{"id":19785,"date":"2022-06-29T16:00:54","date_gmt":"2022-06-29T12:00:54","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/dhl-scam-with-qr-codes\/19785\/"},"modified":"2022-06-29T16:01:15","modified_gmt":"2022-06-29T12:01:15","slug":"dhl-scam-with-qr-codes","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/dhl-scam-with-qr-codes\/19785\/","title":{"rendered":"&#8220;Package for you. Please scan the QR code&#8221;"},"content":{"rendered":"<p>Online shopping is now an established part of daily life: we get food, clothes and other goods delivered to our door in a couple of clicks. Online shopaholics, of whom there are many, may sometimes forget about a parcel or miss a call from the courier. Unsurprisingly, this is exploited by attackers who use fake delivery notifications as bait.<\/p>\n<p>One example of this is cybercriminals pretending to be the international express courier service, DHL. However, instead of the usual phishing link, the e-mail contains a QR code, and that is what kicks off this kind of swindle. How and why is the topic of this post.<\/p>\n<h2>\u201cYour package is at the post office\u201d<\/h2>\n<p>\nAn attack begins with an e-mail, seemingly from DHL. Although the sender\u2019s address is a random set of words bearing no resemblance to the courier service\u2019s name, the message body is quite convincing: company logo, order number (albeit fake), and supposed date of receipt of a package.<\/p>\n<p>The message itself (in this case in Spanish) states that an order has arrived at a local post office, but the courier was unable to deliver it in person. 
Usually such bait is accompanied by a link to \u201cresolve the issue,\u201d but this time there\u2019s a QR code instead.<\/p>\n<div id=\"attachment_44746\" style=\"width: 1110px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/06\/29160101\/dhl-scam-with-qr-codes-screen-1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-44746\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/06\/29160101\/dhl-scam-with-qr-codes-screen-1.jpg\" alt=\"E-mail with QR code supposedly from DHL. For safety, we replaced the QR code in the screenshot with a harmless one\" width=\"1100\" height=\"1100\" class=\"size-full wp-image-44746\"><\/a><p id=\"caption-attachment-44746\" class=\"wp-caption-text\">E-mail with QR code supposedly from DHL. For safety, we replaced the QR code in the screenshot with a harmless one<\/p><\/div>\n<p>A QR code is quite a versatile thing. It can be used, for example, to connect to Wi-Fi, pay for a purchase, or confirm you\u2019ve bought a ticket to a concert or movie. But perhaps their most common use is to distribute links offline: scanning a black-and-white square that can appear on product packaging, advertising posters, business cards, or elsewhere is a quick route to the relevant website.<\/p>\n<p>In this case, of course, the attackers were not thinking about user convenience. The idea seems to be that if the victim initially opens the e-mail on a computer, they\u2019ll still have to read the QR code with a smartphone, which means that the malicious site will open on the small screen of a mobile, where signs of phishing are harder to spot. Due to the space constraints in mobile browsers, URLs are not fully visible. And in Safari, the address bar was recently moved to the bottom of the screen, where many users don\u2019t even look. 
This plays straight into the hands of the cybercriminals because the URL of their fake site looks nothing like the official one: the word DHL doesn\u2019t even make an appearance.<\/p>\n<p>The website text is also small, which means that any design flaws are less noticeable. In any case, there aren\u2019t that many of them: the page welcomes users with the trademark yellow and red colors, the company name is shown below, and the text is pretty much error-free save for a couple of lowercase letters at the beginning of sentences.<\/p>\n<p>The victim is informed that the package will arrive within 1\u20132 days; to receive it, they\u2019re prompted to enter their first name, surname, and address with zip code. The delivery service does indeed request this kind of information, so no suspicions are aroused.<\/p>\n<div id=\"attachment_44745\" style=\"width: 1810px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/06\/29160107\/dhl-scam-with-qr-codes-screen-2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-44745\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/06\/29160107\/dhl-scam-with-qr-codes-screen-2.jpg\" alt=\"Fake DHL site asks for personal information, plus bank card details\" width=\"1800\" height=\"1280\" class=\"size-full wp-image-44745\"><\/a><p id=\"caption-attachment-44745\" class=\"wp-caption-text\">Fake DHL site asks for personal information, plus bank card details<\/p><\/div>\n<p>But the data harvesting doesn\u2019t end there. On the next page, the victim is asked to share more sensitive information: bank card details, including the CVV code on the back \u2013 purportedly to pay for delivery. The attackers don\u2019t specify an amount, mentioning only that the cost depends on the region, and giving assurances that money won\u2019t be debited until the package arrives. 
