Phishing Campaign Exploits LiveChat Widgets to Harvest Credit Card and Personal Data
What Happened – A coordinated social‑engineering operation is leveraging the LiveChat SaaS widget on compromised merchant sites to impersonate PayPal and Amazon support agents. Victims are guided through the chat interface to disclose credit‑card numbers, billing addresses, and other personally identifiable information.
Why It Matters for TPRM –
- The abuse targets a third‑party customer‑engagement platform, creating a supply‑chain risk for any organization that embeds LiveChat.
- A successful harvest of card and personal data can lead to downstream fraud, charge‑backs, and reputational damage for the merchant whose site hosted the chat.
- The technique demonstrates how attackers can weaponize legitimate support channels to bypass traditional email‑phishing defenses.
Who Is Affected – Retail and e‑commerce merchants, payment processors, and any vendor that integrates LiveChat or similar live‑support widgets.
Recommended Actions –
- Review all contracts with LiveChat or comparable chat providers for security‑by‑design clauses.
- Verify that the provider enforces strict authentication for support agents and offers tamper‑evident chat logs.
- Implement real‑time monitoring for anomalous chat activity (e.g., an agent suddenly asking for a full card number, expiration date, or CVV, or card data appearing in a transcript).
- Educate end‑users and support staff to recognize unsolicited requests for financial information via chat.
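One way to implement the monitoring step, given here as an added example and not as code from the article or from LiveChat: a Python scanner run over a constructed chat transcript. It flags agent messages that ask for card data and visitor messages that contain a Luhn‑valid card number, masking the number before it is recorded, and rates the session so that a request followed by a disclosure stands out. The transcript, keyword patterns and function names are assumptions for illustration; a real deployment would feed it exported chat logs or the chat provider's webhook events.

```python
import re
from dataclasses import dataclass

# Constructed sample transcript for illustration only (not real chat data).
# Each entry is (sender, message text). "4111 1111 1111 1111" is a well-known
# test card number that passes the Luhn check.
SAMPLE_TRANSCRIPT = [
    ("agent", "Hi, this is PayPal support. To verify your account please send "
              "the full card number and CVV."),
    ("visitor", "Sure, it's 4111 1111 1111 1111, exp 12/27, cvv 123"),
    ("agent", "Thanks. And the billing address?"),
    ("visitor", "12 Example Street"),
]

# Phrases a legitimate support agent should never type into a chat widget.
# Assumed patterns; tune them to the merchant's own support vocabulary.
REQUEST_PATTERNS = [
    r"\b(full|complete|entire)\s+card\s+number\b",
    r"\bcvv\b", r"\bcvc\b", r"\bsecurity\s+code\b",
    r"\bexpir(y|ation)\s+date\b",
    r"\b(verify|confirm)\s+your\s+(account|identity)\b.*\bcard\b",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four digits so the alert never stores a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    index: int      # position of the message in the transcript
    sender: str
    kind: str       # "payment_data_request" or "pan_disclosed"
    detail: str     # matched pattern, or masked card number


def scan_transcript(transcript) -> list[Finding]:
    """Flag agent requests for card data and any card number in the chat."""
    findings = []
    for i, (sender, text) in enumerate(transcript):
        low = text.lower()
        if sender == "agent":
            for pat in REQUEST_PATTERNS:
                if re.search(pat, low):
                    findings.append(Finding(i, sender, "payment_data_request", pat))
                    break
        for pan in find_pans(text):
            findings.append(Finding(i, sender, "pan_disclosed", mask(pan)))
    return findings


def session_severity(findings: list[Finding]) -> str:
    """A request followed by an actual disclosure is the case to page on."""
    kinds = {f.kind for f in findings}
    if {"payment_data_request", "pan_disclosed"} <= kinds:
        return "high"
    if kinds:
        return "medium"
    return "none"


if __name__ == "__main__":
    results = scan_transcript(SAMPLE_TRANSCRIPT)
    for f in results:
        print(f"msg {f.index} [{f.sender}] {f.kind}: {f.detail}")
    print("severity:", session_severity(results))
```

The scanner deliberately masks the card number before it reaches an alert, so the detection pipeline does not become a second place where full PANs are stored. Running it only over agent messages for the request patterns avoids flagging a visitor who volunteers that "the CVV field on your checkout is broken".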
Technical Notes – Attack vector: phishing conducted through LiveChat widgets on compromised merchant sites; no known CVE. Data types exfiltrated include credit‑card numbers, expiration dates, CVV, billing addresses, and email addresses. The campaign relies on social engineering rather than a software vulnerability, so patching will not mitigate it. Source: Dark Reading