Multi-stage DHL phishing campaign examined

HackRead reports that threat actors have spoofed DHL in a new phishing campaign that employed a multi-step attack chain to siphon users' passwords.

According to findings from the Forcepoint X-Labs research team, the malicious emails purport to come from DHL Express but are sent from the cupelva[.]com domain. Each carries a button to "confirm waybill details" that redirects to a fraudulent parcel OTP page; the page displays a JavaScript-generated six-digit number and adds a two-second delay to mimic legitimate processing. The victim's email address is then passed along in the URL (URL-based identity injection) and pre-filled into the final spoofed DHL login page, enabling password theft and the subsequent harvesting of device telemetry. The attackers use the EmailJS service to exfiltrate the captured data, and the phishing kit finally redirects victims to the real DHL site to avert suspicion.

"The campaign targets individuals rather than specific organizations and shows no geographic concentration. What makes it worth examining is the OTP mechanic: a trust-building layer with no real authentication behind it, engineered entirely to lower the victim's guard before the actual theft begins," said researchers.
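The indicators described above (a brand name in the display name paired with a non-brand sender domain, a call-to-action link that leaves the brand's domain, and the recipient's address carried in the URL so the fake login page can pre-fill it) can be checked mechanically at triage time. The following Python helper is an added example, not code from Forcepoint, HackRead or the phishing kit; the sample message, the example.org address and the domain allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample shaped like the lure described in the report: a "DHL Express"
# display name, a sender domain that is not DHL's, and a waybill button whose link
# carries the recipient's email address. Not real campaign data.
SAMPLE = {
    "from_display": "DHL Express",
    "from_domain": "cupelva.com",
    "link": "https://parcel-update.example/otp?email=jane.doe%40example.org&wb=7712",
}

# Assumption: an allowlist of domains the defender trusts for this brand.
BRAND_DOMAINS = {"dhl.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_brand_domain(host, allow=BRAND_DOMAINS):
    """True when host is an allowlisted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allow)


def embedded_identity(url):
    """Return an email address carried anywhere in the URL (after percent-decoding), or None."""
    match = EMAIL_RE.search(unquote(url))
    return match.group(0) if match else None


def score_message(msg, allow=BRAND_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    claims_brand = "dhl" in msg["from_display"].lower()
    if claims_brand and not is_brand_domain(msg["from_domain"], allow):
        findings.append("display name claims DHL but sender domain is " + msg["from_domain"])
    link_host = urlparse(msg["link"]).hostname or ""
    if claims_brand and not is_brand_domain(link_host, allow):
        findings.append("call-to-action link leaves the brand domain: " + link_host)
    identity = embedded_identity(msg["link"])
    if identity:
        findings.append("recipient identity carried in URL for pre-fill: " + identity)
    return findings


if __name__ == "__main__":
    for finding in score_message(SAMPLE):
        print("-", finding)
```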
