DHL Phishing Scams – How to Get Rid of Them
THREAT REMOVAL

DHL Phishing Scams – How to Get Rid of Them

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by DHL Phishing Scams and other threats.
Threats such as DHL Phishing Scams may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

See how to remove malware caused by DHL Phishing Scams, including related emails, messages and websites in this article. The article will also aid you to recognize DHL Phishing Scams and legitimate messages from the DHL brand. If you suspect your computer device is infected, scan your system with a security program.

DHL Phishing Scams are quite widespread across the World. From specially crafted websites that push such scams, to specific messages sent to targeted email addresses, the DHL brand has been used in phishing scams for nefarious reasons. Such reasons include the stealing of DHL credentials, personal information or pushing malware with a hidden agenda in most cases. More and more users fall victim to these scams as they are recurring and keep reappearing every few months. That is due to the fact that every new variant of a scam tends to mimic DHL closer than before, making it more believable with each new attempt. Ultimately, you will be asked to login or visit a URL address and do some action or pay for a shipment via another service. You should avoid any links other than the official DHL ones and you will see how you can differentiate between them and the ones used in phishing scams in this article.

Threat Summary

NameDHL Phishing Scams
TypePhishing, PUP, malware
Short DescriptionPhishing messages trying to trick you into clicking links to get redirected. Once redirected you will be asked to do an action, such as providing personal details, data about credential information or fill in a form. In some cases, clicking a link will download malware on your PC.
SymptomsYou receive an e-mail message that is allegedly from DHL. You will be urged to click on a link. You can then get malware on your computer or get redirected from link to a landing page mimicking the DHL website asking you to fill in information.
Distribution MethodPhishing Emails, Pop-up messages, Redirects
Detection Tool See If Your System Has Been Affected by DHL Phishing Scams

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss DHL Phishing Scams.

DHL Phishing Scams — Update December 2018

A new wave of DHL phishing scams have been detected that are are spoofed to appear as being sent by DHL. This is a very dangerous tactic as it uses the legitimate DHL address and according to the reports this is a global campaign targeting many users at once. The goal of the phishing email scam is to coerce as many victims as possible into clicking on the link in the body contents. This will download an infected document (in most cases a Microsoft Word file) that when opened will request the users to enable the built-in scripts. This will trigger a Trojan infection, the current attack campaign has been configured to deliver the Remcos RAT. Last year the

The latest version of Remcos is v1.7.3, and it is being sold for $58-$389, depending on the license period and the maximum number of masters and clients.
Remcos RAT v1.3.7 infections caused numerous infections around the world.

DHL Phishing Scams – Update October 2018

In October 2018 a new wave of DHL phishing scams emerged, possibly being done by another criminal collective. The collected samples associated with it shows that it is not a large-scale attempt. This gives security experts reasons to believe that this may be a test campaign or a small-sized targeted attack. A classic scenario is used by sending email messages that are designed to appear like a legitimate DHL message notification. The following elements are example of what the messages can include:

  • Misleading Names — The hackers behind the phishing campaign can all use similar sounding domain names to the real DHL site, signature or domain name. In some cases the sent messages can include the recipient’s real name, personal details and etc. harvested through information gathering techniques or bought on the hacker underground forums.
  • Graphics & Design — The criminals can hijack the graphics, layout and overall design from actual DHL messages. They can confuse the users into thinking that they have received a legitimate notification.
  • Required Interaction — Many of the collected samples require the recipients to perform some kind of interaction. This is usually the point where malicious behavior can be observed.

The exact contents of the DHL phishing message is a delivery notification. The body contents reads that the users has received a parcel and they need to download a receipt that is to be given to the courier. A view document is attached which will lead to malicious behavior. Depending on the individual hacker configuration there can be several different outcomes.

This can lead to the download of infected malware payloads. In the case of DHL notifications this is usually a document of any of the popular types: presentations, databases, spreadsheets or text files. Whenever they are opened a notification message will be shown asking the users to enable the built-in scripts. If this is done a virus infection will follow. In other cases the virus file can be directly attached and launched.

DHL Phishing Scams – Update August 2018

August, 2018 marks the start for the spread of yet another DHL Phishing scam. The scam consists of a message which is delivered to your e-mail.

You can see it in the below screenshot taken from our Support e-mail Inbox:

The email is around 39 KB in size and its contents are the following:

DHL

Dear [recipient’s name is included here]

Your DhI express shipment with waybiII number 813347995 from WKDA it on its way and will require a signature

We got an instruction from our client to contact you on the above subject. Below is your Shipping documents/Invoice and copy of DHL receipt for your tracking. Please confirm accordingly if your address is correct, before we submit to our outlet office for dispatch to your regional office.

