Sponsored by..

Wednesday 23 September 2015

Phish: "SHIPMENT LABEL" / "DHL Courier Services [roger@community.mile.org]"

This DHL-themed spam is actually a phishing email:

From:    DHL Courier Services [roger@community.mile.org]
To:   
Date:    23 September 2015 at 11:15
Subject:    SHIPMENT LABEL
Signed by:    community.mile.org

Dear customer,

Your shipment arrived at the post office.Our courier was unable to deliver the shipment to your address.To receive the shipment,please visit the nearestDHL office and take your mailing label with you.

The mailing label is attached in this email.Please print and show at the nearest DHL office to receive the shipment.

Thank you for using DHL services.


Princess Court 11
Wapping Ln,London,
E1W2DA,United Kingdom
Toll Free:+442075532200
Office Hours:9:00am-7:00pm
Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report).


If the potential victim clicks "Click here" then they are directed to ow.ly/Sq9to and from there to a phishing page at br1-update.be/wg/lhd.php on 64.20.51.22 (Inetserver Inc, US) which belongs to a netblock 64.20.51.16/29 which also looks highly suspect.


The phishing page itself is a complex script which is Base 64 encoded, then hex encoded (Pastebin here) which is presumably phishing for email accounts. The spam itself appears to have been sent from a compromised webmail account at community.mile.org

For the moment, I would suggest that the entire 64.20.51.16/29 range is malicious and should be blocked.

No comments: