Threat actors have found a way to make phishing websites appear more legitimate by employing chatbots. The newly discovered tactic starts with an email about a delivery from DHL. When the victim clicks the link embedded in the email, they are redirected to a phishing site with automated chatbots that guide them into giving out sensitive information.
We took a closer look at the subdomain tagged as an indicator of compromise (IoC) and looked for similar threats targeting DHL and other top shipping and courier companies. Our findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Trustwave, through Bleeping Computer, only cited one IoC—dhiparcel-management[.]support-livechat[.]24mhd[.]com. The subdomain hosts a DHL look-alike page where the chatbot resides. Here’s what we know about this IoC based on checks done through Threat Intelligence Platform (TIP):
While the IoC has already been flagged as malicious, more domains could be used in similar phishing campaigns. To stay on top of this threat, we expanded our discovery process based on the lexical characteristics of the IoC. In particular, we used “dhl” and its typo variants alongside strings such as “parcel,” “management,” “support,” “live,” and “chat.”
We included FedEx, UPS, and Royal Mail, three other popular courier companies, to broaden threat hunting. We used the company names as search strings together with these terms:
We removed as many false positives as possible by excluding properties containing specific terms, such as “groups,” “backups,” and “upstart,” from our UPS sample. As a result, we discovered 5,133 domains and 5,633 subdomains.
Several cybersquatting resources contained the strings “track,” “support,” and “chat,” potentially targeting users tracking their packages and seeking support services. The strings “deliver,” “parcel,” and “manage” also took a significant percentage of the sample, followed by “package” and “ticket.”
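The lexical hunt described above, as an added illustration rather than code from the original post or from WhoisXML API: brand strings (plus typo variants) are combined with the context terms, names that only contain a brand string by accident (“groups,” “backups,” “upstart”) are stripped out before matching, and the surviving hits are tallied by context term. The typo variants for FedEx, UPS, and Royal Mail, the extra false-positive words, and every candidate name other than the post’s single IoC are constructed for this example.

```python
from collections import Counter

# Brand strings and typo variants to hunt for. The post only says "dhl" and
# its typo variants were used; the other variants here are constructed.
BRANDS = {
    "dhl": ("dhl", "dhi", "dh1", "dlh"),
    "fedex": ("fedex", "fed-ex", "fedx"),
    "ups": ("ups",),
    "royalmail": ("royalmail", "royal-mail", "roya1mail"),
}

# Context strings from the post; "manage" also covers "management"
TERMS = ("parcel", "manage", "support", "live", "chat", "track",
         "deliver", "package", "ticket")

# Words that contain a brand string by accident; removed before matching.
# The first three are the post's exclusions, the rest are constructed.
FALSE_POSITIVE_TERMS = ("groups", "backups", "upstart", "setups", "pushups")


def refang(name):
    """Turn defanged IoC notation ("[.]") back into a lower-cased hostname."""
    return name.strip().lower().replace("[.]", ".")


def classify(fqdn):
    """Return {'fqdn', 'brands', 'terms'} when the name contains a brand
    (or typo variant) plus at least one context term, otherwise None."""
    name = refang(fqdn)
    # Remove known false-positive words so that e.g. "groups" no longer
    # yields a spurious "ups" match
    for fp in FALSE_POSITIVE_TERMS:
        name = name.replace(fp, "")
    brands = sorted(b for b, variants in BRANDS.items()
                    if any(v in name for v in variants))
    terms = [t for t in TERMS if t in name]
    if not brands or not terms:
        return None
    return {"fqdn": fqdn, "brands": brands, "terms": terms}


def hunt(candidates):
    """Classify every candidate name; return (hits, per-term Counter)."""
    hits = [h for h in (classify(c) for c in candidates) if h]
    counts = Counter(t for h in hits for t in h["terms"])
    return hits, counts


# Constructed candidate list: the post's IoC plus made-up names that stand in
# for the domains and subdomains a real search would return
SAMPLE = [
    "dhiparcel-management[.]support-livechat[.]24mhd[.]com",  # IoC from the post
    "fedex-track-support[.]example",
    "ups-parcel-chat[.]example",
    "royalmail-livechat[.]example",
    "backups-support[.]example",   # false positive: "ups" inside "backups"
    "groups-chat[.]example",       # false positive: "ups" inside "groups"
    "upstart-ticket[.]example",    # false positive: "ups" inside "upstart"
    "dhl[.]com",                   # brand string only, no context term
    "example[.]com",
]

if __name__ == "__main__":
    hits, counts = hunt(SAMPLE)
    for h in hits:
        print(h["fqdn"], h["brands"], h["terms"])
    print(counts.most_common())
```

Stripping the false-positive words before matching, rather than discarding any name that contains them, keeps a name such as a hypothetical “ups-support-backups” in scope if it still contains the brand string elsewhere; the term counter is what drives the “which strings dominate the sample” observation in the paragraph above.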
Only about 32% of the sample actively resolved to IP addresses. Several were parked domain names. Still, some stood out mainly because of their questionable content. Some examples are shown below. Note that most of them have been flagged as malicious, yet they still host content that looks similar to the homepages of the targeted courier companies.
The two Royal Mail domains above are interesting since they haven’t been flagged as malicious. They also don’t redirect to the official Royal Mail website (royalmail[.]com). We still consider them suspicious since they don’t share the same registrant email address as royalmail[.]com. In addition, Royal Mail doesn’t seem to have a chat support service, according to their official Help pages (personal[.]help[.]royalmail[.]com and business[.]help[.]royalmail[.]com).
TIP detected that 557 properties, or about 5% of the sample, were malicious during a bulk malware check on 6 June 2022.
The automated threat that Trustwave detected may be carried out by domains and subdomains masquerading as support services of target courier companies. It’s vital to proactively search for cyber resources that can potentially be connected to this and other similar threats.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.