DHL Phishing Campaigns

As reported by Check Point in October 2022, DHL is the brand most imitated by criminals attempting to phish credentials and payment information during Q3 of 2022.

The scam typically dupes the victim into paying a small amount in order to allow a shipment to be delivered to them. Since the amount is tiny, often $2-3, the victim does not fear a great loss from making such a payment – after all, they are getting something delivered via DHL…..right?!

How exactly does this scam work?

First, the victim gets an email that contains a teaser like this:

A delivery! For me? What could I have ordered….?

The link in this example, slightly modified of course, seems to have a campaign ID or similar and terminate with the victim’s email address. After all, you want to know how effective your campaign is as a criminal:

This looks like the DHL URL I was expecting

Clicking the link bounces you off that compromised host onto a DHL look-a-like site where you are encouraged to begin entering your information:

All trolling Musk, we are…

Of course this information is not enough, the key to this scam is getting the credit card, expiry and CVV2 to run cardholder-not-present transactions:

CVV2 is 2599. Don’t ask me how I know.

Credibility is key in the scam, probably to send the victim off towards DHL and not to their credit card company. I am still awaiting the SMS with the verification code (so is Twitter HQ’s phone line), long after the 2 minutes Javascript countdown has expired:

Random verification codes do not work!

The website look and feel is completed by the footer. If anyone actually tries calling 1.800.GoDiePost (1.800.463 3339), they will be amused as it is the Canadian FedEx Customer Service number. The criminals either have a sense of humour or want the victim to waste their time (and FedEx’s time) on a wild goose chase.

In the meanwhile, the crooks have the card number, CVV2 and enough personal information to go shopping.

The moral of the story is that these phishing campaigns do seem plausible, they do have a reasonable look and feel, logical user journeys and possibly come with a plausible flaw in the SMS not being delivered. Many people will fall for it, get no package and only realise when their next credit card statement arrives.