Your DHL parcel as a door opener for fraud attempts: About crypto-stealers, keyloggers and document uploaders


Reading time: minutes ( words)

How does the DHL malspam campaign work?

In the DHL malspam campaign, cybercriminals send messages to their victims by email or SMS informing them about a DHL parcel supposedly waiting at the post office or a failed delivery attempt. The message further states that quick action is required, otherwise no parcel delivery will be possible and the shipment will be returned to the sender. To prevent this, the message asks the recipient to provide information in a document to enable delivery. This document is either available as an attachment in the email or the SMS links to a website. Anyone who downloads and opens the file or visits the website behind the link downloads a crypto-stealer that installs itself on the system.

Why do so many consumers fall for fake DHL notifications?

There are two main reasons why many consumers fall for the cybercriminals' scam. The first is trust in a brand like DHL. This is also due to the fact that there are indeed genuine notifications from the logistics company via SMS or email. Since it is now part of everyday life for most people to receive a parcel via DHL, such messages are also not unusual. Even those who are not expecting a parcel may be curious and want to know what kind of parcel is supposedly waiting for them.

On the other hand, the cybercriminals in the DHL malspam campaign always pretend that quick action is required. For example, the messages indicate that the parcel will be returned to the sender in the next two days if there is no reaction. Some consumers allow themselves to be pressured by such a message and follow the instructions in the mail for fear of losing a parcel.

One trick of the criminals (which also gives an important clue that the message is fake) is that no consignment number is given with the messages. In this way, it is not possible for the recipient to trace which parcel it supposedly is. Tracking via the real DHL website is also not possible. This tempts the recipient of the message to follow the link in the mail or SMS. The fake DHL notifications also look deceptively real. The criminals use the original logo of the logistics company DHL in the mails. At first glance, the message thus appears authentic and trustworthy.

How can consumers recognise fake DHL notifications?

First and foremost, it is important that consumers are suspicious of any notification. For example, if you are not expecting a parcel, you will not receive an email from DHL. Unfortunately, many consumers act impulsively and curiosity prevails in such situations. That is why many recipients open messages from cybercriminals and want to find out what the mail or SMS is all about.

With e-mails, it is comparatively easy to check the origin. However, it is important to know how to check this. Most e-mail providers do not show a mail address as the sender in the overview, but a description. Cybercriminals like to use trustworthy descriptions in their e-mails, such as "DHL Service" or simply "DHL". However, this description is easy to edit and does not allow any conclusions to be drawn about the actual sender. However, if you move the mouse over the description, the actual sender is displayed. Then, the alleged DHL message is revealed to be a mail from a foreign address with no connection to DHL.

In the case of a text message, it is initially more difficult to get any clues about the sender. A sure sign of a fraud attempt, however, are telephone numbers from abroad. These can be identified by the area code. In addition, fake DHL notifications lack a reference to a specific parcel number. Instead, a link is placed in the message that leads the recipient to a dubious website. The fraudsters also like to use URL shortening services such as to disguise the actual address. DHL does not use such services and always links directly to its own website.

What malware is hidden in the fake DHL notifications?

The cybercriminals have placed a crypto-stealer in the fake DHL notifications. This is no stranger to IT security experts and has the name "BluStealer". The crypto-stealer combines several functions and is therefore particularly dangerous. First, the malware steals contact addresses and telephone numbers from the address book of the infected system. The crypto-stealer automatically sends itself to these addresses and also uses the fake DHL notifications as message content.

The crypto-stealer is then able to steal login information from the infected systems. The malware then sends this to the cybercriminals, who thus take control of the so-called digital wallet. A digital wallet is the wallet of cryptocurrencies that various providers make available on the internet. It is confirmed that the crypto-stealer steals the login data of numerous wallet providers. Among others, ArmoryDB, Bytecoin, Jaxx Liberty, Exodus, Electrum, Atomic, Guarda or Coinomi are affected.

Likewise, the DHL malspam campaign is not limited to a specific cryptocurrency. The focus is, of course, on Bitcoin due to its high value. However, the crypto-stealer also has Ethereum, Monero and Litecoin in its sights.

