
Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information

Phishing website links are commonly delivered via email to their respective targets. Once clicked, these websites often show a single webpage that outright asks for sensitive information like account login credentials, credit card details, and other personally identifiable information (PII).

Recently, we have encountered an interesting phishing website containing an interactive component in it: a chatbot. Unlike a lot of phishing websites, this one establishes a conversation first, and bit-by-bit guides the victim to the actual phishing pages.

Although the phishing method is quite unique, it still uses email as the delivery channel. A deeper inspection of the email header shows that the “From” header is missing the email address component, which is already a red flag.


Figure 1. Phishing email with spoofed “From” header (DHLexpress).


Figure 2. The spoofed "From" header does not have an email component.
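The header anomaly described above (a “From” value that carries only a display name and no address) is easy to check mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original post or from Trustwave; the two sample messages are constructed here, and the brand name in them is only illustrative. It relies on Python's standard email module; note that parseaddr() treats a bare token such as "DHLexpress" as an address, so the check requires an "@" before it accepts an address component.

```python
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample messages (not taken from the campaign). The first mimics
# a "From" header with a display name only; the second is well formed.
SPOOFED_MSG = (
    b"From: DHLexpress\r\n"
    b"Subject: Delivery problem\r\n"
    b"\r\n"
    b"Please follow our instructions.\r\n"
)
NORMAL_MSG = (
    b"From: DHL Express <noreply@example.com>\r\n"
    b"Subject: Hello\r\n"
    b"\r\n"
    b"body\r\n"
)


def analyse_from_header(raw: bytes) -> dict:
    """Return the parsed From header and whether its address part is missing."""
    msg = message_from_bytes(raw)
    value = msg.get("From", "")
    name, addr = parseaddr(value)
    # parseaddr("DHLexpress") yields ('', 'DHLexpress'): the bare token is
    # returned as the address. Require an '@' before treating it as one.
    if "@" not in addr:
        name, addr = (name or addr), ""
    return {
        "raw": value,
        "display_name": name.strip(),
        "address": addr,
        "missing_address": addr == "",
    }


def flag_messages(messages) -> list:
    """Return the raw From values of every message whose address part is absent."""
    return [
        result["raw"]
        for result in (analyse_from_header(m) for m in messages)
        if result["missing_address"]
    ]


if __name__ == "__main__":
    for raw in (SPOOFED_MSG, NORMAL_MSG):
        print(analyse_from_header(raw))
    print("flagged:", flag_messages([SPOOFED_MSG, NORMAL_MSG]))
```

A missing address is only one signal; in production this check would sit next to the usual SPF, DKIM and DMARC results for the sending domain, and a display name that names a brand while the address (if any) belongs to an unrelated domain deserves the same treatment.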

Clicking the “Please follow our instructions” link will open a browser and direct the recipient to a downloadable PDF file. There are two ways that this file will redirect the recipient to the actual phishing site. The first is through the “Fix delivery” button, and the second is by copying an alternative URL from the file.


Figure 3. Downloadable PDF file carrying the DHL brand that contains the link to the phishing site.

Either of the two methods will redirect the user to the same website, and this is where the actual phishing starts.

The Phishing Link Chain

The first stop is the chatbot-like page that tries to engage and establish trust with the victim. We say “chatbot-like” because it is not an actual chatbot. The application already has predefined responses based on the limited options given.


Figure 4. The portion of the JavaScript containing the predefined responses of the "chatbot".

The first part of the engagement simply confirms the tracking number of the supposedly ordered item.


Figure 5. Chatbot-like page confirming the order tracking number.

By clicking the “yes” option, the program will try to engage at a higher level with the victim by showing the picture of the item and asking for the preferred delivery address (i.e., home or office address).


Figure 6. The “chatbot” giving more details and instructions to the recipient.

To gain even more confidence and trust from the target, a CAPTCHA is presented right after the victim clicks the “Schedule delivery” button. However, something is odd here: nothing else is clickable except for the confirm and close buttons.


Figure 7. Fake CAPTCHA requiring the victim to type the exact numbers presented.

By checking the page source, it can be confirmed that the CAPTCHA is nothing more than an embedded JPEG image file.


Figure 8. The CAPTCHA is simply an image embedded in the HTML.

By clicking “Confirm”, the victim will now be redirected to another page where the “chatbot” asks for login credentials (i.e., email address and password) as well as the delivery address.


Figure 9. The "chatbot" asking for the victim's email, password, and delivery address.

At this point you might think that the perpetrators have taken what they want, but you would be wrong. The phishing does not stop on this page. Clicking the “Schedule Delivery and Pay” button will redirect the victim to yet another phishing page, this time designed to steal credit card information.


Figure 10. Credit card details harvester.

The credit card page has some input validation methods. One is card number validation, wherein it tries not only to check the validity of the card number but also to determine the type of card the victim has entered.

Once the victim fills out the form, clicking the “PAY NOW” button will redirect the victim to a loading page, which after a few seconds will then redirect to an OTP (One-Time Password) page. An OTP is an automatically generated string of characters (numeric or alphanumeric) that is usually sent to the user’s registered mobile number. It serves as another layer of user authentication for a single transaction or session.


Figure 11. The program asking for OTP that was sent to the victim's phone number.

The fact that the web page asks for OTP is quite surprising because the previous pages did not ask for any mobile number information. Putting in random characters will just redirect you to the same page stating that the security code is no longer valid. On the fifth try, however, the page redirects to another page saying that the submission was successfully received. This marks the end of the perpetrator’s phishing chain.


Figure 12. A submission success status after several OTP attempts.

Summary of the Phishing Link Chain:

1. Chatbot Engagement
2. Credential Phishing
3. Credit Card Phishing
4. Loading Page
5. OTP Page
6. Submission Successful Status

It is worth noting that the URLs start with “dhi”, a misspelled version of the brand name “dhl” or “DHL”, which is clearly a spoofing technique.
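Look-alike hostnames such as the “dhi” for “dhl” substitution noted above can be caught by normalising confusable characters before comparing domain tokens against a brand list. The following is an added example written for this post, not code from Trustwave or from the campaign; the URLs, the "example" hostnames and the allowlist of brand domains are all constructed for illustration. It goes a little beyond the single case in the text by also reporting hostnames that carry the brand name outright but sit outside the allowlist, and one-character typos caught by edit distance.

```python
from urllib.parse import urlparse

# Hypothetical allowlist of the brand's genuine registrable domains. A real
# deployment would source this from the brand owner, not from this example.
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}

# Characters and digraphs commonly substituted for look-alike letters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("i", "l"), ("1", "l"), ("0", "o")]


def normalise(token: str) -> str:
    """Map confusable characters onto the letters they imitate ('dhi' -> 'dhl')."""
    for bad, good in CONFUSABLES:
        token = token.replace(bad, good)
    return token


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalikes(url: str, brands=BRAND_DOMAINS) -> list:
    """Return (token, brand, reason) findings for a URL's hostname.

    reason is 'brand-in-domain' when the brand appears literally in a hostname
    token outside the allowlist, 'confusable' when it appears only after
    normalising look-alike characters, and 'typo' for edit distance 1.
    """
    host = (urlparse(url).hostname or "").lower()
    # Naive registrable domain (last two labels); sufficient for this demo.
    registrable = ".".join(host.split(".")[-2:])
    tokens = {t for label in host.split(".") for t in label.split("-") if t}
    findings = []
    for brand, legit in brands.items():
        if registrable in legit:
            continue  # the brand's own domain is not a look-alike
        for tok in sorted(tokens):
            if brand in tok:
                findings.append((tok, brand, "brand-in-domain"))
            elif brand in normalise(tok):
                findings.append((tok, brand, "confusable"))
            elif levenshtein(tok, brand) == 1:
                findings.append((tok, brand, "typo"))
    return findings


if __name__ == "__main__":
    # Constructed URLs; the .example hostnames do not exist.
    for u in ("https://dhi-parcel-delivery.example/fix",
              "https://www.dhl.com/track",
              "https://dhl-tracking.example/",
              "https://dhk-express.example/"):
        print(u, "->", brand_lookalikes(u))
```

Run against every URL in a delivery chain like the one summarised above (email link, PDF link, each redirect target), a single 'confusable' hit on the first hop is enough to route the message for analyst review; the allowlist keeps the brand's own tracking domains out of the findings.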

The sample of this phishing email was detected by Trustwave MailMarshal on March 25, 2022. As of this writing, the actual phishing application is still active, but now using a newly registered domain.


In general, using chatbots adds an interactive component to a website. This often results in a higher conversion rate because it makes the site more interesting and engaging for users. This is what the perpetrators of this phishing campaign are trying to capitalize on. Aside from spoofing the target brand in the phishing email and on the website, the chatbot-like component slowly lures the victim to the actual phishing pages. The addition of fake OTP and CAPTCHA pages also makes the phishing website seem more legitimate.

Chatbot, OTP, and CAPTCHA technologies are already common and widely used by big brands in their online systems. Therefore, customers are advised to be very careful about what they click online and to be aware of sophisticated phishing campaigns such as this one.

Indicators of Compromise















