A scam based on a fake DHL delivery notification has been making the rounds, with the malicious actors using a new, mellow approach to conning people out of their information.
Delivery notification scams themselves are not new, but Sophos’ team came across a version using a well-constructed, yet still flawed, DHL message that uses a bit of reverse psychology. Instead of filling the email with lots of exclamation points and dire messages, it calmly informs the recipient that a package is on the way and can be tracked by clicking the included link.
If the victim decides to click through, he or she is presented with a good representation of a DHL tracking page that asks for the person’s login credentials. If these are entered, the bad guys obtain credentials to access the DHL account, and they can also check whether the victim is among the many who use the same username and password for other accounts.
There are a couple of missteps in both the email and the fake tracking page. Hovering over the link in the email shows it does not lead to a DHL site, but instead to a web server belonging to a Bahrain-based construction company that was hacked and taken over by the criminals.
The same problem appears on the fraudulent tracking page. The URL does not in any way relate to the shipping company, nor is the page served securely, Sophos said. Foolishly, the threat actors in this case made a second error by not using the hacked server’s HTTPS certificate in their scam, creating another way to tell it is malicious.
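The three tells described above (the link's real destination is not a DHL domain, the displayed URL differs from the actual href, and the page is plain HTTP rather than HTTPS) can be checked mechanically before anyone clicks. The following is an added example written for this article, not code from Sophos or from DHL; it parses anchor tags out of a constructed email body and reports each of those signals. The hostname in the sample is a placeholder standing in for the compromised third-party server, and the set of legitimate DHL domains is an assumption for illustration, not an authoritative list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a stripped-down version of the "calm" delivery notice
# described in the article. The host is a placeholder (.example is reserved)
# standing in for the hacked construction-company web server.
SAMPLE_EMAIL_HTML = """
<p>Your DHL parcel is on its way. You can follow its progress here:</p>
<a href="http://compromised-construction-site.example/dhl/track.php?id=1">
  https://www.dhl.com/tracking
</a>
"""

# Assumed mapping of brand -> registrable domains the brand legitimately
# links to. Treat this as a placeholder; a real deployment would maintain it.
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}


class LinkExtractor(HTMLParser):
    """Collects (href, visible link text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last-two-labels approximation of the registrable domain (no PSL lookup)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text, brand):
    """Return the list of reasons this link matches the scam pattern (empty if clean)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    expected = BRAND_DOMAINS[brand]
    # Tell 1: the real destination does not belong to the brand.
    if registrable_domain(host) not in expected:
        reasons.append(f"href host {host!r} is not a {brand.upper()} domain")
    # Tell 2: the displayed URL points somewhere other than the href does.
    shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"displayed host {shown!r} differs from actual host {host!r}")
    # Tell 3: the tracking page is not served over HTTPS.
    if parsed.scheme != "https":
        reasons.append(f"scheme {parsed.scheme!r} is not https")
    return reasons


def scan_email(html, brand="dhl"):
    """Return {href: [reasons]} for every link that trips at least one check."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = {}
    for href, text in extractor.links:
        reasons = check_link(href, text, brand)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run on the sample, `scan_email` reports all three signals for the single link. A link whose href is on an assumed DHL domain, served over HTTPS, with plain link text produces no findings, which is the behaviour a mail-gateway rule or user-facing warning would key on.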