Checkpoint researchers identified DHL as the most-imitated brand in phishing campaigns at the end of 2021. We sought to find if that will remain the case this year by looking at various intelligence sources. Our analysis revealed that:

• 6,110 domains and 9,371 subdomains containing the string “dhl” were registered from 1 January to 31 December 2021.
• Of the more than 15,000 web properties with “dhl,” only four were owned by DHL.
• Of the total volume of domains and subdomains, 747 were malicious.
• 50 words commonly appeared with “dhl” in the malicious domains and subdomains.

1,518 web properties (more than the 2021 monthly average) with the company’s name have already made their way into the DNS just this month.

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

Analysis and Findings

The first step we took was to obtain a list of domains and subdomains containing the string “dhl” that were registered throughout 2021. Our Domains & Subdomains Discovery search gave us 6,1010 domains and subdomains. Examples of the web properties in our initial dataset are shown in the table below.

We obtained the WHOIS records of the more than 15,000 digital properties in our dataset and found that only four were owned by DHL. These domains are:

• dhlexpress[.]jp
• dhlexpress[.]pt
• mydhl[.]jp
• mydhlfreight[.]lv

We used the company’s registrant email address (obtained from a WHOIS lookup) as a search term for the results of our bulk WHOIS lookup on the dataset. That could mean that a majority of the domains and subdomains is typosquatting on the brand’s popularity. It also reaffirms Checkpoint’s finding—that DHL was the most-phished brand last year.

We then subjected the 15,000+ web properties to a bulk malware check via the Threat Intelligence Platform (TIP). The results showed that 292 domains and 455 subdomains were dubbed “dangerous” by various malware engines. Examples of the digital properties that users should avoid accessing at all costs are listed in the table below.

The results coincide with Checkpoint’s researchers findings as well—that DHL service subscribers should be wary of the pages they interact with. Some of them could be part of phishing attacks.

A closer look at the malicious digital properties also revealed terms that were commonly used with DHL in domain and subdomain names. Monitoring URLs for these strings could serve as an additional layer of protection against phishing attempts.

DHL customers who don’t want to become the next victims should be wary of domains and subdomains with the following string combinations:

• dhl + parcel
• dhl + express
• dhl + track/tracking/tracker
• dhl + pack/packet/package/packaging
• dhl + pay/payment
• dhl + deliver/delivery/delivering
• dhl + service
• dhl + online
• dhl + secure/security
• dhl + order

One or more of the strings featured in the word cloud above appeared in combination with “dhl” in the malicious domains and subdomains.

Will DHL Remain a Top Contender for the Most-Imitated Brand in 2022

As of 31 January 2022, 331 domains and 1,187 subdomains (totaling 1,518) containing the string “dhl” were registered. The average number of newly registered DHL domains and subdomains in 2021 were 509 and 780, respectively, accounting for a total of 1,289. Comparing the numbers, we can say that if the January 2022 registration volume holds its pace, then DHL may be the 2022 top phishing target.

Individuals and companies alike, especially those who rely heavily on DHL’s services, would benefit from the analysis and findings presented in this post. Avoiding the featured malicious web properties is critical if they wish to avoid becoming the next phishing victims.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.