Threat Insights
Rating Criteria
Among various malicious email types, brand impersonation in phishing attacks consistently ranks as the most prevalent. Notably, the logistics company DHL is positioned as one of the most targeted brands in this category. This article will introduce brand impersonation phishing attacks and analyze a DHL impersonation email intercepted by Cellopoint.
The image above shows the fraudulent DHL phishing email we will be examining in this article. This email notifies the recipient that the package reached the post office on January 1, 2024. However, because of inaccurate delivery details, the courier is unable to complete the delivery. To claim the parcel, the recipient is instructed to click on the provided hyperlink.
Upon analyzing both the email content and source code, the following anomalies can be identified in this email:
The sender's display name is "DHL-Express_Team," but the email address which is "bayer@chongolin.shop" does not match DHL's official email address.
Although the email passes DMARC and SPF checks, the sender domain differs from the official DHL domain, suggesting an attempt to make the email appear legitimate when it is not.
Further analyzing the sender's email domain "chongolin.shop" on who.is reveals a registration date of 2023/9/24, indicating a recent registration possibly for spam purposes.
Upon clicking the hyperlink it directs the recipient to this link "https://kecikekurisi.com/.well-known/pki-validation/control_ikb.html?login=ted.chen@cellopoint.com&vcnt=100&pcnt=3&page=_dhl&pmax=pmax" , then it will be redirected to this link "https://sunbrightasset.nl/_stalingrad_oxy/zure/b3b32a2d422265cd25c3323ed0157f81/_dhI/login.php?login&_x_tr_sl=auto&_x_tr_tl=null&_x_tr_hl=null&_x_tr_pto =wapp&pcnt=3&pmax=pmax」Both links do not originate from the official DHL domain but from an unknown domain.
The link before redirecting includes the recipient's email address "ted.chen@cellopoint.com" in its path, which is considered a highly suspicious pattern in phishing.
The redirected screen shown in the image above is a phishing website that looks like the genuine DHL homepage, but if you pay attention, you'll notice it's not from the official DHL website domain.
The recipient's email address is autofilled in the email address field on the login page. This is an attempt to prompt the recipient to enter their login password, intending to deceive and obtain their login information.
Cellopoint promptly intercepted and identified this email as malicious due to the detection of the following patterns:
This email was sent in bulk.
Cellopoint's Inbound Email Threat Protection, with the Anti-spam module, detects patterns in malicious emails, like this one, through a comprehensive analysis that combines IP detection, sender IP reputation, and other mechanisms. Cellopoint identified this email as phishing after scanning.
Cellopoint's Inbound Email Threat Protection, with the Anti-APT-URL module, can detect this email contains suspicious links from an unfamiliar sender. Therefore, it is detected as a high-risk email.
Cellopoint's Inbound Email Threat Protection, with the Anti-BEC module which includes brand impersonation detection mechanism, identified that the sender's display name in this email resembles DHL's. The email's pattern is considered malicious and in addition to that, this email contains a suspicious link from an unfamiliar sender, therefore this email is labeled as brand impersonation.
Tips to Protect Against Brand Impersonation Phishing Emails:
Enhance email security awareness through training, simulations, and robust management for organizations and individuals.
Implement a reputable email security provider, such as Cellopoint, for a real-time and reliable defense against malicious emails.
If you doubt the legitimacy of an email, confirm on the official website or contact the relevant local authorities or fraud hotline for verification.
Check DHL's fraud awareness page (https://www.dhl.com/tw-zh/home/footer/fraud-awareness.html) for official guidance on verifying the authenticity of emails claiming to be from DHL.