© 2021 CyberNews - Latest tech news,
product reviews, and analyses.

Malicious hackers exploit Craigslist to spread malware


Craigslist, that old-fashioned website people still use to find things locally — and urgently — has become the latest phishing vector, new research suggests.

Mail protection company INKY discovered a new phishing campaign in which threat actors manipulate Craigslist's email system to send fraudulent violation notifications, spreading malware hosted on an abused OneDrive page that impersonates major brands like DocuSign, Norton, and Microsoft.

In early October, several INKY users received real Craigslist email notifications informing them that a published ad of theirs included “inappropriate content” and violated Craigslist’s terms and conditions. The notifications gave false instructions on how to avoid having their accounts deleted.

However, if a recipient tried to rectify this supposed problem by clicking on the big purple button, they were taken to a customized document uploaded to Microsoft OneDrive. It appears as if bad actors were able to manipulate the email’s HTML to create that button and link it to OneDrive. Recipients were then instructed to use the “Download” link on OneDrive to fill out the form and return it to [email protected]

Clicking on the link automatically downloaded a zip file, and uncompressing the file revealed a macro-enabled spreadsheet.

The spreadsheet impersonated DocuSign and also used Norton and Microsoft logos to imply that the file was safe. Users who clicked on “Enable Editing” and “Enable Content” bypassed Microsoft Office security controls and allowed the macros to be executed.

INKY researchers confirmed malicious activity in a malware sandbox. Files were created and modified. The malware also attempted to make external connections to download more components or exfiltrate data, but received a “404 not found” error.

The error was likely due to a mistake on the part of the bad actors, or it's possible that the malicious content was discovered on those hosts and had already been taken down.

If this attack had been successful, some of the possible outcomes could have been:

* The installation of a remote access tool;

* A full-blown ransomware attack;

* The launching of Emotet to compromise an email account and use it to spam other recipients;

* The exfiltration of saved login credentials from a browser; or

* The installation of a keylogger.

Be suspicious

Recipients should be on the lookout for unusual requests. A red flag ought to go up right away if a violation notice comes in that doesn’t correspond to any recipient behavior on the platform in question.

Another red flag is the mixing of platforms. It doesn’t make sense to resolve a Craigslist issue through a document uploaded to OneDrive.

Recipients should also be suspicious about the indirect way they are being asked to sign the form. Proper protocol would have the form attached directly to the email rather than requiring a trip up to OneDrive and an additional link-click there.
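
The "mixing of platforms" red flag can also be checked automatically at the mail gateway. The sketch below is an added example, not INKY's or Craigslist's code: it parses a message, collects the links in its HTML body, and reports any that point to a file-sharing host outside the sender's own domain. The host list, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, illustrative list of file-sharing hosts; tune it for your environment.
FILE_SHARING = ("onedrive.live.com", "1drv.ms", "sharepoint.com")

class LinkCollector(HTMLParser):  # gathers href targets of <a> tags
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def host_in(host, domain):  # True if host is the domain or one of its subdomains
    return bool(domain) and (host == domain or host.endswith("." + domain))

def platform_mismatches(raw_email):
    """Return links to file-sharing hosts that lie outside the sender's domain."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", errors="replace")
        collector = LinkCollector()
        collector.feed(html)
        for link in collector.links:
            host = (urlsplit(link).hostname or "").lower()
            if host_in(host, sender):
                continue  # link stays on the sender's own platform
            if any(host_in(host, d) for d in FILE_SHARING):
                findings.append(link)
    return findings

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: Notices <noreply@listings.example>
Content-Type: text/html; charset="utf-8"

<a href="https://listings.example/about/terms">Terms of use</a>
<a href="https://onedrive.live.com/download?id=PLACEHOLDER">Review form</a>
"""
print(platform_mismatches(SAMPLE))
```

A hit is a signal for review rather than a verdict, since legitimate senders also share files through these services.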

