Lending Clarity to Security Risk Definitions - for ICANN Community and Beyond
Clever Malware Names: Feeding the Propensity to Ignore Systemic Issues

Is it spam? DHL package delivery phishing

DHLphishPackage delivery services to both business and home are common events in this age of online commerce. Services like UPS, DHL and Fedex deliver thousands of packages daily. To compete, these services use email to provide customers with package tracking and problem resolution. These correspondences are low hanging fruit for phishers.

Today's example is a recent attack against DHL that was crafted well enough to initially evade desktop and gateway antispam measures.  

The subject line, About your package with DHL, is intended to raise curiosity. 

The sender contains the string dhllogistics. Phishers know that users often read only what they expect or want to see and exploit familiar brands. In this case, the phisher also includes both this string and onmicrosoft to make the email address credible. 

The message draws victims into the phishing scam by claiming that an attempt to deliver a package failed. This is the lure: the composition of this message is similar to typical correspondence from delivery services: you want the package so you'll oblige DHL by reading the attachment.

The phisher further attempts to make the message credible by including a confidentiality caution: why would such a statement be present if the mail weren't legitimate!

A trojan PDF

The hook to this phish is the attachment, DHL.pdf, which the recipient opens if they click on "Here". 

In my phishing awareness training, I encourage our users to

  • Be suspicious of any attachment
  • Contact IT to report the suspicious email 
  • Upload the attachment to service like VirusTotal to see whether this file has been analyzed.

In this case, the file had indeed been analyzed and reported as a phish. You can copy-paste the image hyperlink below to read the full report.


To learn how a phish of this kind works, I often submit one of VirusTotal's Results  to a search engine (here, PDF_MALPHISH.BYX), or I'll visit the Antivirus vendor and search its threat encyclopedia. In this case, I find from Trend Micro that the attachment is a trojan. When a victim opens the attachment, he is directed to a fake Adobe site where he's asked to disclose login information  to "unlock" the secure PDF file. Again, you can copy-paste the image hyperlink below to read the full report.



Be suspicious. Don't click on embedded links or open attachments if you have the least suspicion about the message. Report suspicious email to your IT staff or to the Anti Phishing Working Group reporting page.

Lastly, take the opportunity that your suspicion creates to conduct a simple investigation of the kind I've illustrated here. Spam and phishing are constantly evolving to cause users to react without thinking or investigating. A few minutes invested over time will make you informed, aware, and more resilient to phishing or spam.



Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)