article featured image


We’re seeing the development of a new phishing scheme in which the phishing scammers are posing as customers and contacting live-chat support agents.

They proceed to present the agents with phony issues or problems and in this manner manage to trick them into opening up malicious documents.

This scheme comes to show just another example of phishing campaigns that are leveraging other communication mediums outside of email.

Unfortunately, it seems that it’s quite easy to catch prospective victims off-guard, this happening because the website operators that are making use of the chat features are not diligently scanning uploaded files for malware.

 From a coding standpoint, I can build logic that will scan for [these chat forms] across any number of websites,the second thing I’m looking for is… an interactable or selectable box [in the form field] that allows me to do a file upload.

I can even anonymize myself through a virtual hosting server for maybe five, 10 bucks a month, and just run my script 24 hours a day and let it scan non-stop like a spiderbot would.


The perpetrators work by selecting a target from among the websites identified by the “spiderbot,” and then craft a communication tailored to the company they’re trying to victimize, therefore in this part of the phishing operation is required a more human-powered, manual approach.

For example, a fake customer could be trying to send a picture of a damaged vehicle to an auto insurance representative, and when sending over this malicious file, it will arrive as a zip format.

This happens because antivirus software is not able to detect if malware is present in compressed files, therefore these documents might contain macros that are able to infect the customer support agent’s machine with malware when enabled.

Devon Ackerman said that the scheme can be adapted to other web forms placed on a website.

The forms and the chat features usually are very plug and play – i.e., ‘Give me a file. I’m going to put the file somewhere’.

We have evolved, globally, from a web technology standpoint. We should be implementing security checks at that stage. I should not be able to have a form take a file, any type of format, and just do something with it, and that’s what a lot of forums and chat features are…


Some companies are hiring their own teams of internal live-chat customer-service agents and others to outsource this function to a third party, but the important aspect to consider is that they must ensure that the teams are well aware of this unconventional phishing scam.

If ultimately you’re receiving some type of form or file transfer through a chat function, the operators should be trained from a standpoint of understanding what it is they’re receiving, the format of what they’re receiving, and what they shouldn’t and shouldn’t have.


Key Takeaways

Companies should have a better understanding of the dangers of macros, as there are some plausible reasons for which the person should have to enable them in a document, spreadsheet, or form upload.

The companies should require live-chat operators to stop using their own computers to review submitted files, and maybe use a “virtualized, segregated, clean workplace,” that preferably operates in the cloud or on a virtual desktop.

This environment should be fortified by more than just antivirus, by enlisting the use of an endpoint detection and response tool.

With our EDR tools, you can enjoy unique prevention, hunting, and remediation capabilities that quickly respond to sophisticated malware – both known and yet unknown.

Heimdal Official Logo
Simple standalone security solutions are no longer enough.
Is an innovative and enhanced multi-layered EDR security approach to organizational defense.
  • Next-gen Antivirus & Firewall which stops known threats;
  • DNS traffic filter which stops unknown threats;
  • Automatic patches for your software and apps with no interruptions;
  • Privileged Access Management and Application Control, all in one unified dashboard
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

In contrast to conventional cybersecurity protection methods, like Antivirus and Firewalls, EDR brings greater visibility into your endpoints and enables faster response times when threats arise.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *