
Phishing Campaign Spoofed DHL Delivery Service

Fraudsters Attempted to Steal Credit Card Data
Example of a malicious domain designed to look like a DHL landing page (Source: FireEye)

The security firm FireEye reports that a recently uncovered phishing campaign spoofed DHL's delivery service as a way to collect personal information, including credit card data, from victims.


The fraudsters used encrypted Telegram channels to transfer stolen data, according to FireEye's report. They also appeared to be using the Web Open Font Format - WOFF - as a substitution cipher, which helped them avoid detection by security tools. WOFF is an open format that is normally used for delivering web page fonts on the fly.

The campaign, which mainly targeted victims in the Americas and Europe, started around the December 2020 holiday season when delivery services were in greater demand.

"While phishing attacks targeting users of shipping services is not new, the techniques used in these examples are more complex than what would be found in an off-the-shelf phishing kit," according to the FireEye report.

Spoofing DHL

The campaign started with a phishing email imitating DHL. The message noted that a package delivery was ready and encouraged the recipient to click on a link, which took the victim to a fake DHL domain, the report notes. The spoofed domain then asked for information, such as credit card details. If the victim entered that information, the fraudsters harvested the data.

The DHL phishing campaign used a rare technique for obfuscating its source page, according to the report.

"The page source contains proper strings, valid tags and appropriate formatting, but contains encoded text that would render gibberish without decoding prior to loading the page," the researchers note. "Typically, decoding such text is done by including script functions within the code. Yet in this case, the decoding functions are not contained in the script."

This decoding, which is done through the WOFF font file, occurs upon loading the page in a browser and is not visible in the page content. The researchers found that the hackers used this technique to evade detection by security vendors.

"Many security vendors use static or regex signature-based rules, so this method will break those naïve-based conditions," the researchers note. "Loading this custom font which decodes the text is done inside the Cascading Style Sheets. This technique is rare as JavaScript functions are traditionally used to encrypt and decrypt HTML text."
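The evasion described above works because the raw HTML holds cipher text and only the browser, after applying the custom font, shows readable words. The following Python is an added example and not FireEye's tooling or code from the campaign: it flags a page that loads a WOFF through @font-face while its visible text fails a simple readability heuristic (share of words containing a vowel); the sample pages are constructed.

```python
"""Heuristic check for font-based text obfuscation in a landing page."""
import re
from html.parser import HTMLParser

# Constructed sample: visible strings are scrambled; a custom WOFF applied
# via CSS would remap the glyphs so the browser renders readable text.
SAMPLE_PAGE = """<html><head><style>
@font-face { font-family: 'dhlx'; src: url('/fonts/a.woff') format('woff'); }
body { font-family: 'dhlx'; }
</style></head><body>
<h1>Xsqz Bcvpmgz Tlwqsfk</h1>
<p>Qnzx vb jwtk hc tmbz qlvf zjrx.</p>
<form><input name="cc"></form></body></html>"""

# Constructed benign page: same kind of web font, but the text is plain.
CLEAN_PAGE = """<html><head><style>
@font-face { font-family: 'brand'; src: url('/fonts/b.woff') format('woff'); }
</style></head><body><h1>Delivery notice</h1>
<p>Your parcel is waiting. Confirm your card details to schedule delivery.</p>
</body></html>"""

FONT_FACE_RE = re.compile(r"@font-face\s*\{[^}]*src\s*:\s*url\(([^)]+)\)", re.I | re.S)
WOFF_RE = re.compile(r"\.woff2?|font/woff|application/font-woff", re.I)


class _Collector(HTMLParser):
    """Collects visible text and inline <style> contents from the page."""
    def __init__(self):
        super().__init__()
        self.text, self.css, self._in = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._in = tag
    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None
    def handle_data(self, data):
        if self._in == "style":
            self.css.append(data)
        elif self._in is None:
            self.text.append(data)


def vowel_word_ratio(text):
    """Fraction of words holding a vowel; near 1.0 for natural language."""
    words = re.findall(r"[A-Za-z]{2,}", text)
    if not words:
        return 1.0
    return sum(1 for w in words if re.search(r"[aeiouy]", w, re.I)) / len(words)


def analyse(html):
    """Flag pages that combine a custom WOFF font with unreadable source text."""
    c = _Collector()
    c.feed(html)
    fonts = FONT_FACE_RE.findall("\n".join(c.css))
    custom_woff = any(WOFF_RE.search(u) for u in fonts)
    ratio = vowel_word_ratio(" ".join(c.text))
    return {"custom_woff_font": custom_woff, "vowel_word_ratio": round(ratio, 2),
            "suspicious": custom_woff and ratio < 0.7}
```

The 0.7 threshold is a starting point; legitimate pages with heavy use of acronyms will need a higher tolerance or an allow-list of known font hosts.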

The fraudsters also used encrypted Telegram channels to transfer the stolen data from the phishing domain to command-and-control servers. The researchers were able to access one of these channels and observe the flow of data moving between the domain and the fraudsters collecting it.

In September 2020, Malwarebytes reported that some fraudsters were also using Telegram as an easy way to steal payment card data from e-commerce sites (see: Fraudsters Use Telegram App to Steal Payment Card Data).

Sign of Worse Things to Come?

"My usual concern about attacks that involve new [detection evasion] techniques is that they are often a test of worse things to come, even if the vendor market changes how it identifies these attacks to block them," says Sarb Sembhi, CTO and CISO at U.K. consultancy Virtually Informed Limited. "The concern is that, if there are several million people who are prepared to run any range of outdated operating systems, the chances of them having spent any money on a product that may block this type of product is going to be much lower."

Recently, the security firm Proofpoint found several phishing campaigns - including some spoofing DHL - using lures about COVID-19 vaccines as a way to entice victims to open up messages and click on malicious links (see: COVID-19 Vaccine Themes Persist in Fraud Schemes).


About the Author

Prajeet Nair

Principal Correspondent

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.