This is a DHL impersonation phishing page.

It is also a good reminder that a phishing page does not need to look amazing to work. It just needs to feel familiar for a minute or two.

The URL is:

https://uzertaw[.]store/account/up/account/d/d

On April 4, 2026, the live URL redirected from that path to a trailing-slash version, then to check.php, and then to details.php?lang=. The page shell, colors, footer, and logo all try to pass as DHL. The same template also responds to details.php?lang=en, which makes the form labels readable and shows what the attacker is actually after.

https://uzertaw[.]store/account/up/account/d/d
Captured DHL-themed phishing page on uzertaw.store

Screenshot of the DHL-themed phishing page. The attacker uses a DHL-branded shell and a centered modal to make the form feel like a normal delivery or billing step.

The first problem is simple: this is not a DHL domain

The page uses DHL branding, DHL colors, DHL footer links, and a DHL-style layout. But the host is uzertaw[.]store.

That alone should stop the review.

Real DHL pages should live on DHL-controlled domains, not on a random .store host with no obvious connection to the company. The .store TLD is not the issue by itself. The mismatch is.

The path and redirect chain are doing social-engineering work too

The path is:

/account/up/account/d/d

It looks messy, but that is part of the trick. To a normal user, it can pass as some internal account flow or one of those ugly delivery-portal URLs nobody enjoys reading.

Then the page redirects through:

  • .../account/up/account/d/d
  • .../account/up/account/d/d/
  • .../check.php
  • .../details.php?lang=

None of that makes it legitimate, obviously. But it does make the flow feel routine. "Check" and "details" sound boring. Boring is good for scammers. A rushed user starts thinking they are just fixing a delivery problem.

The form is designed to feel administrative

With lang=en, the page shows a form labeled Step 1 and Billing information. The fields include:

  • First name
  • Last name
  • Date of birth (DD/MM/YYYY)
  • Phone number
  • Address
  • City
  • Zip code

That is one of the more effective choices in this kit. It does not open with a password box. It starts with personal details that feel bureaucratic, annoying, and still plausible in the context of a shipping problem.

That is how a lot of these scams work. They do not open with the scariest ask. They start with something a rushed user can talk themselves into:

"Maybe they need my address again."

"Maybe there is a customs issue."

"Maybe this is some billing verification step."

The form posts to a local handler on the same phishing host:

./Asstes/php/config/func.php

So this is not a DHL workflow at all. The data is being collected directly by the attacker-controlled site.

"Step 1" is one of the biggest manipulation cues on the page

Calling it Step 1 is smart social engineering.

Multi-step flows are normal for shipping, billing, and identity checks. So the label helps the page feel legitimate before the user slows down long enough to check the domain.

It also builds momentum. Once someone starts typing and clicks continue, the next ask feels easier to accept. That is a very common phishing pattern: get a little compliance first, then ask for more.

The layout is built to keep the user focused on the form

The captured page uses a dimmed background, a centered white modal, and a large red continue button. The bundled stylesheet confirms that the form is presented in a full-screen overlay through .wrapper_details.

That kind of layout works because it narrows attention. The user looks at the form, not the domain, not the broken footer markup, and not the bigger question of why a shipping company wants their date of birth.

It does not need to be beautiful. It just needs to keep the person moving.

The kit looks built for more than just one form

A few parts of this are directly visible:

  • the page is branded as DHL
  • the readable lang=en version shows a Step 1 billing-information form
  • the form posts to a local PHP endpoint on the phishing domain

Other parts are inferred from the bundled stylesheet and page assets:

  • a card-related stage in .wrapper_card
  • an email stage in .wrapper_em
  • an additional app or verification step in .wrapper_app
  • a fake success screen in .wrapper_success

There are also card-oriented class names like type_payme, infos_pysss, and ver, plus success-state styling with progress and confirmation UI.

That does not prove every victim sees every step, but it strongly suggests a multi-step harvest kit. The likely flow is personal details first, then payment details, then maybe some kind of email or app verification, and finally a fake success screen.

The page is sloppy, and that matters

There are several obvious mistakes in the source:

  • Asstes is misspelled in asset paths
  • the meta tag uses discription
  • the footer includes broken markup like DHL for Business/li

Those are useful clues for defenders because they point to a cloned or rushed template. But they are also a reminder that phishing pages do not need to be perfect. A distracted user on a phone, especially one already worried about a package, may not notice any of it.

That is the bigger point. The scam is not leaning on craftsmanship. It is leaning on familiar branding, low-grade urgency, and the fact that delivery problems already feel believable.

Why users get tricked by pages like this

People are used to shipping delays, address checks, customs fees, and vague billing issues. They are also used to ugly web portals.

So a page like this does not need to sell some wild story. It just needs to look close enough to a normal inconvenience.

That is why delivery-brand phishing keeps working. It fits inside a problem users already think could happen.

Final takeaway

This URL has several strong phishing signals all at once:

  • a non-DHL domain using DHL branding
  • a path and redirect chain that make the flow feel procedural
  • a fake Step 1 billing form collecting personal information
  • a local form handler on the phishing host
  • strong signs of a multi-step kit designed to move from personal data into payment and verification capture

This is exactly the kind of page LinkShield is built to catch. If you want to inspect suspicious URLs, follow the redirect chain, and review pages like this before someone clicks too far, sign up for LinkShield.