[German]A short warning at the begin of this week. There are probably phishing mails with alleged DHL senders in circulation that have an unknown keylogger attached.
Advertising
I became aware of this topic via a tweet on a British website. Since DHL is mentioned as the sender.
Fake DHL email delivers an unknown keylogger coupled with a phishing scam https://t.co/mDZGFUg4iz pic.twitter.com/C0FRo6hB4e
— My Online Security (@dvk01uk) September 8, 2019
The fake e-mail allegedly comes from the US branch of the DHL courier service and has the following content
From: DHL EXPRESS mail[.]us[at]dhlcourier]us
Date: Sun 08/09/2019 02:37
Subject: RE: DHL DELIVERY
Attachment: DHL_FORM.doc
Body content:Dear Customer,
We tried to deliver your item to your address this morning 7th September, 2019. (See the attached file) .
The delivery attempt was unsuccessful because no one was present at the delivery address given to us, so the notification is automatically sent.
If the parcel is not scheduled for re-projection or receipt within 72 hours on weekdays, it will be returned to the sender.
Tag number: DB0011622801 / 17BA
Expected delivery date: September 7th, 2019
Packet Services
Agency (s): Delivery Confirmation
Status: Mission sent
Sender: Macy's Department Store Company
Your package has not been delivered.
Delivery Time: 08:57 AM
Number of Packages: 1
Weight: 5.0 LBSDear Customer
See attached form and correct your address.
We apologize and thank you for your confidence.Thank you,
Customer Service DHL.
2019 © DHL International GmbH. All rights reserved.
One of the usual notifications when you miss a shipment delivery? Recipients should note that an attachment asks them to correct the address using a form. Here is the screenshot of the mail:
(DHL phishing mail, Source: myonlinesecurity.co.uk, Click to zoom)
Advertising
All alleged senders, companies, employee names, telephone numbers, quantities, reference numbers, etc. mentioned in the e-mails have been randomly selected. The sole purpose is to establish trustworthiness and to induce the user to download the attached .doc or .xls file. The Word or Excel files are provided with a macro script or embedded OLE object that infects the user on execution.
This website has some more details here. The malware is downloaded from https[://]heritagebank[.ga]/Quotation[.}exe. The website is delivered via Cloudflare. It is probably the root URL for a real bank that has mutated into a phishing site. The .exe file contains a keylogger for Windows.