In actual fact, the genuine DHL requires payment for delivery in advance, when the order is made. If a customer does indeed miss the courier, another delivery attempt is made for free.<\/p>\n<h2>What do the criminals do with your payment data?<\/h2>\n<p>\nIt\u2019s unlikely the criminals will start charging the victim\u2019s card immediately \u2013 so that the latter doesn\u2019t link the debits to the bogus \u201cDHL\u201d e-mail. They\u2019re more likely to sell the payment data on the dark web, and it will be the buyer there who later siphons the funds instead\u00a0\u2013 when the victim may have already forgotten about the non-existent package.<\/p>\n<h2>How to protect yourself<\/h2>\n<p>\nAll the usual rules for protecting against cyberfraud apply in this case:<\/p>\n<ul>\n<li>Upon receipt of an e-mail claiming to be from a well-known service, always check the sender\u2019s e-mail address. The real name of the company doesn\u2019t appear after the @? It\u2019s most likely a scam. For other recognizable signs, see our <a href=\"https:\/\/www.kaspersky.com\/blog\/online-scam-red-flags\/43212\/\" target=\"_blank\" rel=\"noopener nofollow\">separate post<\/a>.<\/li>\n<li>If you\u2019re expecting a package, be sure to make a note of the tracking code and check its status on the official website yourself by opening it from Favorites or entering the URL in a search engine manually.<\/li>\n<li>To be on the safe side, when scanning QR codes, use our Kaspersky QR Scanner (available for both <a href=\"https:\/\/app.appsflyer.com\/com.kaspersky.qrscanner?pid=smm&amp;c=me-en_kdailyplaceholder\" target=\"_blank\" rel=\"noopener nofollow\">Android<\/a> and <a href=\"https:\/\/app.appsflyer.com\/id948297363?pid=smm&amp;c=me-en_kdailyplaceholder\" target=\"_blank\" rel=\"noopener nofollow\">iOS<\/a>). 
The app will tell you if the code points to a dangerous site.<\/li>\n<li>Equip all devices with a <a href=\"https:\/\/me-en.kaspersky.com\/plus?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">reliable antivirus<\/a> with anti-phishing and anti-fraud protection, which will warn you of any danger in good time.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kis-trial-banking\">\n","protected":false},"excerpt":{"rendered":"<p>How cybercriminals extract bank card details pretending to be DHL.<\/p>\n","protected":false},"author":2598,"featured_media":19789,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[2088,80,1220,695],"class_list":{"0":"post-19785","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-tips","9":"tag-fraud","10":"tag-qr-codes","11":"tag-scam"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/dhl-scam-with-qr-codes\/19785\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/dhl-scam-with-qr-codes\/24318\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/dhl-scam-with-qr-codes\/9983\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/dhl-scam-with-qr-codes\/26681\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/dhl-scam-with-qr-codes\/24619\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/dhl-scam-with-qr-codes\/24995\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/dhl-scam-with-qr-codes\/27346\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/dhl-scam-with-qr-codes\/26943\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/dhl-scam-with-qr-codes\/33400\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/dhl-scam-wi
th-qr-codes\/10814\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dhl-scam-with-qr-codes\/44744\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/dhl-scam-with-qr-codes\/19105\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/dhl-scam-with-qr-codes\/19659\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/dhl-scam-with-qr-codes\/28954\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/dhl-scam-with-qr-codes\/32580\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/dhl-scam-with-qr-codes\/28343\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/dhl-scam-with-qr-codes\/25169\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/dhl-scam-with-qr-codes\/30682\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/dhl-scam-with-qr-codes\/30431\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/scam\/","name":"scam"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19785"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19785\/revisions"}],"predecessor-version":[{"id":19788,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19785\/revisions\/19788"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19789"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19785"}],"wp:term":[{"taxonomy":"cat
egory","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}