Beware of phishing cybercriminals sending emails impersonating DHL

Beware of cybercriminals sending emails impersonating DHL

Image of a person typing on a laptop. Credit: Creative Commons

One of the most recent phishing scams involves cybercriminals impersonating parcel delivery service DHL.

As ESET Spain warned recently, there have been two similar phishing campaigns in which cybercriminals impersonated the courier company DHL with different techniques in which they spread the same threat.

According to the director of research and awareness from ESET, the main attack of this type continues to be the use of an email that impersonates this company and indicates to the victims that there has been an unsuccessful delivery of a package. Alternatively, the message informs the recipient that their package is arriving at a nearby warehouse.

The purpose of these e-mails is to gain the trust of the user so that they download the files that are attached. These files are compressed and their actual extension cannot be seen until they are uncompressed.

In one of the cases, an executable file appears and this is something that should draw the reader’s attention, since it is an indication that someone is trying to infect our device.

In the other case, they use the file extension .CHM, which is responsible for executing a script in PowerShell. This type of script is used by many cybercriminals to download an F37 JPG file that is located on a website that hosts malicious code.

If the user has started downloading this file, a security solution should normally be activated because the mail server itself classifies it as spam, even blocking the execution of this file.

Upon receipt of any of these emails, the DHL logo will be prominent, and the package number will appear. The message will indicate that there has been a failed package delivery attempt and that to see the tracking details you must consult the attached file. This is precisely where the malware resides.

In both cases, the malware has been analysed and corresponds to ‘Agent Tesla’, which has been around since 2014, and specialises in stealing the credentials of the applications that users use on a daily basis. The criminal group behind the phishing attack uses the personal data of its victims for its own purposes or sells it to other criminals to further spread threats.

According to ESET, this DHL impersonation campaign is especially aimed at Spanish users and a few cases have been detected in the rest of the European countries, and also in Japan. In order to not fall victim to this type of scam, internet users must be very careful and always make sure that the emails come from a reliable source. 


Thank you for taking the time to read this article, do remember to come back and check The Euro Weekly News website for all your up-to-date local and international news stories and remember, you can also follow us on Facebook and Instagram.

Written by

Chris King

Originally from Wales, Chris spent years on the Costa del Sol before moving to the Algarve where he is a web reporter for The Euro Weekly News covering international and Spanish national news. Got a news story you want to share? Then get in touch at