Phishing Campaign Impersonates DHL to Steal Credentials via Fake OTP Scheme Researchers at Forcepoint’s X-Labs uncovered a sophisticated phishing campaign leveraging the DHL brand to harvest login credentials through an 11-step attack chain. The operation begins with a spoofed email bearing the subject line “DHL EXPRESS WAYBILL CONFIRMATION REQUIRED,” falsely prompting recipients to verify a shipment. While the display name appears as DHL EXPRESS, the sender domain cupelva.com reveals the deception, though the email bypasses some security filters by passing DKIM authentication for the attacker’s domain. Victims who click the embedded link are directed to a fake parcel verification page hosted at perfectgoc.com, where a locally generated six-digit "OTP" is displayed via JavaScript. Unlike legitimate two-factor authentication, this step does not involve SMS or email delivery; instead, users are instructed to input the on-screen code, creating a false sense of security. A deliberate two-second delay mimics real processing, further enhancing the illusion. Forcepoint researchers emphasized that this tactic targeting individuals without geographic or organizational focus relies on psychological manipulation rather than technical complexity to lower victims’ defenses. The attack employs URL-based identity injection to pre-fill the victim’s email address on a counterfeit DHL login portal, increasing perceived legitimacy. Once credentials are entered, the phishing kit exfiltrates additional telemetry data, including the user’s public IP, device type, OS, browser version, and geolocation (city/country). This data is temporarily stored in the browser’s local storage before being transmitted. For data exfiltration, the attackers use EmailJS, a legitimate service that enables direct browser-to-email transfers, eliminating the need for dedicated command-and-control infrastructure. Stolen information is sent to the attacker-controlled mailbox [email protected]. Upon completion, victims are redirected to DHL’s authentic website, reducing suspicion by simulating a successful login. Forcepoint noted the campaign’s effectiveness stems from its focus on social engineering over malware, with mitigation requiring the blocking of weaponized URLs and monitoring of the attacker’s mailbox.