DHL Phishing Campaign with Global reach
I've just received a new DHL Phishing Email. Nothing new, delivery phishing emails are some of the most common.
A bunch of typical indicators in this phish. Firstly The DHL Logo is different from the real logo. It also claims to be from DHL via the email address email@example.com (not sure why they didn't masquerade as a DHL domain) when in reality it comes from an email address firstname.lastname@example.org. Looking at the link, it takes me to a suspect .icu domain. With the request tagging some information along with my email address.
I received a similar email with again another .icu domain, this time http://trk-xymdeftzqh.icu, so they obviously have a bunch at their disposal.
When Executing the link, things start getting interesting. Firstly it takes me to a non-secure site called billing-confirmation.info. It looks to be a fake inventory shipping software site to entice the victim to try/buy the product.
Accessing the page a second time, it tagged me as originating from a different country and indeed gave me the Spanish version but of a different product, but you can see the format of the site is the same:
This is a common method used by attackers and indeed by my team on security engagements as well. We utilise Embraco for some our Phishing engagements and its CMS capabilities which is designed to do exactly this, provide multiple different sites and 'products' depending on the visitor. I made a slight change in the web request to be different from my address it was sent to and instead used email@example.com:
It looks like the attacker has tagged different email addresses to different phishing and product based websites. Changing the email address sent me to orderhive.com
Now lets look at the app.any.run sandbox results.
First up, we can see that by clicking on the link, it makes 21 HTTP requests, 82 Connections and 62 DNS Requests.
Reviewing the chrome request, we can see that the goal of the attacker was not to grab credentials, but indeed to compromise the victims machine. Next we can see all the details of the web request below, it tags you to the particular campaign in their CMS and your other details. Then what it does is modify files in your chrome extensions folder and makes a bunch of registry changes.
Testing it with the less secure internet browser, we can see below, it takes us to yet another different web page on the same domain!
Clicking the Check-Now or waiting for a period, we can see that it actually launches a drive-by-download attack to leverage a Flash based attack/exploit to compromise the victim!
By default, chrome and Edge will block Flash which does make it more secure than Internet Explorer. Researching via google, it looks like a bunch of other people have seen these attacks too and have tested this in their sandboxes:
Lessons to learn from this attack:
* You should never ever follow links in parcel delivery emails, if you are expecting a parcel, always go direct to the website.
* Leverage Chrome or Edge for web browsing, not IE, as these are more secure.
* Attackers do run multiple Phishing campaigns against users via the same web servers and domain
* Always check for the standard Phishing email indicators
* If in doubt throw it out.
Until next time stay Hack Proof! and vigilant for these types of emails.