Threat actors have found a way to make phishing websites appear more legitimate by employing chatbots. The newly discovered tactic starts with an email about a delivery from DHL. When the victim clicks the link embedded in the email, they are redirected to a phishing site with automated chatbots that guide them into giving out sensitive information.

We took a closer look at the subdomain tagged as an indicator of compromise (IoC) and looked for similar threats targeting DHL and other top shipping and courier companies. Our findings include:

• A dozen connected domains sharing the IoC’s IP address
• More DHL-targeted subdomains sharing the IoC’s root domain
• 10,000+ cybersquatting domains and subdomains targeting DHL, FedEx, UPS, and Royal Mail that contain text strings used in the IoC
• 500+ malicious properties detected by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the IoC

Trustwave, through Bleeping Computer, only cited one IoC—dhiparcel-management[.]support-livechat[.]24mhd[.]com. The subdomain hosts a DHL look-alike page where the chatbot resides. Here’s what we know about this IoC based on checks done through Threat Intelligence Platform (TIP):

• 24mhd[.]com has another subdomain targeting DHL—dhl[.]com-contact[.]24mhd[.]com.
• The IoC resolves to 62[.]210[.]137[.]157, which is shared by only 11 other cyber resources, one of which has been reported as malicious. The few IP-connected domains could mean that this is a dedicated IP address.
• The IP address is geolocated in France and assigned to Scaleway, a French web hosting provider.
• The root domain uses a recently obtained Secure Sockets Layer (SSL) certificate, which supports suboptimal cipher suites and does not force HTTPS connections.

Uncovering Potentially Connected Domains

While the IoC has already been flagged as malicious, more domains could be used in similar phishing campaigns. To stay on top of this threat, we expand our discovery process based on the lexical characteristic of the IoC. In particular, this refers to using “dhl” and its typo variants alongside strings, such as “parcel,” “management,” “support,” “live,” and “chat.”

We included FedEx, UPS, and Royal Mail, three other popular courier companies, to broaden threat hunting. We used the company names as search strings together with these terms:

• “parcel”
• “support”
• “chat”
• “ticket”
• “package”
• “manage”
• “track”
• “deliver”

We removed as many false positives as possible by excluding properties containing specific terms, such as “groups,” “backups,” and “upstart,” from our UPS sample. As a result, we discovered 5,133 domains and 5,633 subdomains.

Several cybersquatting resources contained the strings “track,” “support,” and “chat,” potentially targeting users tracking their packages and seeking support services. The strings “deliver,” “parcel,” and “manage” also took a significant percentage of the sample, followed by “package” and “ticket.”

Types of Content Hosted on the Cybersquatting Properties

Only about 32% of the sample actively resolved to IP addresses. Several were parked domain names. Still, some stood out mainly because of their questionable content. Some examples are shown below. Note that most of them have been flagged as malicious, yet they still host content that looks similar to the homepages of the targeted courier companies.

The two Royal Mail domains above are interesting since they haven’t been flagged as malicious. They also don’t redirect to the official Royal Mail website (royalmail[.]com). We still consider them suspicious since they don’t share the same registrant email address as royalmail[.]com. In addition, Royal Mail doesn’t seem to have a chat support service, according to their official Help pages (personal[.]help[.]royalmail[.]com and business[.]help[.]royalmail[.]com).

Malicious Cybersquatting Property Alert

TIP detected that 557 properties, or about 5% of the sample, were malicious during a bulk malware check on 6 June 2022.

The automated threat that Trustwave detected may be carried out by domains and subdomains masquerading as support services of target courier companies. It’s vital to proactively search for cyber resources that can potentially be connected to this and other similar threats.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.