UPDATED 06:00 EST / OCTOBER 26 2021


New phishing attack targets Craigslist users with fake violation notifications

A new and unusual phishing attack has been found that targets Craigslist Inc. users with fraudulent violation notifications.

Detailed today by researchers at Inky Technology Corp., the new phishing attack involves attackers manipulating the Craigslist email system. The attacks were discovered earlier this month when several Inky users received real Craigslist email notifications informing them that a published ad of theirs included “inappropriate content” and violated Craigslist’s terms and conditions. The notifications gave false instructions on how to avoid having their accounts deleted.

Where the phishing attack becomes interesting is that the notifications were “real” in the sense that they really did come from a Craigslist domain, but fake in the sense that Craigslist itself, whether its people or its systems, never intended to send them. The researchers noted that without verification they can’t be sure, but it appears as if Craigslist was compromised, because the recipients were not random: the victims were specifically users who had posted ads, and the emails originated from Craigslist itself.

The content of the emails, however, was not legitimate. The text tells users they must edit the ad and fill out a form linked from the email via a large purple button, then send the details to Craigslist. Once users click the button, they’re taken to a customized document uploaded to Microsoft OneDrive.

“The phishers were able to manipulate the Craigslist email system to send a fake violation notification to that individual,” the researchers explained. “Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors.”

The button, unsurprisingly, was not what it appeared to be. The researchers explained that the attackers manipulated the email’s HTML so that the button appeared to lead to OneDrive while its actual link pointed to a Russian domain.

The link immediately downloads a zip file that, when uncompressed, contains a macro-enabled spreadsheet carrying a malicious payload. Opening the spreadsheet causes the malware to create and modify files and to attempt external connections in order to download further components and exfiltrate data.

The researchers noted that recipients should always be on the lookout for unusual requests. Red flags include violation notices that don’t correspond to the user’s behavior and a mixing of platforms: Craigslist wouldn’t use a document uploaded to OneDrive.

“Recipients should also be suspicious about the indirect way they are being asked to sign the form,” the researchers added. “Proper protocol would have the form attached directly to the email rather than requiring a trip up to OneDrive and an additional link-click there.”

Image: Dedwox/Wikimedia Commons
