From bicycles to couches and now malware, Craigslist has it all. Phishing emails abuse Microsoft OneDrive and alert users that their ads contain “inappropriate content.”
Phishing Emails Plaguing Craigslist
Earlier this month, attackers abused the website’s internal email system to send users fraudulent messages that spread malware. The emails warned recipients that one of their posts contained inappropriate content and violated Craigslist’s terms and conditions, then offered bogus instructions on how to keep the account from being deleted.
Security firm INKY found that the email’s HTML had been altered to carry a button linking to a customized document hosted on Microsoft OneDrive, which in turn led to a malware download. The lure posed as big companies, such as DocuSign, Norton, and Microsoft. Because the messages were relayed through Craigslist’s own mail system rather than sent from a forged address, they also passed standard email authentication checks (SPF, DKIM and DMARC), which verify the sending domain and say nothing about the content of the message.
“Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors,” the researchers wrote in a blog post this week.
Taking Advantage Of User Anonymity
Craigslist’s internal email system allows potential buyers and sellers to communicate anonymously. INKY’s report said that the scammers exploited the system in order to send legitimate-looking phishing emails to users who had posted ads on the website.
Potential victims’ inboxes were most likely already flooded with random inquiries relayed by the system, so the fraudulent messages blended in easily.
“Craigslist knows the identities of everyone, but unless a correspondent discloses details, they are perfectly anonymous to others on the system,” the INKY report said. “This situation suits phishers just fine. They can shoot their poisoned arrows from behind a local mail proxy. And shoot they did — a number of times in early October.”
The phishing emails impersonated Craigslist and were styled as a notice that the recipient’s ad contained inappropriate content. The message then threatened to delete the account unless the recipient filled out a form, reached through a poisoned link.
Flagging ‘Inappropriate Content’
“Our platform’s content publishing policy explicitly prohibits inappropriate content, your ad has received many red flags,” the email said. “A more detailed description of the problem is available in this form. It will be available 24 hours.”
Clicking on the “form” button directed targets to a Microsoft OneDrive document, INKY explained.
“It appears as if bad actors were able to manipulate the email’s HTML to create that button and link it to OneDrive,” the researchers added. “Hovering over the link revealed a Russian domain (myjino[.]ru).”
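The tell INKY describes here, a Craigslist notice whose button resolves to a host that is not Craigslist, is mechanical enough to check automatically. The Python below is an added example, not INKY’s tooling or anything from the report: it parses an email body, extracts every link with its visible text, and flags links whose registrable domain is outside the domains the impersonated brand actually uses. The sample HTML is constructed to mirror the quoted lure, the OneDrive URL in it is a placeholder rather than the campaign’s real link, and the allow-list `CLAIMED_BRAND_DOMAINS` is an assumption for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the impersonated brand legitimately links to. Assumption for this
# example; a production rule would carry the organisation's own allow-list.
CLAIMED_BRAND_DOMAINS = {"craigslist.org"}

# Constructed sample mirroring the lure quoted in the INKY report. The
# OneDrive URL is a placeholder, not the campaign's real link.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Our platform's content publishing policy explicitly prohibits inappropriate
content, your ad has received many red flags.</p>
<p>A more detailed description of the problem is available in this
<a href="https://onedrive.live.com/redir?resid=CONSTRUCTED">form</a>.
It will be available 24 hours.</p>
<p>Questions? <a href="mailto:help@craigslist.org">Contact us</a> or
<a href="https://accounts.craigslist.org/login">manage your account</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def registrable_domain(host):
    """Naive 'last two labels' approximation. Real code should consult the
    Public Suffix List so that hosts under e.g. co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def off_platform_links(html, brand_domains):
    """Return links whose host falls outside the brand's domains: the
    'mixing of platforms' red flag. mailto: and relative links have no
    host and are skipped."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if domain not in brand_domains:
            findings.append({"text": text, "href": href, "domain": domain})
    return findings


def analyze_sample():
    """Run the check over the constructed sample; flags only the 'form' button."""
    return off_platform_links(SAMPLE_EMAIL_HTML, CLAIMED_BRAND_DOMAINS)


if __name__ == "__main__":
    for hit in analyze_sample():
        print(f"suspicious link '{hit['text']}' -> {hit['domain']} ({hit['href']})")
```

The check deliberately compares the link target against the brand the mail claims to be from rather than against a blocklist, which is why it still fires when the target is a reputable host such as OneDrive that no threat-intelligence feed would list.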
Clicking the URL silently started the download of a .ZIP archive containing a macro-enabled spreadsheet that delivered the malware. According to INKY, the document asked the user to click “Enable Editing” and then “Enable Content.” Those two prompts are not filters to be sneaked past but the user-facing half of Microsoft Office’s defenses: the first takes the file out of Protected View, and the second allows the embedded macros to run.
“The spreadsheet impersonated DocuSign and also used Norton and Microsoft logos to imply that the file was safe,” according to the report. “DocuSign does not in fact have a service called ‘DocuSign Protect Service.’”
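The delivery vehicle described above, a ZIP wrapping a macro-enabled spreadsheet, can be spotted at the mail gateway before anyone sees an “Enable Content” prompt. The Python below is an added example and not INKY’s tooling or anything from the report: it builds a constructed ZIP holding a clean `.xlsx` and a macro-bearing `.xlsm` (stub parts only, no real macro code) and reports which embedded Office documents carry a VBA project. It looks for both the `vbaProject.bin` part and the VBA content type in `[Content_Types].xml`, so renaming `.xlsm` to `.xlsx` does not hide the macros. File names such as `form.xlsm` are assumptions for the sample, not names from the campaign.

```python
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
XLSX_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
XLSM_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"


def ooxml_has_vba(data):
    """True if an Office Open XML file (xlsx/xlsm/docm/...) carries a VBA
    project. Checks both the part name and the content-type manifest, so a
    renamed extension does not hide the macros. Non-ZIP input is not OOXML."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            names = doc.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                manifest = doc.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        pass
    return False


def scan_zip_attachment(data):
    """Walk an outer .ZIP and report every embedded Office document with
    whether it contains macros. OOXML files are themselves ZIP containers,
    so members that are not ZIPs are skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            inner = outer.read(info.filename)
            if not zipfile.is_zipfile(io.BytesIO(inner)):
                continue
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "has_vba": ooxml_has_vba(inner),
            })
    return findings


def _minimal_ooxml(with_vba):
    """Constructed stand-in for a workbook: just the parts the check needs."""
    main_type = XLSM_MAIN if with_vba else XLSX_MAIN
    overrides = [f'<Override PartName="/xl/workbook.xml" ContentType="{main_type}"/>']
    parts = {"xl/workbook.xml": b"<workbook/>"}
    if with_vba:
        overrides.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        # OLE compound-file magic followed by padding; no actual macro code.
        parts["xl/vbaProject.bin"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", manifest)
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed outer ZIP: a text file, a clean workbook, a macro workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", "Open the form to review the complaint.")
        z.writestr("notes.xlsx", _minimal_ooxml(with_vba=False))
        z.writestr("form.xlsm", _minimal_ooxml(with_vba=True))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_attachment()):
        print(f"{f['name']}: {f['size']} bytes, macros={'YES' if f['has_vba'] else 'no'}")
```

Anything this flags should be handed to a macro analysis tool such as olevba from the oletools project to recover the VBA source and see what the “Enable Content” click would actually have run.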
When INKY researchers tried to run the malware, the download location returned a 404 error. The payload may already have been taken down, either by the attackers after realizing the campaign had been spotted or by the hosting provider.
However, the team warned that the campaign could have been used to deliver any of several payloads: a remote access tool, ransomware, an information stealer, or a keylogger.
INKY advised Craigslist users to be cautious of any suspicious emails.
“Another red flag is the mixing of platforms,” the analysts said. “It doesn’t make sense to resolve a Craigslist issue through a document uploaded to OneDrive.”