A new form of unique phishing attack has been found that targets users on Craigslist Inc. with fraudulent violation notifications.

Detailed today by researchers at Inky Technology Corp., the new phishing attack involves attackers manipulating the Craigslist email system. The attacks were discovered earlier this month when several Inky users received real Craigslist email notifications informing them that a published ad of theirs included “inappropriate content” and violated Craigslist’s terms and conditions. The notifications gave false instructions on how to avoid having their accounts deleted.

Where the phishing attack becomes interesting is that the notifications were “real” in the sense that they really did come from a Craigslist domain, but they were fake in the sense that Craigslist itself, either its humans or its machines, did not intend to send them. The researchers noted that without verification, they can’t be sure, but it appears as if Craigslist was compromised because the recipients were not random: The victims were targeted users who had posted ads and the emails originated from Craigslist itself.

The emails, however, were not so legit. The text notes that users must edit the ad and fill out a form linked in the email through a big purple button, then send the details to Craigslist. Once users click on the button, they’re taken to a customized document uploaded to Microsoft OneDrive. 

“The phishers were able to manipulate the Craigslist email system to send a fake violation notification to that individual,” the researchers explained. “Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors.”

The button, not unsurprisingly, was not as it appeared. The researchers explained that the attackers were able to manipulate the email’s HTML to make the button appear to go to OneDrive but instead goes to a Russian domain instead.

The link immediately downloads a zip file that, when uncompressed, includes a macro-enabled spreadsheet with a malicious payload. Engaging with the spreadsheet then leads to the malware creating and modifying files along with it attempting to make external connections to download more components and exfiltrate data. 

The researchers noted that recipients should always be on the lookout for unusual requests. Red flags are violations notices that don’t correspond to user behavior and mixing of platforms; Craigslist wouldn’t use a document uploaded to OneDrive.

“Recipients should also be suspicious about the indirect way they are being asked to sign the form,” the researchers added. “Proper protocol would have the form attached directly to the email rather than requiring a trip up to OneDrive and an additional link-click there.”

Image: Dedwox/Wikimedia Commons