Holiday shopping is in full swing, and for many people that means their inboxes are inundated with shipping notifications. Attackers use shipping-themed lures year-round, but never so often as during the holiday season. These lures are effective for threat actors looking either to deliver malware or to harvest credentials from unsuspecting users.
One very convincing shipping-themed phishing variant observed recently stood out as particularly well crafted. This attack would easily pass the eye test given the convincing wording and visuals of both the email and the phishing page.
As we have seen quite frequently in a variety of phishing attacks over the past several months, ipfss[.]com is being leveraged to host this DHL-branded credential harvesting page.
This example happened to be DHL themed, but these lures are frequently observed posing as USPS, UPS, FedEx, etc. Not only is this a very popular social engineering tactic in credential harvesting attacks, it is also popular with malware distributors.
For example, we recently spotted the information-stealing malware DarkCloud spoofing FedEx and using .daa files (Direct Access Archive, or DAA). The attachment poses as a means to confirm the shipment but instead delivers the DarkCloud payload.
We all need to be extremely vigilant this time of year regarding shipping-related emails. If you get an email with a call to action or one reporting a delivery issue, it is best to check on any packages in motion via the seller’s portal, or at least via the original email notification from the seller telling you that the shipment is en route.