- Phishing campaign spoofs DHL emails to steal login credentials
- Victims are tricked with fake waybill confirmation and staggered validation steps
- Captured data, including passwords and device details, is sent directly to attackers’ mailboxes
Forcepoint has released a report on an ongoing phishing campaign aimed at stealing users’ DHL login credentials.
The attack begins with an email asking the victim to confirm a waybill. Although the email appears authentic and is styled like legitimate DHL emails, it is easy to spot as fake: the domain used to send the message is Cupelva[.]com, which is unrelated to DHL.
But many people don’t verify the sender’s address, so it’s safe to assume that some might fall for the trap and click the “Confirm Waybill Information” button included in the message.
Manipulate perception
When this happens, victims are redirected to a malicious landing page where they are first asked to enter the parcel code provided on the screen. Obviously this is all fake and constructed solely to get the victim to let their guard down and trust the process.
“This page is designed to look like a shipment validation step. It is not a true OTP mechanism,” Forcepoint said. “This step does not serve any authentication function. It exists to manipulate the victim’s perception of the workflow.”
After typing the numbers displayed on the screen, the page waits for a few seconds, to make the victim believe that something is actually being analyzed in the backend. After that, the victim is redirected to a second page, where they are asked to provide their login credentials.
This is where the theft occurs. If the victim provides the password, it is relayed by email:
“The kit initializes EmailJS and sends the captured data using the configured service and template. The attacker’s mailbox is slatty077@tutamail[.]com,” Proofpoint added. Besides email and password, the campaign also captures victims’ IP addresses, device details, and location data.
“Phishing does not need technical sophistication to succeed,” Proofpoint emphasized. “This campaign works because it seems ordinary. The DHL branding is familiar, the verification step seems legitimate, and the login form seems to confirm something the victim has already started. None of this is real.”
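A static triage heuristic for the pattern described above, a credential form on a page that also loads or calls EmailJS. This is an added example, not code from the report or from the kit; the sample pages, the placeholder keys and the `cdn.example` host are constructed, and the marker strings are EmailJS's public SDK call names, npm package name and API host.

```python
from html.parser import HTMLParser

# EmailJS markers: browser SDK calls, npm package name, REST API host.
EMAILJS_MARKERS = ("emailjs.init", "emailjs.send", "@emailjs/browser", "api.emailjs.com")

class _PageScan(HTMLParser):
    """Collects password inputs and EmailJS references from one HTML document."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.markers = set()
        self._in_script = False

    def _note(self, text):
        self.markers.update(m for m in EMAILJS_MARKERS if m in text.lower())

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "input" and attrs.get("type", "").lower() == "password":
            self.password_inputs += 1
        if tag == "script":
            self._in_script = True
            self._note(attrs.get("src", ""))  # SDK pulled in from a CDN

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._note(data)  # inline init/send calls; visible page text is ignored

def triage(html):
    """Flag a page as suspicious when a password field and EmailJS appear together."""
    scan = _PageScan()
    scan.feed(html)
    scan.close()
    return {
        "password_inputs": scan.password_inputs,
        "emailjs_markers": sorted(scan.markers),
        "suspicious": scan.password_inputs > 0 and bool(scan.markers),
    }

# Constructed sample pages (not taken from the campaign).
KIT_LIKE = """<html><body><form><input type="email"><input type="password"></form>
<script src="https://cdn.example/@emailjs/browser/email.min.js"></script>
<script>emailjs.init("PUBLIC_KEY_PLACEHOLDER"); emailjs.send("svc", "tpl", {});</script></body></html>"""
CONTACT_FORM = '<html><body><input type="text"><script>emailjs.init("PLACEHOLDER");</script></body></html>'
PLAIN_LOGIN = '<html><body><form><input type="password"></form></body></html>'
```

EmailJS is a legitimate service, so a hit from `triage()` is a lead for analysis of a saved landing page rather than a verdict.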