A new malware distribution campaign has begun to be noticed in Spain in the last few hours. Through a text message, those responsible impersonate the logistics company DHL to notify the recipient of the imminent arrival of a shipment:
“DHL: Your package is arriving, track it here: [web page that imitates the courier company's site]”
As in the intense campaign that impersonates Correos, under the pretext of letting us track the arrival of the package, the SMS invites us to visit an address from which to download an Android application. This app is not a parcel tracking service but a banking trojan.
The campaign follows the same steps as the one that supplanted Correos
After using the Correos theme for a month, the actors now use the DHL theme too to target Spanish people:
From: https://dhl-cdn[.]website/index/ -> https://dhl-cdn[.]website/index/DHL.apk @JosepAlbors @danlopgom pic.twitter.com/VVr4IQQZoN
– MalwareHunterTeam (@malwrhunterteam) January 22, 2021
Days ago, coinciding with the latest DGT impersonation by email, MalwareHunterTeam tweeted that those behind the campaign impersonating the Spanish public company now intended to use the DHL name as well. To that end, they already held several domains with which they were presumably going to pose as the logistics company.
The warning, issued last Friday, has not taken long to come true. As can be seen on social networks, the SMS messages use a strategy practically copied from the one used in the campaign that impersonated Correos.
If users fall into the trap, not suspecting that the text message was never actually sent by the company in question, they will first land on a website bearing the DHL logo that explains how to download, outside the usual recommended channels, the application that will supposedly let us track the shipment.
The first recommendation is to be suspicious of this type of SMS, especially if we are not expecting any package. The second is to try to confirm the information by other means before doing anything. And the third, always applicable: do not install applications from outside the Google Play Store.
This application, as is to be expected with malware, is not available on Google Play; to install it you need to download the APK offered by the fraudulent website and enable the Unknown sources option on Android, as the site's instructions explain. Something not to do, of course.
If the system's security warnings are heeded at no point in the process, the result is that our device will be infected by a banking Trojan which, according to the analysis carried out by ESET, can among other things intercept SMS messages such as those our bank sends when logging into online banking, access our contacts, or steal credentials.
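As an added illustration (not part of the original article or of ESET's analysis), the following Python function applies the two checks the article's advice boils down to: does a courier-branded SMS link to a domain the brand actually owns, and does the link hand out an Android package? The brand-to-domain table and the sample messages are assumptions constructed for this example; the defanged domain is the one quoted in the tweet above.

```python
"""Flag parcel-tracking smishing SMS like the DHL/Correos lure described above."""
import re
from urllib.parse import urlsplit

# Assumed for this example: domains legitimately operated by each impersonated brand.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.es"},
    "correos": {"correos.es"},
}

# Matches plain or defanged (hxxp, [.]) URLs as they appear in SMS text or IoC feeds.
URL_RE = re.compile(
    r"\b(?:h[xt]{2}ps?://)?(?:[a-z0-9-]+(?:\.|\[\.\]))+[a-z]{2,}(?:/\S*)?", re.I
)


def refang(url: str) -> str:
    """Turn a defanged indicator back into a parseable URL."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url


def registered_domain(url: str) -> str:
    """Cheap eTLD+1 approximation: the last two labels of the host."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def classify_sms(text: str) -> dict:
    """Return the claimed brand, the links found, and why the SMS looks like a lure."""
    lowered = text.lower()
    brand = next((b for b in BRAND_DOMAINS if b in lowered), None)
    links = [refang(m.group(0)) for m in URL_RE.finditer(text)]
    reasons = []
    for link in links:
        dom = registered_domain(link)
        if brand and dom not in BRAND_DOMAINS[brand]:
            reasons.append(f"{brand} lure links to non-{brand} domain {dom}")
        if link.lower().endswith(".apk"):
            reasons.append(f"link delivers an Android package: {link}")
    return {"brand": brand, "links": links, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: the lure from the article, with the tweet's defanged domain.
    print(classify_sms("DHL: Your package is arriving, track it here: hxxps://dhl-cdn[.]website/index/DHL.apk"))
```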