- A phishing campaign spoofs DHL emails to steal login information
- Victims are tricked with a fake waybill confirmation and staged validation steps
- Collected data, including passwords and device details, is sent directly to the attacker’s mailboxes
Forcepoint has released a report on an ongoing phishing campaign designed to steal people’s DHL login credentials.
It starts by sending an email to the victim and asking for confirmation of a waybill. Although the email itself looks authentic and is designed in the same way as legitimate DHL emails, this one is easy to spot as a fake – the domain used to send the message is cupelva[.]com – completely unrelated to DHL.
But many people don’t double-check the sender’s address, so it’s safe to assume that some will fall for the trick and click the “Verify Waybill Information” button that comes with the message.
Manipulate perception
When this happens, victims are redirected to a malicious landing page where they are first asked to enter the package code on the screen. Obviously, this is all bogus and only built to get the victim to lower their guard and trust the process.
“This page is designed to look like a shipment validation step. It’s not a real OTP mechanism,” Forcepoint said. “This step serves no authentication function. It exists to manipulate the victim’s perception of the workflow.”
After entering the numbers displayed on the screen, the site waits for a few seconds to make the victim believe that something is really being analyzed in the backend. The victim is then redirected to another page where they are asked to enter their login details.
This is where the theft happens, and if the victims end up providing the password, it will be forwarded via email:
“The kit initializes EmailJS and sends the collected data using the configured service and template. The attacker’s mailbox is slatty077@tutamail[.]com,” Proofpoint added. In addition to the email and password, the campaign also captures victims’ IP addresses, device details and location data.
“Phishing does not require technical sophistication to succeed,” Proofpoint stressed. “This campaign works because it feels ordinary. The DHL branding is familiar, the verification step looks legitimate, and the login form appears to confirm something the victim has already started. None of it is real.”
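A defender-side triage heuristic for captured landing pages, added here as an example and not taken from the report or the kit: it flags HTML that combines a password field with EmailJS client code, the exfiltration path described above. The marker patterns and the three sample pages are constructed assumptions; EmailJS is a legitimate service, so its presence without a password field does not raise an alert.

```python
import re
from html.parser import HTMLParser

# EmailJS client-side markers (SDK package name, init/send calls, REST host).
MARKERS = {
    "sdk": re.compile(r"@emailjs/browser", re.I),
    "init": re.compile(r"emailjs\s*\.\s*init\s*\(", re.I),
    "send": re.compile(r"emailjs\s*\.\s*send(?:Form)?\s*\(", re.I),
    "rest": re.compile(r"api\.emailjs\.com", re.I),
}

class PageScan(HTMLParser):
    """Counts password inputs and collects script sources and inline bodies."""
    def __init__(self):
        super().__init__()
        self.password_fields, self.scripts, self._in_script = 0, [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "script":
            self._in_script = True
            self.scripts.append(a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def triage(html):
    """Flag a page only when a password field and EmailJS code co-occur."""
    scan = PageScan()
    scan.feed(html)
    js = "\n".join(scan.scripts)
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(js))
    return {"password_fields": scan.password_fields, "emailjs": hits,
            "alert": scan.password_fields > 0 and bool(hits)}

# Constructed samples (not from the kit): credential page, contact form, plain login.
CRED_PAGE = """<script src="https://cdn.jsdelivr.net/npm/@emailjs/browser@4/dist/email.min.js"></script>
<form><input type="email"><input type="PASSWORD"></form>
<script>emailjs.init("PUBLIC_KEY_PLACEHOLDER");
emailjs.send("service_placeholder", "template_placeholder", data);</script>"""
CONTACT_PAGE = """<form><input type="text" name="message"></form>
<script>emailjs.sendForm("service_placeholder", "template_placeholder", "#f");</script>"""
LOGIN_PAGE = '<form><input type="password"></form><script>console.log("ok")</script>'
```

Calling `triage(CRED_PAGE)` returns the matched marker names alongside the alert flag, so an analyst can see which signal fired before escalating.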



