Researchers from Forcepoint’s X-Labs team recently found a phishing campaign designed to steal login credentials from users. In this campaign, what grabbed researchers’ attention was that the threat actors used the DHL brand name to trick users into revealing their passwords through an 11-step attack chain.
The Email Lure
The campaign begins with a spoofed email that appears to come from DHL Express, with the subject line “DHL EXPRESS WAYBILL CONFIRMATION REQUIRED,” asking the victim to confirm a waybill or shipment. According to researchers, there is an obvious giveaway: the display name reads DHL EXPRESS, but the sender domain is cupelva.com. Because the message is sent from a domain the attackers control, it can carry a valid DKIM signature for cupelva.com, so authentication checks that only verify the sending domain pass and the email slips past some security filters.
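The mismatch described above is easy to check mechanically once you separate two questions: did DKIM pass for the domain that sent the mail, and does that domain belong to the brand named in the display name? The following is an added example written for this article, not code from Forcepoint or from the phishing kit. The brand-to-domain table, the sender local part and the Authentication-Results header are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand keywords and the sender domains that brand legitimately mails from.
# The domain list is an assumption for this example, not a complete inventory.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
}

# Constructed sample modelled on the lure described above. The local part of
# the sender address and the Authentication-Results line are invented; the
# point is that DKIM passes for cupelva.com, the attacker's own domain.
LURE_MESSAGE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=cupelva.com
From: DHL EXPRESS <shipping@cupelva.com>
To: victim@example.net
Subject: DHL EXPRESS WAYBILL CONFIRMATION REQUIRED

Your waybill requires confirmation.
"""

# Constructed benign counterpart: brand name and sender domain agree.
GENUINE_MESSAGE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=dhl.com
From: DHL Express <noreply@dhl.com>
To: customer@example.net
Subject: Your shipment is on its way

Tracking details follow.
"""

DKIM_PASS_RE = re.compile(r"dkim=pass[^;]*?header\.d=([A-Za-z0-9.-]+)")


def _domain_matches(domain: str, allowed: set[str]) -> bool:
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender_brand(raw_message: str) -> dict:
    """Compare the brand named in the From display name with the sender domain.

    Returns the parsed pieces plus two verdicts: whether DKIM passed for the
    sending domain (which says nothing about the brand) and whether the
    display-name brand mismatches the domain that actually sent the mail.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()

    m = DKIM_PASS_RE.search(msg.get("Authentication-Results", ""))
    dkim_domain = m.group(1).lower() if m else None

    brand = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    mismatch = bool(brand) and not _domain_matches(sender_domain, BRAND_DOMAINS[brand])

    return {
        "display_name": display_name,
        "sender_domain": sender_domain,
        "brand": brand,
        "dkim_pass_domain": dkim_domain,
        # DKIM only proves the mail really came from dkim_domain; it is
        # aligned with the brand only if that domain belongs to the brand.
        "dkim_aligned_with_brand": bool(brand and dkim_domain)
        and _domain_matches(dkim_domain, BRAND_DOMAINS[brand]),
        "brand_mismatch": mismatch,
    }


if __name__ == "__main__":
    for name, raw in (("lure", LURE_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(name, check_sender_brand(raw))
```

The lure sample reports `dkim_pass_domain` of cupelva.com together with `brand_mismatch` set to True, which is exactly why a filter that stops at "DKIM passed" is not enough; the genuine sample passes both checks.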
Upon clicking the link, the victim is sent to a fake parcel OTP page at perfectgoc.com. The page shows a fake verification step with a six-digit number generated locally by JavaScript. Researchers noted that this is not a real security check: nothing is sent by SMS or email; the page simply asks the user to type back the number already displayed on their screen, which creates a false sense of trust. The page also adds a two-second delay to mimic real data processing.
“The campaign targets individuals rather than specific organizations and shows no geographic concentration. What makes it worth examining is the OTP mechanic: a trust-building layer with no real authentication behind it, engineered entirely to lower the victim’s guard before the actual theft begins,” Forcepoint researchers explained in the blog post, shared with Hackread.com.
Data Theft Methods
The scammers use URL-based identity injection to carry the victim’s email address from the lure email to the final login page, that is, the address travels inside the phishing link itself. As a result, the fake DHL login portal is already filled in with the user’s email, which makes it look more legitimate.
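A link that carries the victim’s identity is itself a detectable artefact: an email address has no business sitting in the URL of a parcel-tracking page. The example below is added for this article and is not Forcepoint’s or the kit’s code. It generalises beyond the case in the text by also checking the URL fragment and path, and by trying a base64 decode, since kits commonly encode the address or hide it in the fragment (which never reaches the server). The parameter names, paths and addresses in the sample URLs are constructed.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_ALPHABET_RE = re.compile(r"[A-Za-z0-9+/_=-]+")

# Constructed URLs modelled on the flow above: the first carries the address
# in a query parameter, the second base64-encoded in the fragment, the third
# carries no identity at all. Parameter names and paths are invented.
SAMPLE_URLS = [
    "https://perfectgoc.com/track?id=ABC123&email=victim%40example.net",
    "https://perfectgoc.com/verify#" + base64.b64encode(b"victim@example.net").decode(),
    "https://perfectgoc.com/track?id=ABC123",
]


def _decode_candidates(value: str):
    """Yield the value as-is, percent-decoded, and base64-decoded where plausible."""
    yield value
    decoded = unquote(value)
    if decoded != value:
        yield decoded
    # Accept the standard and URL-safe base64 alphabets and repair missing
    # padding; anything that is not valid base64 or not UTF-8 is skipped.
    stripped = decoded.strip()
    if len(stripped) >= 8 and B64_ALPHABET_RE.fullmatch(stripped):
        padded = stripped + "=" * (-len(stripped) % 4)
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                yield decoder(padded).decode("utf-8")
            except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
                continue


def find_injected_identities(url: str) -> list[dict]:
    """Return every email address carried in the query, fragment or path of url."""
    parts = urlsplit(url)
    fields = [("query:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        fields.append(("fragment", parts.fragment))
    fields.extend(("path", seg) for seg in parts.path.split("/") if seg)

    hits, seen = [], set()
    for where, value in fields:
        for candidate in _decode_candidates(value):
            for email in EMAIL_RE.findall(candidate):
                key = (where, email.lower())
                if key not in seen:
                    seen.add(key)
                    hits.append({"where": where, "email": email.lower()})
    return hits


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", find_injected_identities(u))
```

Run over mail-gateway URL rewrites or proxy logs, a non-empty result is a strong triage signal on its own; combined with a look-alike brand in the display name it is close to conclusive.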
This is the stage where the user’s password is stolen. The phishing kit also collects device telemetry, including the public IP address, device type, operating system and browser version, and resolves the user’s city and country with a geolocation lookup. All of this data is stored in the browser’s local storage before it is moved off the device.
Fake shipment notice, the fake OTP page, and the credential-stealing page (Source: Forcepoint)
Data Exfiltration
As per X-Labs’ research, a tool called EmailJS is used to move the stolen data. EmailJS is a legitimate email-sending service whose browser SDK lets the phishing kit send the captured data to the attackers as email straight from the victim’s browser, which spares the attackers from maintaining their own exfiltration infrastructure. Researchers also observed that the stolen data was sent to a specific mailbox, [email protected].
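Because the exfiltration path is a legitimate SaaS API called from the browser, the useful detection is not "block EmailJS" but "which pages in my traffic are posting to it, and what are they sending?" The example below is added for this article and is not Forcepoint’s or the kit’s code; it covers both the telemetry collection described earlier and the EmailJS hand-off. It assumes the SDK posts to api.emailjs.com with a JSON body containing template_params (taken from the public EmailJS REST API; confirm against the traffic you observe), an internal allowlist of origins that legitimately use the service, and a JSON-lines proxy log whose records and field names are constructed here.

```python
import json

# Host the EmailJS browser SDK submits to (assumption taken from the public
# EmailJS REST API; confirm against the SDK traffic you actually observe).
EMAILJS_HOST = "api.emailjs.com"

# Origins in your own estate that legitimately use EmailJS. An internal
# allowlist is assumed here; leave it empty to flag every use.
ALLOWED_ORIGINS = {"https://contact.corp.example"}

# Parameter names used only to classify what was exfiltrated. They are an
# assumption for the example, not the kit's actual field names.
CREDENTIAL_KEYS = {"email", "user", "username", "login", "password", "pass", "pwd"}
TELEMETRY_KEYS = {"ip", "public_ip", "device", "os", "browser", "user_agent", "city", "country"}


def _record(ts, client, method, host, path, origin, body):
    """Build one constructed proxy record; the body is stored as a JSON string."""
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": path, "origin": origin, "body": json.dumps(body) if body else ""}


# Constructed proxy records modelled on the flow above: one kit exfiltration,
# one legitimate contact form, one ordinary page load. None are real captures.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _record("2024-01-01T10:00:01Z", "10.0.0.5", "POST", EMAILJS_HOST, "/api/v1.0/email/send",
            "https://perfectgoc.com",
            {"service_id": "service_x", "template_id": "template_y", "user_id": "public_key_x",
             "template_params": {"email": "victim@example.net", "password": "hunter2",
                                 "ip": "203.0.113.7", "browser": "Chrome 120", "city": "Lisbon"}}),
    _record("2024-01-01T10:00:02Z", "10.0.0.6", "POST", EMAILJS_HOST, "/api/v1.0/email/send",
            "https://contact.corp.example",
            {"service_id": "service_a", "template_id": "template_b", "user_id": "public_key_a",
             "template_params": {"name": "Ann", "message": "Hello"}}),
    _record("2024-01-01T10:00:03Z", "10.0.0.7", "GET", "www.dhl.com", "/", "", None),
])


def flag_emailjs_exfil(log_text: str) -> list[dict]:
    """Flag browser-side EmailJS submissions from origins not on the allowlist.

    Each finding records who sent it, from which page origin, and which
    template_params look like credentials or device telemetry, so an analyst
    can see at a glance what left the victim's browser.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("host", "").lower() != EMAILJS_HOST:
            continue
        if rec.get("origin") in ALLOWED_ORIGINS:
            continue
        try:
            params = json.loads(rec.get("body") or "{}").get("template_params", {})
        except json.JSONDecodeError:
            params = {}
        keys = {k.lower() for k in params}
        findings.append({
            "ts": rec.get("ts"),
            "client": rec.get("client"),
            "origin": rec.get("origin"),
            "credential_fields": sorted(keys & CREDENTIAL_KEYS),
            "telemetry_fields": sorted(keys & TELEMETRY_KEYS),
            "other_fields": sorted(keys - CREDENTIAL_KEYS - TELEMETRY_KEYS),
        })
    return findings


if __name__ == "__main__":
    for f in flag_emailjs_exfil(SAMPLE_LOG):
        print(f)
```

Only the perfectgoc.com submission is flagged, and the finding spells out that a credential pair plus IP, browser and city left the browser; the allowlisted contact form and the DHL page load are ignored. Origin-based allowlisting is the key design choice: the API host is the same for attacker and legitimate user, so the page that initiated the request is what distinguishes them.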
When the attack is complete, the kit redirects the victim to the real DHL website so that they do not become suspicious; landing on the genuine site, they are likely to assume their login simply succeeded.
Researchers noted that this lightweight kit is effective because it relies on user trust rather than complex malware, and that protection involves blocking the weaponised URLs and watching for the specific attacker mailbox used in the campaign.
