DPD Phishing Kit 1550321

Detects a DPD phishing kit using the same fake parcel ID to lure victims in, additionally reuses the same file names and paths for various kit assets.

References

Recent Detections

hxxps://verify-bill[.]link/

urlscan.io
hxxp://dpd[.]uk-orders[.]info/

urlscan.io
hxxp://s[.]id/1tjfy

urlscan.io
hxxp://dpd[.]view-orders[.]link/

urlscan.io
hxxp://deiiverytrack[.]link/

urlscan.io
hxxp://dpd[.]item-order[.]link/

urlscan.io
hxxp://myorders[.]hopp[.]to/78922

urlscan.io
hxxp://dpd[.]trackorder[.]link/

urlscan.io
hxxp://dpd[.]order-id[.]link/

urlscan.io
hxxp://dpd[.]tracking-parcels[.]link/

urlscan.io

IOK Rule (edit)

title: DPD Phishing Kit 1550321
description: |
    Detects a DPD phishing kit using the same fake parcel ID
    to lure victims in, additionally reuses the same file names
    and paths for various kit assets.
    
references:
    - https://urlscan.io/result/af837161-2414-49fd-983b-e9dda042f2a5
    - https://urlscan.io/result/7d7c846c-afa3-4a7e-b1da-4df34e64c71c
    - https://urlscan.io/result/46c15b10-755a-4c00-8da3-60fe1dbcc126
    - https://urlscan.io/result/99908906-522d-4450-9d62-04348fb88432

detection:

    fakeParcelID:
      html|contains: 'Parcel details (15503215866135)'

    siteStyleSheet:
      requests|contains: 'parse/real.css?'

    logoAsset:
      requests|contains: 'dpd_group_82x22.png'
    

    condition: fakeParcelID and siteStyleSheet and logoAsset

tags:
  - target.dpd