View Your Shipping Documents/Invoice and Copy of DHL Receipt CLICK HERE:

Regards,

2018 © DHL International GmbH. All rights reserved.
DHL Corporate
Office. +1 (800) 321-8807 feel free
Visitingaddress: 180 Park Avenue,
Building 105
, PO Box 950, 07932 Florham Park, NJ

UHS of Delaware, Inc. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this information is prohibited, and may be punishable by law. If this was sent to you in error, please notify the sender by reply e-mail and destroy all copies of the original message.

© 2018 DHL Express | Customer Service |

As you can see, the scam involves a link labeled “CLICK HERE” as well as a telephone number, which if you dial will probably have a cybercriminal on the other line. Not to mention that if you click the telephone number another number might be dialed.

Do not follow any instructions given in such a message. Make sure you are dealing with an official message from DHL and not a phishing scam.

DHL Phishing Scams – Update April 2018

In late March and the beginning of April 2018, another DHL phishing scam emerged. The scam tries to trick users that if they want to track their package, they need to enter their email address and password. This is how the phishing page looks:

As you can clearly see, the design looks really close to that of the original DHL website but it differs. The DHL brand and logo are clearly cropped with some software and pasted on the page. The landing page feels cheap, but if somebody doesn’t look into these details and is expecting a package, might fall for the scam.

DHL Phishing Scams – Distribution Ways

DHL Phishing Scams might distribute via a third-party installation setup. Applications connected to DHL Phishing Scams can intrude your computer, without your knowledge of that. Installer setups like those could be set by default to install additional components. Bundled packages and freeware setups regarded as PUPs could be distributed and push scam messages to your PC and browsers. To avoid installing unwanted applications, you can to search for the Custom or Advanced settings. If you find such, you could probably deselect anything you do not want on your machine.

Note! These types of DHL Phishing Scams were seen to be pushed via e-mail address messages on a large scale as seen on the below screenshot. Beware of any messages that have links to DHL services that you don’t remember using.

DHL Phishing Scams might distribute itself by using similar websites which are hosting phishing landing pages. Websites like those use the DHL brand without permission and to an extent you might not differentiate the original with the fake website. Clicking on just one redirect link or an advertisement could send malware to your computer system. In addition, banners, pop-ups as well as more kinds of adverts could be placed on top of browser pages to push more links and phishing messages. Any browser could be affected and any operating system for that matter.

DHL Phishing Scams – In-Depth Overview

Many scams related to DHL are circling the Internet nowadays and seem to increase every month. This article will reveal the vast majority of scam types which suggest that you have to use the DHL Service in some way or form to receive some shipment or reward via DHL. The scam is not exactly new as versions of it can be observed from years ago. Although, every year the scam gets more and more sophisticated and has built a higher popularity amongst users. People that fall victim to such scams is surprisingly growing instead of decreasing.

Websites that are hosting such DHL Phishing Scams can load pop-ups and other advertising content as you are browsing to help popularize it. Heaps of advertisements might show, promoting a way to obtain a shipment or something else via the DHL brand.

DHL Phishing Scams – Ursnif Malware Delivery

A separate attack campaign has been detected in early December 2018 whch uses the DHL phishing scam as the conduit to spread the

Remove the Ursnif Trojan (Purolator phishing scam) completely. Follow the Ursnif Trojan (Purolator phishing) removal instructions provided at the bottom.
Ursnif Trojan. According to the released information the intrusions are being done in targeted waves, the reported infections seem to be focused against Italian users. An example subject line is the following ““VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA”. The email messages display the typical DHL phishing scams as stated above, some of them may be personalized in order to fool the recipients into interacting with them. The dangerous payload is attached directly to an archive file. When it is opened it will reveal a .js (JavaScript) file. When launched it will initialize the infection script.

When this is done the infection script download a dropper which will first generate a lot of Internet traffic that may seem random. This is done in order to make detection more difficult.

In the end the dropper will download and extract an extract a second-stage file. It will establish a connection with a hacker-controlled server which uses signatures that are identical with Ursnif malware samples. Further information about the Ursnif malware samples detected in the DHL phishing scams reveals that the third-stage of the malware also installs itself as a persistent threat. This means that it will manipulate the Windows Registry making it very hard to remove.

This infection allows the hackers not only to spy on the users, but also execute commands, hijack their data and take over control of their machines at any given time.

”DHL Parcel Arrival Notification” Scam

This scam is a recurring one, which means that it keeps showing up, year after year, months after months. The scam shows you a notification of a “DHL Parcel Arrival”.

