Spoofed DHL Shipment Email Express Delivers Password Stealer

In a return to a classic scam, small and medium-sized businesses are being targeted with a new wave of spam emails disguised as DHL shipment notifications that actually deliver password-stealing malware.

Key Details

What's happening: Researchers have spotted a new wave of spam emails masquerading as shipment notifications from DHL.
What the emails look like: The emails appear to come from the DHL.com domain — "DHL Logistics <no-reply@dhl.com>" — and have subject lines referencing a "DHL Shipment Notification : [random number]."
Password-stealing malware hidden in email attachment: Attached to the emails is a .rar file titled "SHIPPING DOCUMENTS." Once opened, the .rar file extracts two password stealers that attempt to scrape login credentials from a variety of browser, social media, and email clients.
Warn your users (and give them a safety net): The .rar extension should hopefully be a red flag for users, but having strong endpoint protection like Barkly in place will cover you even if their curiosity gets the best of them.
empty
empty
empty
empty

Don't let user mistakes keep you up at night. Protect your company from the latest attacks with Barkly.

Find out how

Another day, another spam campaign. This time, researchers have spotted a large new wave of spam emails targeting mostly small and medium-sized businesses with messages masquerading as notifications from the shipping company DHL.

Shipment notification scams are nothing new, but their regular appearance hints at an unfortunate truth — they work. For many users, emails from companies like DHL, FedEx, and UPS are nothing too out-of-the-ordinary, and when attackers disguise the emails properly with the proper logos and messaging (as is the case in this campaign), these attacks can be frustratingly effective.

What the emails look like

Let's take a closer look at an example email from this latest campaign so you can show your users what to look out for:

Source: My Online Security

As you can see, the email appears to be sent from what could conceivably be a valid DHL email address: DHL Logistics <no-reply@dhl.com>.

The subject line is "DHL Shipment Notification," followed by a random number posing as an order number.

The email directs the recipient to open an attachment labeled "SHIPPING DOCUMENTS," which is actually a .rar file. The attackers behind the campaign likely chose the .rar format since it allows them to hide and compress malicious files inside it, reducing the odds of detection.

Password Stealer Payloads

Once opened, the .rar attachment extracts two executables that are disguised with video file icons. When either are executed, the malicious file contacts ‘hxxp://kwe-za.com/obinna/obaino/php/index.php?action=add&username=&password=&app=&pcname=PC&sitename=’ and begins conducting password stealing activities, with the aim of scraping login credentials from IE browser history, social media accounts including Facebook, and email clients including Gmail and Yahoo.

The stolen credentials can then either be sold or used to gain a stronger foothold on the infected system and its network.

Barkly blocks these payloads before any damage is done

As long as campaigns like this are making the rounds, training users to recognize and avoid falling for spam emails and phishing attempts is an ongoing priority.

Even the best security awareness initiatives take time, however, and, in the meantime, as employees are getting up to speed, all it takes is one click for disaster to hit. That's why it's equally important to protect users and their devices with stronger, smarter endpoing protection designed to block even the newest malware antivirus solutions routinely miss.

Find out how Barkly can protect your organization and why you need endpoint security that goes beyond AV.