- Phishing campaign spoofs DHL emails to steal login credentials
- Victims are tricked with fake consignment note confirmation and staged validation steps
- The captured data, including passwords and device details, is sent directly to the attackers’ mailboxes.
Forcepoint has published a report about an ongoing phishing campaign designed to steal people’s DHL login credentials.
It begins with an email asking the victim to confirm a consignment note. The email looks authentic and mimics the design of legitimate DHL messages, but it is easy to spot as fake: the domain used to send the message is cupelva[.]com, which is completely unrelated to DHL.
But many people don’t double-check the sender address, so it’s safe to assume that some might fall for the trick and click the “Confirm Waybill Information” button included with the message.
Manipulate perception
When that happens, victims are redirected to a malicious landing page where they are first asked to enter the package code that appears on the screen. None of this is real; the step is designed only to get the victim to lower their guard and trust the process.
“This page is designed to look like a submission validation step. It is not a real OTP mechanism,” Forcepoint said. “This step does not serve any authentication function. It exists to manipulate the victim’s perception of the workflow.”
After typing the numbers displayed on the screen, the page waits a few seconds, so that the victim thinks that something is actually being analyzed in the backend. After that, the victim is redirected to a second page, where they are asked to provide their login credentials.
This is where the theft occurs: if victims enter their password, it is transmitted to the attackers via email:
“The kit initializes EmailJS and sends the captured data using the configured service and template. The attacker’s mailbox is slatty077@tutamail[.]com,” Proofpoint added. In addition to the email and password, the campaign also captures victims’ IP addresses, device details, and location data.
“Phishing does not need technical sophistication to be successful,” Proofpoint stressed. “This campaign works because it looks normal. The DHL branding is familiar, the verification step looks legitimate, and the login form seems to confirm something the victim has already started. None of it is real.”
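The EmailJS mail-out described above gives defenders something concrete to look for when triaging a captured landing page: a password field on a page that also sends mail from the browser. The following is an added example, not code from the report or from the kit; the marker list, the profiling hints and the three sample pages are assumptions constructed for illustration.

```javascript
// Static triage heuristic: credential form + client-side EmailJS mail-out.
// Markers for the EmailJS browser SDK (script load, init, send calls, REST endpoint).
const EMAILJS_MARKERS = [
  { name: "sdk-load", re: /@emailjs\/browser|emailjs-com|cdn\.emailjs\.com/i },
  { name: "init", re: /\bemailjs\s*\.\s*init\s*\(/ },
  { name: "send", re: /\bemailjs\s*\.\s*send(?:Form)?\s*\(/ },
  { name: "rest-endpoint", re: /api\.emailjs\.com\/api\/v1\.0\/email\/send/i },
];
// Password inputs, tolerant of attribute order and quoting.
const PASSWORD_INPUT = /<input\b[^>]*\btype\s*=\s*["']?password\b/i;
// Assumed hints of device/IP/location collection (not taken from the report).
const PROFILING_HINTS = /navigator\.userAgent|ipify|geolocation/i;

function triagePage(html) {
  const markers = EMAILJS_MARKERS.filter((m) => m.re.test(html)).map((m) => m.name);
  const hasPassword = PASSWORD_INPUT.test(html);
  const profiles = PROFILING_HINTS.test(html);
  const sendsMail = markers.includes("send") || markers.includes("rest-endpoint");
  let verdict = "clean";
  if (hasPassword && sendsMail) verdict = "credential-exfil-suspected";
  else if (markers.length > 0) verdict = "emailjs-present"; // e.g. a contact form
  return { verdict, markers, hasPassword, profiles };
}

// Constructed sample: markers only, placeholders instead of real IDs, no form wiring.
const SAMPLE_SUSPECT = `
<script src="https://cdn.jsdelivr.net/npm/@emailjs/browser@4/dist/email.min.js"></script>
<form><input type="email" name="user"><input name="pw" type="password"></form>
<script>
  emailjs.init("PUBLIC_KEY_PLACEHOLDER");
  var ua = navigator.userAgent;
  emailjs.send("SERVICE_ID_PLACEHOLDER", "TEMPLATE_ID_PLACEHOLDER", params);
</script>`;

// Constructed sample: legitimate contact form that also uses EmailJS.
const SAMPLE_CONTACT = `
<form id="contact"><input type="text" name="message"></form>
<script>emailjs.sendForm("SERVICE_ID_PLACEHOLDER", "TEMPLATE_ID_PLACEHOLDER", "#contact");</script>`;

// Constructed sample: ordinary login form posting to its own backend.
const SAMPLE_LOGIN = `
<form method="post" action="/session"><input type='password' name="p"></form>`;

for (const [label, page] of [["suspect", SAMPLE_SUSPECT], ["contact", SAMPLE_CONTACT], ["login", SAMPLE_LOGIN]]) {
  console.log(label, JSON.stringify(triagePage(page)));
}
```

A hit is a reason to look closer, not proof: the verdict only says the page can mail out whatever is typed into its password field.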




