Sponsored by..

Showing posts with label DHL. Show all posts
Showing posts with label DHL. Show all posts

Wednesday 23 September 2015

Phish: "SHIPMENT LABEL" / "DHL Courier Services [roger@community.mile.org]"

This DHL-themed spam is actually a phishing email:

From:    DHL Courier Services [roger@community.mile.org]
To:   
Date:    23 September 2015 at 11:15
Subject:    SHIPMENT LABEL
Signed by:    community.mile.org

Dear customer,

Your shipment arrived at the post office.Our courier was unable to deliver the shipment to your address.To receive the shipment,please visit the nearestDHL office and take your mailing label with you.

The mailing label is attached in this email.Please print and show at the nearest DHL office to receive the shipment.

Thank you for using DHL services.


Princess Court 11
Wapping Ln,London,
E1W2DA,United Kingdom
Toll Free:+442075532200
Office Hours:9:00am-7:00pm
Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report).


If the potential victim clicks "Click here" then they are directed to ow.ly/Sq9to and from there to a phishing page at br1-update.be/wg/lhd.php on 64.20.51.22 (Inetserver Inc, US) which belongs to a netblock 64.20.51.16/29 which also looks highly suspect.


The phishing page itself is a complex script which is Base 64 encoded, then hex encoded (Pastebin here) which is presumably phishing for email accounts. The spam itself appears to have been sent from a compromised webmail account at community.mile.org

For the moment, I would suggest that the entire 64.20.51.16/29 range is malicious and should be blocked.

Tuesday 7 October 2014

DHL-themed phish goes to a lot of effort and then spoils it with Comic Sans

This DHL-themed phish is trying to harvest email credentials, but instead of just spamming out a link, it spams out a PDF file with the link embedded in it.

Date:     6 October 2014 23:32
Subject:     Package has been sent.

Your shipment(s) listed below is scheduled for delivery on Thursday next week.

Scheduled Delivery Date: Thursday, 10/09/2014

Shipment 2

Shipper: ADIHASAN GROUP

Kindly please see attached file for shipment /delivery details and tracking procedure. You can also request a delivery change (e.g. reschedule or reroute) from the tracking detail.

Approximate Delivery Time: between 3:00 PM and 7:00 PM
DHL Service: DHL 2nd Day Air

We are pleased to provide you with delivery that fits your life.

© 2014 Parcel Service of the World. DHL, the DHL brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
All trademarks, trade names, or service marks that appear in connection with UPS's services are the property of their respective owners.
For more information on DHL's privacy practices, refer to the DHL Privacy Notice.
Please do not reply directly to this e-mail. DHL will not receive any reply message.
For questions or comments, visit Contact DHL.

This communication contains proprietary information and may be confidential.  If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
DHL My Choice Service Terms
Contact DHL

Look closely at the blurb at the bottom and it confuses DHL with UPS, but who reads that? Attached is a non-malicious PDF file DHL (1).pdf which contains a link to the phishing site.

So far, so professional. And a neat trick to use PDF files in this way as a lot of spam filters and anti-phishing tools won't spot it. The link in the PDF goes to 37.61.235.199/~zantest/doc1/dhlweb0002/webshipping_dhl_com_members_modulekey_displaycountrylist_id5482210003804452/DHL/index.htm where it has a rather less professional looking webpage that is phishing for general email addresses rather than DHL credentials.

With the grotty graphics and injudicious use of Comic Sans, it's hard to see how this would fool anyone into turning over their credentials.. but presumably they manage to harvest enough usernames and passwords to make it worthwhile.

Wednesday 10 September 2014

Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com] invoice spam has a malicious attachment

Geir Myklebust is a real employee for DHL in Norway, but neither he nor DHL are responsible for this spam run in any way (their systems have NOT been breached either). Instead, it contains a malicious attachment and it should simple be deleted.

From:     Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com]
Date:     10 September 2014 10:35
Subject:     FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid


Dear Sir.

The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.

Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm


Postboks 154 Leirdal
NO-1009 OSLO
NORWAY

Direct line:        + 47 90 95 58 26
Fax:                  + 47 64 00 71 87
Mobile:             + 47 90 78 52 44




Dear Sir.

The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.

Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust

Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events

Messeveien 14
2004 Lillestrøm


Postboks 154 Leirdal
NO-1009 OSLO
NORWAY

Direct line:       
+ 47 90 95 58 26
Fax:                  + 47 64 00 71 87
Mobile:             +
47 90 78 52 44

Attached is a ZIP file of various different names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54.

The Comodo CAMAS report  shows an attempted connection to voladora.com/Imagenes/qaws.cab  which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending, I will update the post if I find more information.

UPDATE: a second malicious binary is doing the round, this time with a detection rate of 2/53. The ThreatTrack report [pdf] and Anubis report shows the malware performing lookups for a variety of domain names [pastebin] which are not currently resolving, but might be worth blocking.

Tuesday 23 April 2013

DHL Spam / DHL-LABEL-ID-2456-8344-5362-5466.zip

This fake DHL spam has a malicious attachment.

Date:      Tue, 23 Apr 2013 12:21:40 +0800 [00:21:40 EDT]
From:      Ramon Brewer - DHL regional manager [reports@dhl.com]
Subject:      DHL DELIVERY REPORT NY73377
   
Web Version  |  Update preferences  |  Unsubscribe
       
DHL notification

Our company’s courier couldn’t make the delivery of parcel.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
DHL Global
                   

Edit your subscription | Unsubscribe

Attached is a ZIP file called DHL-LABEL-ID-2456-8344-5362-5466.zip which contains an executable DHL-LABEL-ID-2456-8344-5362-5466.exe. VirusTotal detections are patchy at 22/45.

Checksums are as follows:
MD585f908a5bd0ada2d72d138e038aecc7d
SHA1017e82b1074dd210c0c41c8129d81e577d3c121b
SHA256bb60e72387030c957226e173de173a97241dec0a46c1d4aa3194ecd0257d185b

Whatever this is, it seems to be hard to analyse with automated tools. Comodo CAMAS does report the following registry key being created, which may help to clean up any infections.

NameTypeSizeValue
LM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSchedREG_SZ96"C:\Documents and Settings\All Users\svchost.exe"

Tuesday 26 March 2013

DHL Spam / LABEL-ID-NY26032013-GFK73.zip

This DHL-themed spam contains a malicious attachment.

Date:      Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
From:      Bart Whitt - DHL regional manager [reports@dhl.com]
Subject:      DHL delivery report NY20032013-GFK73
   
Web Version  |  Update preferences  |  Unsubscribe
       

DHL notification

Our company’s courier couldn’t make the delivery of parcel.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
DHL Global
   
       
Edit your subscription | Unsubscribe

Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).

VirusTotal detections for this malware are low (7/46). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.

Update:  Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here.