Package delivery services to both business and home are common events in this age of online commerce. Services like UPS, DHL and Fedex deliver thousands of packages daily. To compete, these services use email to provide customers with package tracking and problem resolution. These correspondences are low hanging fruit for phishers.
Today's example is a recent attack against DHL that was crafted well enough to initially evade desktop and gateway antispam measures.
The subject line, About your package with DHL, is intended to raise curiosity.
The sender contains the string dhllogistics. Phishers know that users often read only what they expect or want to see and exploit familiar brands. In this case, the phisher also includes both this string and onmicrosoft to make the email address credible.
The message draws victims into the phishing scam by claiming that an attempt to deliver a package failed. This is the lure: the composition of this message is similar to typical correspondence from delivery services: you want the package so you'll oblige DHL by reading the attachment.
The phisher further attempts to make the message credible by including a confidentiality caution: why would such a statement be present if the mail weren't legitimate!
A trojan PDF
The hook to this phish is the attachment, DHL.pdf, which the recipient opens if they click on "Here".
In my phishing awareness training, I encourage our users to
- Be suspicious of any attachment
- Contact IT to report the suspicious email
- Upload the attachment to service like VirusTotal to see whether this file has been analyzed.
In this case, the file had indeed been analyzed and reported as a phish. You can copy-paste the image hyperlink below to read the full report.
To learn how a phish of this kind works, I often submit one of VirusTotal's Results to a search engine (here, PDF_MALPHISH.BYX), or I'll visit the Antivirus vendor and search its threat encyclopedia. In this case, I find from Trend Micro that the attachment is a trojan. When a victim opens the attachment, he is directed to a fake Adobe site where he's asked to disclose login information to "unlock" the secure PDF file. Again, you can copy-paste the image hyperlink below to read the full report.
Be suspicious. Don't click on embedded links or open attachments if you have the least suspicion about the message. Report suspicious email to your IT staff or to the Anti Phishing Working Group reporting page.
Lastly, take the opportunity that your suspicion creates to conduct a simple investigation of the kind I've illustrated here. Spam and phishing are constantly evolving to cause users to react without thinking or investigating. A few minutes invested over time will make you informed, aware, and more resilient to phishing or spam.