You can preview a variant of the DHL Parcel Arrival scam message below:

From the above image, you can see an e-mail message with stating that you have a DHL Parcel awaiting delivery. That message can also be sent via SMS to targeted phone numbers, containing nearly the same message. Here is what such a message contains:

From: DHL Express

Date: Sat 20/05/2017 14:37

Subject: Attention: You have 1 New Parcel for delivery

Attention:

You have 1 New Parcel for delivery. Our courier was unable to deliver the parcel to you due to incorrect delivery details.

To receive your parcel, Please see and check attached shipping documents.

CLICK HERE TO VIEW STATUS

With kind regards, DHL Express

……………………………………………………………………………..

CONFIDENTIALITY CAUTION: This message is intended only for the use of the individual or entity to whom it is addressed and may be confidential in nature. If you are not the intended recipient, please notify us immediately by return e-mail and please do delete this message. You should not disseminate, distribute, copy or disclose any information contained herein to any third party. **Please consider the environment before printing this email**

Somewhere inside the message there will be a link. That link may look like the official URL address of the DHL service but do not get fooled. The link will redirect you to a phishing page that may look very similar to a legitimate DHL-hosted page, but has a suspicious URL that is not located on the DHL official domain. In this case, the link ““http://parkietserwis.pl/lib/ckeditor/plugins/allmedias/meant/views.php”” will land you on a page with a long address, such as “http://wensli.com/ckfinder/userfiles/home/set/s1xc2ivesfegjjb9o2byvpg7.php?rand=13InboxLightaspxn.1774256418&fid&1252899642&fid.1&fav.1”, as seen below:

Afterward, you will be prompted to enter your email address and password to the DHL service. In case you are wondering why, it is due to the fact that the cybercriminals want to steal your DHL account and related online identity. If you proceed and enter both of these details, you will be redirected with a message that you have entered an “invalid password”, tempting you to enter your details “correctly” and carefully. If you go the rounds one more time, you will get the following page to display:

Here is where you should get suspicious. Why would the company need your address sent again, if you indeed ordered something? In case you did not get suspicious and went on and filled the details on that page as well, you will finally get redirected to the official page of the DHL website. You should be wary of any such websites and if you doubt the contents of a message that is supposedly from DHL you should ask your family household if anybody ordered something via the service or login by entering the official URL into the address bar.

”DHL Shipment Notification” Phishing Scams

The DHL Phishing Scams have many variations, but what you will see the most are the following messages, displayed in the below screenshots:


”DHL Shipment Notification” Phishing Scams will generate an email message with content of something in the lines of the following:

From: DHL Customer Support

Date: Thu 30/03/2017 14:58

Subject: DHL Shipment Notification : 1860915879

Attachment: _Dhl_expr._DATE201703.zip

Body content:

Notification for shipment event group “Delivered ” for Thu, 30 Mar 2017 14:57:31 +0100.
AWB Number: 1860915879 Pickup Date: Thu, 30 Mar 2017 14:57:31 +0100 Service: N Pieces: 2 Cust. Ref: G Description: DOMESTIC EXPRESS
Ship From: Ship To:
NBL S. A. NA * – 49796 NA

EVENT CATEGORY Thu, 30 Mar 2017 14:57:31 +0100 – Shipment delivered – Signed By – M C

Shipment status may also be obtained from our Internet site in USA under http://track.dhl-usa.com or Globally under http://www.dhl.com/track

Please do not reply to this email. This is an automated application used only for sending proactive notifications

You are receiving this email because a notification is configured to receive notifications from Proview.

The left of the above screenshots shown above, depicts one of the scams involved with the spoofing of the DHL brand, stating that some documents are ready for download and that a package you ordered is on its way. Inside that note, a link will be provided. That link might redirect you to an address that downloads a malware payload on your computer. Another example would be an attachment that goes along with the email that contains a file (usually an executable or JavaScript file disguised as a document). Such an attachment will also in most cases download a malicious payload aiming to infect your computer system.

However, most of the time these messages aim to do the same procedure as the one previously described on the “Parcel” type of scam. That procedure involves redirecting you to a phishing landing Web page and stealing your information (including personal data and credential details). After you input the details on any similar page, you will get your DHL account hijacked, or even worse – your identity stolen and used for other online purchases.

Another DHL Phishing Scam that has been seen in July 2018 is the following email:

Dear customer,

Your Shipment has just arrived at our Regional Office and ready for delivery today, but we were unable to confirm your delivery address.

Please Download and print the attached receipt to duly complete the Identity check required for verification of your delivery address and forward to nearest DHL office.

