{"id":11081,"date":"2019-09-09T09:52:06","date_gmt":"2019-09-09T07:52:06","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=11081"},"modified":"2020-02-01T15:14:28","modified_gmt":"2020-02-01T14:14:28","slug":"fake-dhl-mail-mit-unbekanntem-keylogger-im-gepck","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/09\/09\/fake-dhl-mail-mit-unbekanntem-keylogger-im-gepck\/","title":{"rendered":"Fake DHL mail with unknown keylogger attached"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/09\/09\/fake-dhl-mail-mit-unbekanntem-keylogger-im-gepck\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]A short warning at the beginning of this week. There are probably phishing mails with alleged DHL senders in circulation that have an unknown keylogger attached.<\/p>\n<p><!--more--><\/p>\n<p>I became aware of this topic via a tweet on a British website. 
Since DHL is mentioned as the sender.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Fake DHL email delivers an unknown keylogger coupled with a phishing scam <a href=\"https:\/\/t.co\/mDZGFUg4iz\">https:\/\/t.co\/mDZGFUg4iz<\/a> <a href=\"https:\/\/t.co\/C0FRo6hB4e\">pic.twitter.com\/C0FRo6hB4e<\/a><\/p>\n<p>\u2014 My Online Security (@dvk01uk) <a href=\"https:\/\/twitter.com\/dvk01uk\/status\/1170631367312334848?ref_src=twsrc%5Etfw\">September 8, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/p>\n<p>The fake e-mail allegedly comes from the US branch of the DHL courier service and has the following content<\/p>\n<blockquote>\n<p><strong>From<\/strong>:&nbsp; DHL EXPRESS mail[.]us[at]dhlcourier]us<br \/><strong>Date<\/strong>:&nbsp; Sun 08\/09\/2019 02:37<br \/><strong>Subject<\/strong>: RE: DHL DELIVERY<br \/><strong>Attachment<\/strong>: DHL_FORM.doc<br \/><strong>Body content<\/strong>:  <\/p>\n<p>Dear Customer,  <\/p>\n<p>We tried to deliver your item to your address this morning 7th September, 2019. (See the attached file) .  <\/p>\n<p>The delivery attempt was unsuccessful because no one was present at the delivery address given to us, so the notification is automatically sent.  <\/p>\n<p>If the parcel is not scheduled for re-projection or receipt within 72 hours on weekdays, it will be returned to the sender.  <\/p>\n<p>Tag number: DB0011622801 \/ 17BA  <\/p>\n<p>Expected delivery date: September 7th, 2019  <\/p>\n<p>Packet Services  <\/p>\n<p>Agency (s): Delivery Confirmation<br \/>Status: Mission sent<br \/>Sender: Macy's Department Store Company<br \/>Your package has not been delivered.<br \/>Delivery Time: 08:57 AM<br \/>Number of Packages: 1<br \/>Weight: 5.0 LBS<\/p>\n<p>Dear Customer<\/p>\n<p>See attached form and correct your address.<br \/>We apologize and thank you for your confidence.  
<\/p>\n<p>Thank you,  <\/p>\n<p>Customer Service DHL.<br \/>2019 \u00a9 DHL International GmbH. All rights reserved.<\/p>\n<\/blockquote>\n<p>One of the usual notifications when you miss a shipment delivery? Recipients should note that an attachment asks them to correct the address using a form. Here is the screenshot of the mail:&nbsp; <\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Phishing-Mail (DHL)\" alt=\"Phishing-Mail (DHL)\" src=\"https:\/\/i.imgur.com\/ol0n6tc.jpg\" width=\"609\" height=\"420\"><br \/>(DHL phishing mail, Source: myonlinesecurity.co.uk, <a href=\"https:\/\/i.imgur.com\/ol0n6tc.jpg\" target=\"_blank\" rel=\"noopener noreferrer\">Click to zoom<\/a>)  <\/p>\n<p>All alleged senders, companies, employee names, telephone numbers, quantities, reference numbers, etc. mentioned in the e-mails have been randomly selected. The sole purpose is to establish trustworthiness and to induce the user to download the attached .doc or .xls file. The Word or Excel files contain a macro script or embedded OLE object that infects the user's system when executed.<\/p>\n<p><a href=\"https:\/\/web.archive.org\/web\/20191206002259\/https:\/\/myonlinesecurity.co.uk\/fake-dhl-email-delivers-an-unknown-keylogger-coupled-with-a-phishing-scam\/\" target=\"_blank\" rel=\"noopener noreferrer\">This website has some more details here<\/a>. The malware is downloaded from https[:\/\/]heritagebank[.ga]\/Quotation[.}exe. The website is delivered via Cloudflare. It is probably the root URL for a real bank that has mutated into a phishing site. The .exe file contains a keylogger for Windows. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A short warning at the beginning of this week. 
There are probably phishing mails with alleged DHL senders in circulation that have an unknown keylogger attached.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-11081","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11081","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=11081"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11081\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=11081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=11081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=11081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}