Scammers running a phishing website for Office 365 credentials added live chat support to bolster the illusion of legitimacy needed to trick victims.
But things don’t always work the way cybercriminals intend, and their bluff was called by security researchers who spotted the scam from a mile away.
Live chat support is nothing new in the world of fraud. It became popular with cybercriminal groups in the ransomware business that wanted to help their victims pay the ransom in bitcoin.
However, its application in phishing fraud is rare. Security researcher Justin Miller, the author of the Phishing Kit Tracker, a collection of emails from 500 phishing kits, says that he has probably seen fewer than ten cases of phishing where chat was available.
This particular Office 365 phishing fraud was discovered by security researcher Michael Gillespie and starts with an email impersonating a Microsoft alert for renewing the subscription for the Office suite of services.
The name of the sender is MSOffice, but the email address is “info@officefamily[.]us,” which could fool plenty of people into believing it is a legitimate notification from Microsoft.
Taking the bait and clicking on the link in the fake email lands you on the shoddy-looking website mso365[.]tech that tries to pass as an official Microsoft resource.
The fraudulent website is still active and the scammers did such a poor job with it that it’s difficult to believe anyone would fall for their ruse.
Probably in an effort to compensate for the lack of professionalism, the fraudsters integrated live chat support into the page using the legitimate chat software tawk.to to provide fake customer support service.
When a potential victim fails to log into their Office 365 account on the fraudulent website, they can turn to the customer support service, which is conveniently visible on the page. This is when the scammer gets to use their social engineering skills.
Gillespie reported the scammer to the Tawk.to chat service, which said in a tweet that it had acted to silence the scammer, at least on the phishing site, by banning the account. The website is still reachable, and taking it down may take some time.
Furthermore, Tawk.to’s action seems to have been a short-lived victory, because the fraudster apparently created a new account and has resumed business.
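A mail-triage check for the two giveaways in the email described above, a brand-claiming display name on an unrelated sender domain and a lookalike link domain, as an added example that is not from the article or the researchers. The allowlist, token list and function names are assumptions, and the sample body text is constructed.

```python
import re
from email.utils import parseaddr

# Assumption: illustrative, non-exhaustive allowlist of Microsoft-owned domains.
LEGIT_DOMAINS = {"microsoft.com", "office.com", "office365.com", "microsoftonline.com"}
# Assumption: tokens that signal a claim to be Microsoft / Office 365.
BRAND_TOKENS = ("microsoft", "msoffice", "office365", "o365")
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)


def refang(text):
    """Undo common defanging so analyst-supplied samples parse normally."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def base_domain(host):
    """Naive last-two-labels domain; use the Public Suffix List in production."""
    host = host.lower().split(":")[0].rstrip(".")
    return ".".join(host.split(".")[-2:])


def claims_brand(text):
    squashed = re.sub(r"[^a-z0-9]", "", text.lower())
    return any(tok in squashed for tok in BRAND_TOKENS)


def triage(from_header, body):
    """Return findings for brand claims not backed by a brand-owned domain."""
    findings = []
    name, addr = parseaddr(refang(from_header))
    sender_domain = base_domain(addr.rpartition("@")[2])
    if claims_brand(name) and sender_domain not in LEGIT_DOMAINS:
        findings.append(("display-name-mismatch", sender_domain))
    for host in URL_RE.findall(refang(body)):
        domain = base_domain(host)
        if claims_brand(host) and domain not in LEGIT_DOMAINS:
            findings.append(("lookalike-link", domain))
    return findings


# Constructed sample: the sender and link domain come from the article; the
# body wording, URL scheme and path are made up for this example.
SAMPLE_FROM = "MSOffice <info@officefamily[.]us>"
SAMPLE_BODY = "Your Office subscription needs renewal: hxxps://mso365[.]tech/renew"

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_BODY):
        print(finding)
```

Substring matching on brand tokens is deliberately broad and will produce false positives, so treat a finding as a reason to quarantine for review rather than as a verdict.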