
- A phishing campaign is spoofing DHL emails to steal login credentials
- Victims are tricked with a fake waybill confirmation and staged validation steps
- Captured data, including passwords and device details, is sent directly to attacker mailboxes
Forcepoint has published a report about an ongoing phishing campaign designed to steal people’s DHL login credentials.
It starts with an email asking the victim to confirm a waybill. The email looks authentic and is styled the same way legitimate DHL emails are, but it is easy to spot as fake: the domain used to send the message is cupelva[.]com, which is completely unrelated to DHL.
But many people don’t double-check the sender’s address, so it’s safe to assume some might fall for the trick and click on the “Confirm Waybill Information” button included with the message.
Manipulating the perception
When that happens, the victims are redirected to a malicious landing page where they are first asked to type in the parcel code provided on the screen. Obviously, the entire thing is fake, and built only to get the victim to lower their guard and trust the process.
“This page is designed to look like a shipment validation step. It is not a real OTP mechanism,” Forcepoint said. “This step serves no authentication function. It exists to manipulate the victim's perception of the workflow.”
After typing in the numbers shown on the screen, the page waits for a few seconds, to get the victim to think that something is really being analyzed in the backend. After that, the victim is redirected to a second page, where they’re asked to provide their login credentials.
This is where the theft happens. If victims do end up providing the password, it is relayed via email:
“The kit initializes EmailJS and sends the captured data using the configured service and template. The attacker mailbox is slatty077@tutamail[.]com,” Proofpoint added. Besides the email and the password, the campaign also captures the victims’ IP addresses, device details, and location data.
“Phishing does not need technical sophistication to succeed,” Proofpoint stressed. “This campaign works because it feels ordinary. The DHL branding is familiar, the verification step looks legitimate, and the login form appears to confirm something the victim already started. None of it is real.”
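A triage check a defender can run over a saved copy of a suspected landing page, flagging the combination described above: a password field on a page that also loads or calls EmailJS. This is an added example, not code from the report or from the kit; `triage_page`, the marker names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# EmailJS browser SDK calls and API host. Legitimate sites use EmailJS too,
# so a marker only counts when the same page also collects a password.
EMAILJS_MARKERS = {
    "sdk_init": re.compile(r"\bemailjs\s*\.\s*init\s*\("),
    "sdk_send": re.compile(r"\bemailjs\s*\.\s*send(?:Form)?\s*\("),
    "api_host": re.compile(r"api\.emailjs\.com", re.I),
}

class PageScan(HTMLParser):
    """Counts password inputs and collects script URLs and inline script text."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self._in_script = True
            self.script_text.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)

def triage_page(html):
    """Return findings for one saved landing page (HTML as a string)."""
    scan = PageScan()
    scan.feed(html)
    scan.close()
    js = "\n".join(scan.script_text)
    hits = sorted(n for n, rx in EMAILJS_MARKERS.items() if rx.search(js))
    return {"password_inputs": scan.password_inputs, "emailjs_markers": hits,
            "suspicious": scan.password_inputs > 0 and bool(hits)}

# Constructed sample with placeholder values; not taken from the real kit.
SAMPLE_LOGIN = """<form><input type="email"><input type="password"></form>
<script>emailjs.init("PUBLIC_KEY_PLACEHOLDER");
function relay(p) { emailjs.send("SERVICE_ID", "TEMPLATE_ID", p); }</script>"""
```

A hit is a lead for an analyst, not a verdict: contact forms legitimately use EmailJS, which is why the check requires a password input on the same page.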