NordVPN Promotion

Home / Industry

DHL Was the Most-Phished Company in 2021, Will That Be True in 2022, Too?

Checkpoint researchers identified DHL as the most-imitated brand in phishing campaigns at the end of 2021. We sought to find if that will remain the case this year by looking at various intelligence sources. Our analysis revealed that:

  • 6,110 domains and 9,371 subdomains containing the string “dhl” were registered from 1 January to 31 December 2021.
  • Of the more than 15,000 web properties with “dhl,” only four were owned by DHL.
  • Of the total volume of domains and subdomains, 747 were malicious.
  • 50 words commonly appeared with “dhl” in the malicious domains and subdomains.

1,518 web properties (more than the 2021 monthly average) with the company’s name have already made their way into the DNS just this month.

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

Analysis and Findings

The first step we took was to obtain a list of domains and subdomains containing the string “dhl” that were registered throughout 2021. Our Domains & Subdomains Discovery search gave us 6,1010 domains and subdomains. Examples of the web properties in our initial dataset are shown in the table below.

Sample DomainsSample Subdomains
dhldhldhl[.]ws
dhl-dhl-dhl[.]de
dhldhl[.]cc
ldhldhldh[.]xyz
mydhlexpressdhldhl[.]pro
dhl[.]yt
dhl[.]ml
dhl[.]vc
dhl[.]xn—fiqs8s
xn—hl-pma[.]vn
dhl[.]alnaqlon[.]com
dhl[.]paysout[.]ru
dhl[.]paydinfo[.]online
dhl[.]mohr[.]health
dhl[.]express-delvery[.]me
dhl[.]hktrack[.]co
dhl[.]pay-id14354[.]pw
dhl[.]secure-payments[.]online
dhl[.]parcel1-mobil[.]com
dhl[.]dhltransport[.]de
dhl[.]syc5521[.]com

We obtained the WHOIS records of the more than 15,000 digital properties in our dataset and found that only four were owned by DHL. These domains are:

  • dhlexpress[.]jp
  • dhlexpress[.]pt
  • mydhl[.]jp
  • mydhlfreight[.]lv

We used the company’s registrant email address (obtained from a WHOIS lookup) as a search term for the results of our bulk WHOIS lookup on the dataset. That could mean that a majority of the domains and subdomains is typosquatting on the brand’s popularity. It also reaffirms Checkpoint’s finding—that DHL was the most-phished brand last year.

We then subjected the 15,000+ web properties to a bulk malware check via the Threat Intelligence Platform (TIP). The results showed that 292 domains and 455 subdomains were dubbed “dangerous” by various malware engines. Examples of the digital properties that users should avoid accessing at all costs are listed in the table below.

Sample Malicious DomainsSample Malicious Subdomains
dhl-dhl-dhl[.]de
dhldhl[.]cc
e-dhl[.]cc
dhl[.]rest
ca-dhl[.]co
dhl-ch[.]me
dhl-hk[.]cc
dhl[.]parts
dhl-il[.]cc
uae-dhl-trackingdhl[.]com
dhl[.]paysout[.]ru
dhl[.]parcel1-mobil[.]com
dhl[.]ru-onlinepay[.]pw
dhl[.]safe-delivery[.]icu
dhl[.]demande-delivery[.]eu
dhl[.]reschedule-review[.]com
dhl[.]web-pay[.]info
dhl[.]m-reserv[.]info
dhl[.]payprotection[.]ru
dhl[.]contactinfoo[.]com

The results coincide with Checkpoint’s researchers findings as well—that DHL service subscribers should be wary of the pages they interact with. Some of them could be part of phishing attacks.

A closer look at the malicious digital properties also revealed terms that were commonly used with DHL in domain and subdomain names. Monitoring URLs for these strings could serve as an additional layer of protection against phishing attempts.

DHL customers who don’t want to become the next victims should be wary of domains and subdomains with the following string combinations:

  • dhl + parcel
  • dhl + express
  • dhl + track/tracking/tracker
  • dhl + pack/packet/package/packaging
  • dhl + pay/payment
  • dhl + deliver/delivery/delivering
  • dhl + service
  • dhl + online
  • dhl + secure/security
  • dhl + order

One or more of the strings featured in the word cloud above appeared in combination with “dhl” in the malicious domains and subdomains.

Will DHL Remain a Top Contender for the Most-Imitated Brand in 2022

As of 31 January 2022, 331 domains and 1,187 subdomains (totaling 1,518) containing the string “dhl” were registered. The average number of newly registered DHL domains and subdomains in 2021 were 509 and 780, respectively, accounting for a total of 1,289. Comparing the numbers, we can say that if the January 2022 registration volume holds its pace, then DHL may be the 2022 top phishing target.


Individuals and companies alike, especially those who rely heavily on DHL’s services, would benefit from the analysis and findings presented in this post. Avoiding the featured malicious web properties is critical if they wish to avoid becoming the next phishing victims.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

NordVPN Promotion