A clever function of BluStealer is to replace crypto addresses in the clipboard with the address of the criminal's wallet. Those who initiate a payment with Bitcoin or another cryptocurrency usually use the copy function of the operating system to do so. This is due to the length and complexity of these addresses. Most such crypto addresses consist of 26 to 35 alphanumeric characters. From this typical length and composition, the crypto-stealer recognises that it is a crypto-address. Unless the user is then extremely vigilant and notices that the address has changed during copying, he initiates and confirms a crypto payment to the criminals. Such payments cannot be reversed with cryptocurrencies.

What is the scope of the DHL malspam campaign and who is affected?

Since the crypto-stealer has the ability to send itself, the spread of the malware is increasing rapidly. Thus, the cybercriminals are constantly gaining new telephone numbers and contact addresses. Particularly affected by the DHL Malspam campaign are the USA, Argentina and Turkey, as well as Italy, Greece, the UK and Spain in Europe. However, numerous consumers in Germany and France have also come forward and report receiving fake DHL notifications.

The crypto-stealer is causing considerable damage. By the beginning of November, 4.0496 Bitcoins had been received on one of the Bitcoin addresses that can be clearly attributed to the organisers behind the DHL malspam campaign. At a rate of around 53,000 euros per Bitcoin, the criminals have thus captured at least 214,000 euros. The number of unreported cases is probably even higher, because the crypto-stealer also sends the cryptocurrencies to other wallets.

What measures offer protection against crypto-stealers?

There are various methods to protect against such attacks as in the current DHL malspam campaign. In this particular case, where cryptocurrencies and the digital wallets are the target, a hardware wallet helps to prevent the theft. Here, the cybercriminals do not have the opportunity to take control of the device and the cryptocurrencies stored on it. At the same time, the system used to open the email or SMS is still infected, which enables other fraud activities.

The most important protective measure is therefore to exercise maximum distrust and caution with all incoming messages. Every message should first be treated as untrustworthy. Links in messages are fundamentally dangerous, especially if it cannot be determined with absolute certainty which page they lead to. Clicking on such links to test them is highly dangerous and in many cases already leads to the infection of one's own system. Therefore, links in dubious messages as well as file attachments should always be ignored.

If you want to check the status of a shipment, you can do so directly via the DHL website. This can also be found without a link in a message. Shipment tracking is possible, for example, via If a specific shipment number is missing from the text message or email, the message is certainly not from DHL. The logistics company always adds the corresponding consignment number to the parcel notifications. This is what makes tracking possible in the first place. It is also important to keep your operating system up to date. Security updates for the operating system and the browser must be installed immediately. This also applies to the smartphone, which is also vulnerable to fake DHL notifications and malware. The use of a virus protection programme is also mandatory. If you don't want to spend money on such software, you can find good free alternatives from many providers.


In essence, the cybercriminals' approach to the current DHL malspam campaign is old hat. For some time now, attackers have been using fake messages to try to tempt the recipient into interacting with an infected document or a compromised website under time pressure. However, it is becoming apparent that the attackers are becoming increasingly savvy and perfecting their attack techniques.

The times when fake messages were immediately recognisable due to many spelling mistakes and false logos are over. The fake DHL notifications look visually authentic, which makes them all the more dangerous. The malware that the attackers have integrated into the DHL malspam campaign is also dangerous. The crypto-stealer focuses on Bitcoin and other digital currencies. Here, the cybercriminals take advantage of the growing popularity of cryptocurrencies. More and more people are investing in and using Bitcoin without knowing exactly about the peculiarities of cryptocurrencies. At the same time, the value of Bitcoin is almost at an all-time high. This makes the digital currency particularly worthwhile for attackers.

Investigating authorities are usually powerless in cases of fraud with cryptocurrencies, because the system is completely anonymous. Even confirmed transactions cannot be reversed. This is what makes the DHL malspam campaign so dangerous.

How do you protect your company from malspam campaigns? Contact us!

By clicking on the "Submit" button, you confirm that you have read our privacy policy. You give your consent to the use of your personal data for the purpose of contacting you by Allgeier secion, Zweigniederlassung der Allgeier CyRis GmbH.

* Mandatory field

Go back