Schemers Are Using the Good Name of DHL to Perform Phishing Attacks

DHL Phishing Scam

Most of you are probably familiar with the anticipation associated with waiting for the arrival of something you've ordered online, and thanks to the lockdown boredom, this feeling is all the more intense at the moment. As a result, when you see an email that appears to be coming from DHL and a subject that urges you to 'Please confirm your shipping address,' you are likely to be eager to open it up and follow the instructions. If you do, however, you could end up falling victim to a new phishing attack.

A new phishing attack targets DHL users with a fake tracking link

The emails were spotted by researchers from Sophos, and it must be said that at first glance, the messages do look like regular shipping notifications. The user is told that a package addressed to them is registered in DHL's systems, and there is a link through which they can allegedly track it. Following the link leads them to an "Online Parcel Tracker," and to use it, they must first enter their username and password.

If they do, the credentials will be sent to the phishers, who will then be able to log into the user's DHL account.

The scammers are likely after more than just your DHL account

Truth be told, there's not much the scammers can do with your DHL account. Indeed, it does contain personal information, and we're pretty sure that people on the dark web might be ready to pay some crypto coins for it, but the data is nowhere near as valuable as what is found in your social media profiles, for example. Thanks to people's lax security habits, however, the DHL credentials could end up opening quite a lot of accounts.

The phishers are hoping that most of the victims are reusing their DHL password for many other accounts, and once they've gathered enough login data, they'll likely launch a credential stuffing campaign against other online services. The DHL password is just a stepping stone for further malicious activity, and given the current climate and the fact that plenty of people are now expecting to receive goods from the shipping company, the scammers' choice to target this particular set of credentials is a good one. It must be said, however, that the rest of the campaign is not very well thought-out.

The scam should be pretty obvious for the more careful users

More than a few things can tell you that something's not quite right if you're vigilant enough. Unlike other phishing enthusiasts, the people organizing this campaign haven't made any immediately obvious spelling or grammatical errors, but the wording is a bit odd in places, and so is the excessive use of exclamation points. The scammers didn't put a lot of effort into the design and formatting, either.

They did try to get the color scheme right for the email, but they decided not to bother with DHL's logo and instead wrote "DHL Express" in large red letters. The logo is present on the phishing page, but despite this, the look of the bogus login form is nowhere near as convincing as what we've seen in other phishing campaigns.

The phishing page is actually hosted on a webserver that belongs to a construction company in Bahrain. The phishers went through the trouble of compromising it in order to upload their phishing page there, but they didn't bother with using its SSL certificate to make the scam a bit more convincing. As a result, even if you fail to notice that the address has nothing to do with DHL, the warning about an insecure connection that your browser displays should be a pretty good tip-off.
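The two tip-offs described above, a link host that has nothing to do with DHL and a missing HTTPS connection, can also be checked automatically at a mail gateway or in a triage script. The following is an added example, not code from Sophos or from the campaign: the trusted-domain list, the function names and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains treated as DHL-owned; extend for regional sites.
TRUSTED_DOMAINS = ("dhl.com",)

# Constructed sample message; hosts use the reserved .example TLD.
SAMPLE_HTML = """<p>DHL Express</p>
<p>Please confirm your shipping address!!</p>
<a href="http://builder.example/track/login.html">Online Parcel Tracker</a>
<a href="https://dhl.com.parcel.example/help">Help</a>
<a href="https://www.dhl.com/">DHL website</a>"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")


def host_is_trusted(host):
    # Compare on a label boundary so "dhl.com.parcel.example" is rejected.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def audit_email(html_body, brand="dhl"):
    """Return {href: [reasons]} for links that contradict the brand claim."""
    parser = LinkCollector()
    parser.feed(html_body)
    claims_brand = brand in html_body.lower()
    findings = {}
    for href in parser.hrefs:
        url = urlsplit(href)
        reasons = []
        if claims_brand and not host_is_trusted(url.hostname or ""):
            reasons.append("host-not-dhl")
        if url.scheme != "https":
            reasons.append("no-tls")
        if reasons:
            findings[href] = reasons
    return findings
```

Calling `audit_email(SAMPLE_HTML)` flags the plain-HTTP tracker link on both counts and the lookalike host on the domain check, while the genuine `www.dhl.com` link passes.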

On the whole, it's not the most sophisticated scam out there. It looks like it was designed in a hurry and with a tangible lack of attention to detail. Nevertheless, you'll manage to avoid it only if you're on the lookout for the tell-tale signs, so being more careful is still very important.

May 15, 2020