Postal services and packet delivery phishing emails are perhaps the most common schemes among phishing attacks. Attackers are typically utilizing big names, like DHL and UPS in these attacks, but it is not uncommon that they exploit national postal services for crafting phishing messages.
How do postal service and package delivery attacks work?
Imagine that you’ve ordered something online and it will be delivered to you by DHL. You receive an email from DHL with package tracking information, and since you are so anxiously waiting for your cool new thing, you click the link without thinking twice. The landing page looks exactly like the real DHL page and it requests either your login credentials or credit card information. It might also persuade you to download something — like a package tracking document.
Once you’ve entered your credentials or downloaded the document, you’ll see that a package with a random ID is in delivery status. You won’t even question it as this has to be the package you are waiting for.
Yay! The package is in delivery and will soon be here! Can’t wait!
Let’s take a closer look:
The email was not really sent from DHL, but from an email like [email protected].
At first, this may not raise any alarms since it sounds and looks legit. However, when searching a WHOIS* record for this domain DHL-delivery-emails.com, it will reveal that it is not really owned by Deutsche Post.
(*WHOIS is a query and response protocol for domain information. There are plenty of free and easy search tools online to check this information.)
The emails were not sent from DHL. You may wonder what about the landing page? Well, it was not a real one either. Looking at the URL field in the browser shows the following: https://dhl24672.000webhostapp.com
DHL is mentioned in this URL, but the actual domain is the last one: 000webhostapp.com. Let’s make a quick Google search for this domain:
Free website hosting! This does not sound like something a big company like DHL would use.
What just happened?
After seeing the package tracking information, you happily closed the document and the landing page and continue waiting for your order. You may not necessarily notice it for some days, but you just lost the first round to attackers. Whether it was your email credentials, credit card information, or malware you just downloaded – the name of the next round is exploiting. If you were not awake and careful in the first round, you will definitely get first row seats for the second one.
Additional material from real phishing attacks
Cybercriminals are neither stupid nor so-called script kids playing with computers in their parents’ basements like they were back in the day. It´s a trillion-dollar business. There are always very poorly done attacks too that are being mass-mailed to millions of recipients. Among these poorly crafted attacks, there are quite a few precisely targeted ones we too frequently see.
Precise targeting strongly applies to postal service related attacks. Attackers commonly utilize big companies like DHL and UPS since they operate globally. However, targeting phishing attacks according to the most popular postal service in a particular country surely yields the best results. Very often these are national postal services.
Here is a collection of postal service-related phishing attacks:
An accurate fake webpage of the main Finnish postal service, Posti.
In this attack, a 1€ fee is required for the package to be delivered. In reality, the victims’ credit card information is stolen and a lot more money will disappear from the victims’ bank accounts.
This attack is delivered by email and SMS, and it is targeting people living in Finland.
The same attack tactic is used in the name of other postal services: