
DHL scam emails distributing virus files [upd. February 2023]

A massive wave of spam impersonating DHL Express has been dropping malicious code onto recipients’ computers, so be careful with these fake emails.

Popular international shipping services consistently attract online crooks because of their large customer base and the present-day emphasis on online client interaction. No wonder a parcel delivery giant like DHL Express has ended up in the crosshairs. In a recent spam campaign, a group of cybercriminals has been forging standard DHL notifications in a bid to get users infected with malware. The majority of these rogue messages are currently circulating in Germany and the Netherlands, although people in other countries have reportedly been affected as well. The idea is to misinform users about the status of a nonexistent delivery, a hook that is likely to catch the interest of many recipients.

I found this example here of the DHL Express email scam:

DHL Express email phishing scam

It says:

“Dear customer.
We are sorry to inform you that the package you received on October 16th, 2022 will be returned.

We could not deliver your package due to an incorrect delivery address.
You have extended your delivery address within 24 hours. Click the “Compensation” button below and fill out the form to submit a new delivery request.
-This is how it works:
Check your billing information and credit card information.”

And then it shows a button that says “Follow my package”. I’m sure that is meant to say “Track my package”, but whoever put together the scam maybe doesn’t know English as well as they thought they did. They did a translation and chose “Follow” instead of “Track”.

Actual scammer email address

The screenshot above shows that the display name DHLPostService was hiding the actual sender address fishy@warm-waters.net, which clearly is not a DHL or DHL Express email address and is instead a scam.
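The display-name mismatch described above can be checked automatically. The following is an added example, not code from the original article or from DHL: it parses the From header and flags senders whose display name mentions a brand while the address domain is not on that brand's allowlist. The allowlist contents and the second and third sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Assumption: brand keyword -> domains permitted to send under that name.
# Replace with the sender domains your organisation has verified.
BRAND_DOMAINS = {"dhl": ("dhl.com", "dhl.de")}

def domain_allowed(domain, allowed):
    """True only for an allowed domain or a subdomain of it (match on a dot)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def spoofed_brands(raw_message):
    """Return (brand, display_name, address) for every From mailbox whose
    display name mentions a brand but whose domain is not on its allowlist."""
    msg = message_from_string(raw_message, policy=default)
    from_header = msg["From"]
    if from_header is None:
        return []
    findings = []
    # policy=default parses the header and decodes RFC 2047 display names.
    for mbox in from_header.addresses:
        name = mbox.display_name.lower()
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in name and not domain_allowed(mbox.domain, allowed):
                findings.append((brand, mbox.display_name, mbox.addr_spec))
    return findings

# Constructed sample messages; only the first sender comes from the article.
SAMPLE_SPOOFED = (
    "From: DHLPostService <fishy@warm-waters.net>\n"
    "Subject: Your package\n\nbody\n"
)
SAMPLE_LEGIT = (
    "From: DHL Express <noreply@mail.dhl.com>\n"
    "Subject: Your package\n\nbody\n"
)
# Look-alike: the brand domain appears as a prefix of an unrelated domain.
SAMPLE_LOOKALIKE = (
    "From: =?utf-8?q?DHL_Express?= <info@dhl.com.example.net>\n"
    "Subject: Your package\n\nbody\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOFED, SAMPLE_LEGIT, SAMPLE_LOOKALIKE):
        print(spoofed_brands(sample) or "no brand/domain mismatch")
```

A clean result only means the display name agrees with the From domain; the From header itself can be forged, so this check complements SPF, DKIM and DMARC results rather than replacing them.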

On the DHL website, I found the following tips to help avoid email phishing scams:

Tips to help avoid DHL email phishing scam

Basically, don’t click on any suspicious links that claim to come from package shipping companies. Whether or not you are expecting a package, don’t click on suspicious links. Instead, find a legitimate phone number or email address for the delivery company outside of the scam email or scam text, and ask them about your package there.

In particular, victims run the risk of clicking on an embedded link that allegedly leads to the DHL tracking page or to the confirmation of the parcel sending transaction. This is the worst possible thing to do, though. The URL actually downloads a booby-trapped ZIP archive. This archive contains a file with the .js extension, which denotes the JavaScript format. Files of this type have gained notoriety for distributing malicious software, because once executed they can covertly download additional components onto a target computer. For instance, the infection can be the JS/Nemucod virus, which in turn delivers file-encrypting ransomware.

Given these facts, when an email from DHL Express is received, be sure to treat it with a reasonable degree of paranoia. Scrutinize the details of the notification and think twice before clicking any links in it. In case the malicious item is already inside, follow the instructions below to identify the threat and eradicate it from the machine.

Scan your PC for DHL email scam related viruses

The links in rogue DHL emails may point to drive-by downloads and exploit kits. To ascertain that no malware ended up inside your computer this way, consider checking it for all types of infections. The recommended software can quickly locate threats, eradicate them and remediate all harmful changes. So go ahead and do the following:

1. Download and install the antimalware tool. Open the solution and have it check your PC for PUPs and other types of malicious software by clicking the Start Scan button.


2. Rest assured the scan report will list all items that may harm your operating system. Select the detected entries and click Resolve found threats to get the troubleshooting completed.
