
New DHL Phishing Scam Uses 11-Step Attack Chain to Steal Passwords


Researchers from Forcepoint’s X-Labs team recently found a phishing campaign designed to steal users’ login credentials. What caught the researchers’ attention was that the threat actors used the DHL brand name to trick users into revealing their passwords through an 11-step attack chain.

The Email Lure

The campaign begins with a spoofed email that appears to come from DHL Express, with the subject line “DHL EXPRESS WAYBILL CONFIRMATION REQUIRED,” asking the victim to confirm a waybill or shipment. According to the researchers, the giveaway is that the display name is DHL EXPRESS while the sender domain is cupelva.com. The email passed DKIM authentication for the attacker’s domain, which helps it bypass some security filters.
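The mismatch described above can be checked mechanically at the mail gateway. The following is an added example, not code from the article or from Forcepoint: it flags a message whose display name claims a brand while the From domain, or the domain a passing DKIM signature belongs to, is not one of that brand's domains. The `BRAND_DOMAINS` allowlist, the function names and every sample header value other than the display name, subject and sender domain are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: defender-maintained map of brand keyword -> domains it really sends from.
BRAND_DOMAINS = {"dhl": {"dhl.com"}}

# Constructed sample modelled on the lure; the recipient, local part and
# Authentication-Results line are invented for illustration.
SAMPLE = """\
From: DHL EXPRESS <notify@cupelva.com>
To: user@example.org
Subject: DHL EXPRESS WAYBILL CONFIRMATION REQUIRED
Authentication-Results: mx.example.org; dkim=pass header.d=cupelva.com; spf=pass smtp.mailfrom=cupelva.com

Please confirm your waybill.
"""

def _in_domains(domain, allowed):
    # Exact match or a subdomain of an allowed domain.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def brand_spoof_findings(raw):
    """Return reasons the message impersonates a brand; empty list if none."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if not re.search(rf"\b{re.escape(brand)}\b", display, re.I):
            continue  # display name does not claim this brand
        if not _in_domains(from_domain, allowed):
            findings.append(f"display name claims {brand} but sender domain is {from_domain}")
        # A DKIM pass only vouches for the signing domain (header.d), not the brand.
        # Only trust Authentication-Results headers written by your own MTA.
        for ar in msg.get_all("Authentication-Results", []):
            for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar, re.I):
                signer = m.group(1).lower()
                if not _in_domains(signer, allowed):
                    findings.append(f"dkim=pass is for {signer}, not a {brand} domain")
    return findings

if __name__ == "__main__":
    for finding in brand_spoof_findings(SAMPLE):
        print(finding)
```

A filter that treats `dkim=pass` as a trust signal without comparing the signing domain to the claimed brand will score this message as authenticated.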

Upon clicking the link, the victim is sent to a fake parcel OTP page at perfectgoc.com. This page shows a fake verification step ...


Copyright of this story solely belongs to hackread.com.