campaigns?
SaaS abuse occurs when attackers exploit legitimate cloud software platforms, such as chat tools, file-sharing services, or collaboration apps, to distribute or host malicious content.
Why do these campaigns collect multiple pieces of personal data?
Attackers often build full identity profiles that can be used for account takeovers, financial fraud, or identity theft rather than relying on a single stolen credential.
How can organizations detect this type of phishing activity?
Security teams can monitor traffic to suspicious SaaS subdomains, review unusual authentication behavior, and analyze email links that route users through external chat or messaging services.
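The last point, analyzing email links that route users through an external chat service, is the easiest one to automate at the mail gateway. The script below is an added example written for this page, not code from the article or from the researchers: it parses a raw message, pulls every http(s) URL out of the text and HTML parts, and raises a verdict when a link lands on a chat-hosting domain, escalating to "high" when the subject or sender display name names a brand from the campaign (PayPal, Amazon) while the actual sender domain is not that brand's. The chat-host list (lc[.]chat, from the article), the brand-to-sender-domain map, and the three sample messages are all assumptions constructed for the demo; a production deployment would use a vetted allow-list of brand sender domains and a fuller set of chat SaaS hosts.

```python
"""Flag emails whose links route the reader into a third-party live chat.

Added example, not part of the original article. Chat hosts, brand sender
domains and the sample messages below are constructed for the demo.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Chat SaaS hosts to flag. lc.chat is the host the campaign abused; extend
# with any other chat vendors your organisation does not itself use.
CHAT_HOSTS = {"lc.chat"}

# Brands the campaign impersonated, mapped to the sender domains they really
# use. Assumed for this example; replace with a vetted allow-list.
BRAND_SENDER_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def _host_under(host, domain):
    """True if host is domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _sender_domain(msg):
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _urls(msg):
    """Collect http(s) URLs from every text/plain and text/html part."""
    found = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            found.update(URL_RE.findall(part.get_content()))
    return found


def triage(raw):
    """Return (verdict, findings) for one RFC 5322 message.

    high   = names a listed brand, sent from elsewhere, links into a chat host
    medium = links into a chat host without a recognised brand lure
    none   = no chat-host link found
    """
    msg = email.message_from_string(raw, policy=policy.default)
    lure = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    brand = next((b for b in BRAND_SENDER_DOMAINS if b in lure), None)
    sender = _sender_domain(msg)
    spoofed = brand is not None and not any(
        _host_under(sender, d) for d in BRAND_SENDER_DOMAINS[brand])

    findings = []
    for url in sorted(_urls(msg)):
        host = (urlparse(url).hostname or "").lower()
        if any(_host_under(host, c) for c in CHAT_HOSTS):
            findings.append(f"chat-host link {url}")
    if not findings:
        return "none", findings
    if spoofed:
        findings.append(f"claims {brand} but sent from {sender or '<none>'}")
        return "high", findings
    return "medium", findings


# Constructed samples modelled on the two lures described in the article.
# Domains and chat IDs are placeholders, not real campaign artefacts.
REFUND_LURE = """\
From: PayPal Support <billing@support-notice.example>
Subject: Your refund of $200 is ready
Content-Type: text/html; charset="utf-8"

<p>A refund of $200 has been approved.</p>
<a href="https://lc.chat/EXAMPLE-REFUND-ID">View Transaction Details</a>
"""

ORDER_LURE = """\
From: Order Desk <noreply@orders-update.example>
Subject: Update on your pending order
Content-Type: text/plain; charset="utf-8"

Your order is pending. View Update: https://lc.chat/EXAMPLE-ORDER-ID
"""

GENUINE_ORDER = """\
From: Amazon.com <order-update@amazon.com>
Subject: Your Amazon.com order has shipped
Content-Type: text/plain; charset="utf-8"

Track your package: https://www.amazon.com/EXAMPLE-ORDER-PAGE
"""

if __name__ == "__main__":
    for name, sample in (("refund", REFUND_LURE), ("order", ORDER_LURE),
                         ("genuine", GENUINE_ORDER)):
        print(name, *triage(sample))
```

Note what the generic order lure shows: with no brand in the subject or sender, only the chat-host link fires, so the verdict drops to "medium". That is the blind spot of brand-keyword matching, and it is why the article's other two recommendations (watching traffic to chat SaaS subdomains and reviewing unusual authentication behaviour) still matter alongside mail-side link analysis.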
What should users do if they encounter a suspicious support chat request?
Users should avoid sharing credentials or financial information in chat sessions and instead navigate directly to the company's official website via a trusted browser bookmark or a manually typed URL.