Inside a Fake DHL Campaign Built to Steal Credentials
This threat is a consumer-targeted phishing campaign impersonating DHL to steal user credentials. It uses spoofed shipment notification emails and a fake OTP verification page to build trust, then directs victims to a DHL-branded credential harvesting portal. The campaign collects passwords and detailed victim telemetry such as IP address, device info, browser fingerprinting, and geolocation. Stolen data is exfiltrated via EmailJS to an attacker-controlled email address. The attack concludes by redirecting victims to the legitimate DHL website to avoid suspicion. The campaign leverages social engineering and brand impersonation without requiring technical exploits.
AI Analysis
Technical Summary
The campaign begins with spoofed DHL shipment notification emails that lead victims into a multi-step phishing flow. The first stop is a fake OTP verification page generated entirely client-side; it performs no real verification and exists only to make the flow look legitimate. Victims are then sent to a credential harvesting portal that mimics DHL's branding. Besides the password, the kit records extensive telemetry: IP address, device details, a browser fingerprint and geolocation. Harvested data is exfiltrated through EmailJS, a legitimate client-side email API, to an attacker-controlled Tutamail address, so the outbound traffic goes to a reputable third-party service rather than to attacker infrastructure. Finally the victim is redirected to the official DHL website, which reduces suspicion and makes it more likely that the stolen credentials remain usable before the victim notices. The attack relies on social engineering and brand trust, not on a technical vulnerability.
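The lure described above is a brand-impersonation email, and the first place a defender can catch it is at the mail gateway. The script below is an added example written for this page; it is not code from the original report or from Forcepoint's analysis. It parses a raw message, flags a display name or subject that claims the DHL brand while the sender domain is not one of the brand's own, reads only the Authentication-Results header stamped by our own gateway (the authserv-id mx.example.net, the brand domain list and both sample messages are constructed assumptions), and checks links in the body against the two indicator domains from this report.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keyword -> registrable domains allowed to send as that brand (assumption for this example).
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}
# Indicator domains taken from this report.
IOC_DOMAINS = {"perfectgoc.com", "biotechgroup.net"}
# Only trust Authentication-Results written by our own gateway (constructed authserv-id).
# An attacker can add their own Authentication-Results header, so any other authserv-id is ignored.
TRUSTED_AUTHSERV_ID = "mx.example.net"

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the indicators on this page."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the trusted gateway header only."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV_ID:
            continue
        for mech, verdict in AUTH_RE.findall(rest):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def assess_message(raw):
    """Return a verdict and the list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    subject = msg.get("Subject", "")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in (display_name + " " + subject).lower() and sender_domain not in domains:
            findings.append(f"brand_impersonation: '{display_name}' sent from {sender_domain or 'unknown'}")

    # Anything other than an explicit pass is reported; tune this for your environment.
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "missing") != "pass":
            findings.append(f"{mech}_not_pass: {verdicts.get(mech, 'missing')}")

    body = msg.get_payload(decode=True) or b""
    for url in URL_RE.findall(body.decode("utf-8", "replace")):
        host = urlparse(url).hostname or ""
        if registrable(host) in IOC_DOMAINS:
            findings.append(f"ioc_link: {url}")

    brand_hit = any(f.startswith("brand_impersonation") for f in findings)
    hard_fail = any(f.startswith(("dmarc_not_pass", "ioc_link")) for f in findings)
    verdict = "phishing" if brand_hit and hard_fail else ("suspicious" if findings else "clean")
    return {"verdict": verdict, "findings": findings}


# Constructed sample lure modelled on the campaign; the second Authentication-Results
# header is attacker-supplied and must be ignored.
SAMPLE_PHISH = """\
From: "DHL Express" <notification@perfectgoc.com>
To: victim@example.org
Subject: DHL: your shipment is on hold, verify with the OTP code
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=perfectgoc.com; dkim=none; dmarc=fail header.from=perfectgoc.com
Authentication-Results: evil.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Your parcel could not be delivered. Verify your identity at
http://biotechgroup.net/ to release the shipment.
"""

# Constructed sample of a legitimately authenticated brand message.
SAMPLE_LEGIT = """\
From: "DHL Express" <noreply@dhl.com>
To: victim@example.org
Subject: Your DHL shipment is out for delivery
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=dhl.com; dkim=pass header.d=dhl.com; dmarc=pass header.from=dhl.com
Content-Type: text/plain; charset=utf-8

Track it at https://www.dhl.com/
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess_message(raw))
```

The authserv-id check matters in practice: phishing kits routinely prepend a forged Authentication-Results header, and a filter that reads the first such header it finds will see spf=pass and wave the message through.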
Potential Impact
Victims of this campaign risk having their DHL credentials and associated telemetry data stolen, which can lead to unauthorized access to their DHL accounts or reuse of credentials on other services. The collection of detailed telemetry data increases the potential for targeted follow-up attacks or identity theft. The campaign's use of legitimate services for exfiltration and redirection to the real DHL site reduces detection likelihood, increasing the success rate of credential theft. There are no known technical exploits involved, and no direct compromise of DHL systems is indicated.
Mitigation Recommendations
There is no patch for a social engineering campaign; the controls are awareness, mail filtering and network blocking. Users should be taught to treat unexpected DHL shipment notifications and OTP prompts as suspect, and organizations should warn customers about this specific lure and advise them to check the sender address and the URL before entering anything. Block or monitor the identified domains (perfectgoc.com, biotechgroup.net) and the URL http://biotechgroup.net/ at the proxy and resolver. Because the kit exfiltrates through EmailJS, a legitimate service, a blanket block of its API is likely to break legitimate users; a more precise check is to alert on browser POSTs to the EmailJS API whose referring page is not a site known to use the service. No vendor patch or official fix is applicable.
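On the network side, the flow described in the technical summary (lure domain, EmailJS POST, redirect to the real DHL site) is visible in web proxy logs. The detector below is an added example for this page, not code from the report or from the kit; it flags requests to the two indicator domains, flags POSTs to the EmailJS API whose referrer is not on an allowlist, and raises a higher-confidence "harvest_chain" alert when one client goes lure, then EmailJS POST, then DHL within a short window. The log format, the allowlisted intranet host and all sample lines are constructed; the EmailJS endpoint host api.emailjs.com is the service's public REST API and the example assumes the kit calls it directly from the victim's browser.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicator domains taken from this report.
IOC_DOMAINS = {"perfectgoc.com", "biotechgroup.net"}
# Public REST API host of the EmailJS service the kit abuses for exfiltration.
# Assumption: the kit calls it straight from the victim's browser, so it appears in proxy logs.
EMAILJS_HOST = "api.emailjs.com"
# Constructed allowlist: internal sites that legitimately send mail through EmailJS.
EMAILJS_ALLOWED_REFERERS = {"intranet.example.com"}
# The legitimate site the kit redirects to when it is done.
BRAND_HOSTS = {"www.dhl.com", "dhl.com"}


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the indicators on this page."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line):
    """Parse one constructed proxy log line: ts src method url referer status ('-' = no referer)."""
    ts, src, method, url, referer, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method.upper(),
        "url": url,
        "referer": None if referer == "-" else referer,
        "status": int(status),
    }


def classify(ev):
    """Map one request to a stage of the described flow; (None, host) if it matches nothing."""
    host = (urlparse(ev["url"]).hostname or "").lower()
    if registrable(host) in IOC_DOMAINS:
        return "lure", host
    if host == EMAILJS_HOST and ev["method"] == "POST":
        ref_host = (urlparse(ev["referer"] or "").hostname or "").lower()
        if ref_host not in EMAILJS_ALLOWED_REFERERS:
            return "exfil", ref_host or "(no referer)"
        return None, host
    if host in BRAND_HOSTS:
        return "redirect", host
    return None, host


def detect(lines, window=timedelta(minutes=5)):
    """Return (src, alert, detail) tuples. 'harvest_chain' fires when one source
    performs lure -> exfil -> redirect in order within `window`."""
    alerts = []
    last_seen = {}  # src -> {stage: timestamp of most recent occurrence}
    for line in lines:
        ev = parse_line(line)
        stage, detail = classify(ev)
        if stage is None:
            continue
        seen = last_seen.setdefault(ev["src"], {})
        seen[stage] = ev["ts"]
        if stage == "lure":
            alerts.append((ev["src"], "ioc_domain", detail))
        elif stage == "exfil":
            alerts.append((ev["src"], "emailjs_post_untrusted_referer", detail))
        elif stage == "redirect":
            lure_ts, exfil_ts = seen.get("lure"), seen.get("exfil")
            if lure_ts and exfil_ts and lure_ts <= exfil_ts <= ev["ts"] <= lure_ts + window:
                alerts.append((ev["src"], "harvest_chain", detail))
    return alerts


# Constructed proxy log: 10.0.0.5 walks the whole kit, 10.0.0.9 is a legitimate EmailJS user,
# 10.0.0.7 simply visits DHL.
SAMPLE_LOG = """\
2026-04-29T07:10:02Z 10.0.0.5 GET http://biotechgroup.net/ - 200
2026-04-29T07:10:40Z 10.0.0.5 POST https://api.emailjs.com/api/v1.0/email/send http://biotechgroup.net/ 200
2026-04-29T07:10:41Z 10.0.0.5 GET https://www.dhl.com/ http://biotechgroup.net/ 200
2026-04-29T07:12:00Z 10.0.0.9 POST https://api.emailjs.com/api/v1.0/email/send https://intranet.example.com/contact 200
2026-04-29T07:15:00Z 10.0.0.7 GET https://www.dhl.com/ - 200
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The referrer allowlist is what keeps this usable: EmailJS has legitimate customers, so the POST alone is weak evidence, while a POST to it referred from a page on a freshly seen domain, followed seconds later by a jump to the real brand site, is the pattern this kit leaves behind.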
Indicators of Compromise
- domain: perfectgoc.com
- url: http://biotechgroup.net/
- domain: biotechgroup.net
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft
- Adversary: none recorded
- Pulse Id: 69f11f15737a6a70e077e9d7
- Threat Score: none recorded
Threat ID: 69f1adeecbff5d8610b7f22f
Added to database: 4/29/2026, 7:06:22 AM
Last enriched: 4/29/2026, 7:23:05 AM
Last updated: 4/29/2026, 10:15:05 PM