Your shipment will be on hold Until the security check is completed.
Please endeavor to be as accurate as possible to reduce time of clearance and recipient confirmation.
NOTE: IF YOUR PACKAGE IS NOT DELIVERED OR PICKED UP WITHIN 48 HOURS, IT
WILL BE RETURNED TO THE SENDER. CONTACT US FOR FURTHER ASSISTANCE

Thank you for using our services.
Best regards,
Ellen Liu.
DHL Express Services

(c) 201-2019 DHL International

1 attachments (total 53.9 KB)
[1]

CONFIDENTIALITY NOTICE: This message is from DHL and may contain
confidential business information. It is intended solely for the use of
the individual to whom it is addressed. If you are not the intended
recipient please contact the sender and delete this message and any
attachment from your system. Unauthorized publication, use,
dissemination, forwarding, printing or copying of this E-Mail and its
attachments is strictly prohibited.

A user with a nickname Al Crosby reported it in the comment section of this article.

All of the scams described above, plus others which are similar to them might be advertised or promoted in some shape or form. Do not believe in messages that look suspicious and when you do not recollect if you indeed ordered something described inside the messages. Beware of such scams as they try to look like DHL more convincingly by using similar or the same design as the DHL site network.

Below you will see how to differentiate the usage of the DHL brand from scams and the real thing. You will also find good tips on what to do or not do, so you can avoid getting scammed. At the end of the day, you should also scan your computer in case a malware is causing such messages to show up on your computer screen.

DHL Phishing Scams – How to Avoid Them?

In this section, you will find out how to differentiate between DHL Phishing Scams and messages from the official DHL brand, following a simple set of rules and guidelines. So, if you are reading this article, you should now know that there is a multitude of scams involving a DHL shipment or parcel notifications. Below you will see what you should research.

Refer to the following link that is of the official page for DHL Fraud Awareness and Prevention.

As you now know about the existence of the scams and the official page of DHL Fraud Awareness, refer to the following guidelines on how to avoid most scams related to the shipping brand:

  • Never pay before your goods get delivered
  • Do not provide any details about you, your addresses or similar information via email or unknown Websites
  • Do not open email attachments, as DHL does not send such, neither it requests users to open such
  • Always use DHL.com to refer to pages in connection with the service
  • Avoid messages with grammatical or typographical errors
  • Avoid emails that are not addressed to you by name
  • Avoid messages sent by a service you don’t expect to hear from
  • Avoid messages that do not include a tracking number or specific details about your order or address
  • Avoid clicking on links to provide your email address for verification
  • Avoid payments to someone whose identity you can’t confirm

The guideline rules listed above were constructed by the SensorsTechForum team, via a research done on the matter. These rules are based on common sense and depending on the various scams related to DHL.

Some of these scams related to DHL can be removed by closing the message or browser. In case the scam pages continue to bother you even after that, then you probably have something else on your computer generating them.

How to Get Rid of DHL Phishing Scams Completely

All that is required to remove some DHL Phishing Scams is to ignore the message, never respond to it and delete it. Other scams require a bit of action, such as thoroughly scanning your computer machine with security software to determine whether you have some malware component that is pushing DHL spoofed messages to your computer, browser or email address.

We highly recommend that all computer users scan their system for active infections and malware using a security program. That could prevent many malicious actions and stop malware of distributing further.

Download

Malware Removal Tool


Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

3 Comments

  1. Al Crosby

    Another example

    Dear customer,

    Your Shipment has just arrived at our Regional Office and ready for delivery today, but we were unable to confirm your delivery address.

    Please Download and print the attached receipt to duly complete the Identity check required for verification of your delivery address and forward to nearest DHL office.

    Your shipment will be on hold Until the security check is completed.
    Please endeavor to be as accurate as possible to reduce time of clearance and recipient confirmation.
    NOTE: IF YOUR PACKAGE IS NOT DELIVERED OR PICKED UP WITHIN 48 HOURS, IT
    WILL BE RETURNED TO THE SENDER. CONTACT US FOR FURTHER ASSISTANCE

    Thank you for using our services.
    Best regards,
    Ellen Liu.
    DHL Express Services

    (c) 201-2019 DHL International

    1 attachments (total 53.9 KB)
    [1]

    CONFIDENTIALITY NOTICE: This message is from DHL and may contain
    confidential business information. It is intended solely for the use of
    the individual to whom it is addressed. If you are not the intended
    recipient please contact the sender and delete this message and any
    attachment from your system. Unauthorized publication, use,
    dissemination, forwarding, printing or copying of this E-Mail and its
    attachments is strictly prohibited.

    Reply
  2. vanessa

    i’ve just been a victim of this.. and i think this malware is still doing its rounds as of this writing.. 🙁

    Reply
    1. Milena Dimitrova

      Hi Vanessa,

      Can you provide more details on how the infection happened?

      Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...