Craigslist, that old-fashioned website people still use to find things locally — and urgently — has become the latest phishing vector, new research suggests.
Mail protection company INKY discovered a new phishing campaign in which threat actors manipulate Craigslist's email system to send fraudulent violation notifications, spreading malware hosted on an abused OneDrive page that impersonates major brands like DocuSign, Norton, and Microsoft.
In early October, several INKY users received real Craigslist email notifications informing them that a published ad of theirs included “inappropriate content” and violated Craigslist’s terms and conditions. The notifications gave false instructions on how to avoid having their accounts deleted.
However, if a recipient tried to rectify this supposed problem by clicking on the big purple button, they were taken to a customized document uploaded to Microsoft OneDrive. It appears as if bad actors were able to manipulate the email's HTML to create that button and link it to OneDrive. Recipients were then instructed to use the "Download" link on OneDrive to fill out the form and return it to [email protected].
Clicking on the link automatically downloaded a zip file, and uncompressing the file revealed a macro-enabled spreadsheet.
The spreadsheet impersonated DocuSign and also used Norton and Microsoft logos to imply that the file was safe. Users who clicked on “Enable Editing” and “Enable Content” bypassed Microsoft Office security controls and allowed the macros to be executed.
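The delivery chain above (a zip archive that unpacks to a macro-enabled spreadsheet) is something a mail gateway or triage script can check for before the file reaches a user's "Enable Content" button. The following is an added example, not INKY's tooling or anything from the article: it opens an attachment zip in memory, flags members with macro-enabled Office extensions, and looks inside each Office Open XML package for a `vbaProject.bin` part, which is where Excel, Word and PowerPoint store VBA. The sample archive is constructed in the code with placeholder bytes in place of a real VBA project.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Office Open XML extensions that are macro-enabled by convention.
MACRO_EXTENSIONS = (".xlsm", ".xlsb", ".docm", ".pptm", ".xltm", ".dotm")
# Any Office Open XML container worth opening to look for a VBA part.
OOXML_EXTENSIONS = MACRO_EXTENSIONS + (".xlsx", ".docx", ".pptx", ".xltx", ".dotx")
# Where an OOXML package keeps its VBA project, per application.
VBA_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def inspect_attachment_zip(zip_bytes: bytes) -> list[Finding]:
    """Return one Finding per zip member that looks macro-enabled or malformed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for name in outer.namelist():
            lower = name.lower()
            reasons = []
            if lower.endswith(MACRO_EXTENSIONS):
                reasons.append("macro-enabled extension")
            if lower.endswith(OOXML_EXTENSIONS):
                data = outer.read(name)
                try:
                    # An OOXML document is itself a zip; list its parts.
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        parts = set(inner.namelist())
                except zipfile.BadZipFile:
                    # The extension claims Office but the bytes are not a package.
                    reasons.append("not a valid OOXML package")
                else:
                    for part in VBA_PARTS:
                        if part in parts:
                            reasons.append(f"contains {part}")
            if reasons:
                findings.append(Finding(name, reasons))
    return findings


def _build_ooxml(parts: dict[str, bytes]) -> bytes:
    """Write a minimal zip package from a mapping of member path to bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for path, data in parts.items():
            z.writestr(path, data)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample: an outer zip holding one 'macro' workbook and one clean one."""
    base = {
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
    }
    # Placeholder bytes stand in for a VBA project; this is not macro code.
    macro_book = _build_ooxml({**base, "xl/vbaProject.bin": b"PLACEHOLDER-VBA"})
    clean_book = _build_ooxml(base)
    return _build_ooxml({"invoice_form.xlsm": macro_book, "readme.xlsx": clean_book})


if __name__ == "__main__":
    for finding in inspect_attachment_zip(build_sample_attachment()):
        print(finding.member, "->", ", ".join(finding.reasons))
```

The extension check alone is not enough: a file can be renamed, so the second check opens the package and looks for the VBA part regardless of what the name claims. Legacy binary formats (.xls, .doc) are not zips and would need a separate OLE parser.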
INKY researchers confirmed malicious activity in a malware sandbox. Files were created and modified. The malware also attempted to make external connections to download more components or exfiltrate data, but received a “404 not found” error.
The error was likely due to a mistake on the part of the bad actors, or it's possible that the malicious content was discovered on those hosts and had already been taken down.
If this attack had been successful, some of the possible outcomes could have been:
* The installation of a remote access tool;
* A full-blown ransomware attack;
* The launching of Emotet to compromise an email account and use it to spam other recipients;
* The exfiltration of saved login credentials from a browser; or
* The installation of a keylogger.
Recipients should be on the lookout for unusual requests. A red flag ought to go up right away if a violation notice comes in that doesn’t correspond to any recipient behavior on the platform in question.
Another red flag is the mixing of platforms. It doesn’t make sense to resolve a Craigslist issue through a document uploaded to OneDrive.
Recipients should also be suspicious about the indirect way they are being asked to sign the form. Proper protocol would have the form attached directly to the email rather than requiring a trip up to OneDrive and an additional link-click there.
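The "mixing of platforms" red flag can be turned into a mechanical check: a genuine notice from a platform should link back to that platform, so any button or link in the message that points somewhere else deserves scrutiny. The following is an added example, not code from the article or from INKY: it extracts every `href` from an HTML email body and reports links whose host is not the claimed platform's domain (or a subdomain of it). The allowed-domain table and the sample notice, including its OneDrive-style button URL, are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: the domains a genuine notice from each platform would link to.
PLATFORM_DOMAINS = {
    "craigslist": {"craigslist.org"},
}


class _LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in order of appearance."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)


def extract_links(html: str) -> list[str]:
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _same_site(host: str, domain: str) -> bool:
    # Match the domain itself or any subdomain of it, never a lookalike suffix.
    return host == domain or host.endswith("." + domain)


def off_platform_links(html: str, platform: str) -> list[str]:
    """Return http(s) links in the body that do not lead back to the claimed platform."""
    allowed = PLATFORM_DOMAINS[platform]
    flagged = []
    for link in extract_links(html):
        parts = urlparse(link)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope for this check
        host = (parts.hostname or "").lower()
        if not any(_same_site(host, domain) for domain in allowed):
            flagged.append(link)
    return flagged


# Constructed sample notice: one legitimate-looking link, one off-platform button.
SAMPLE_NOTICE = """
<html><body>
<p>Your ad violated our terms. Review our
<a href="https://www.craigslist.org/about/terms.of.use">terms of use</a>.</p>
<p><a href="https://onedrive.live.com/example-form" style="background:purple">
Resolve this issue</a></p>
</body></html>
"""


if __name__ == "__main__":
    for link in off_platform_links(SAMPLE_NOTICE, "craigslist"):
        print("off-platform link:", link)
```

On its own this only says the link does not belong to the platform; combined with the other red flags in the article (a notice that matches no activity of yours, and a form that has to be fetched from a file-sharing site rather than being attached) it is a cheap first filter for a mail-triage queue.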