Hackers May Have Compromised Craigslist's Email System, Watch Out For Phishing Scams
One feature on Craigslist is the ability to send a message through its mailing system without revealing your identity to the recipient. INKY, a cloud-based security platform, recently uncovered a phishing email campaign in which hackers sent emails to Craigslist users. Several users reported receiving an email earlier this month stating that one of their published ads contained “inappropriate content” and therefore violated Craigslist’s terms and conditions.
Users were instructed to click on a big, purple button labeled “form for filling and signing” to rectify the issue. Hackers linked the button to a OneDrive document that contained a download link. Users were then told to download from the link, fill out a form, and email it to “firstname.lastname@example.org.” The link did not lead to a legitimate legal form from Craigslist. Instead, it prompted a .ZIP file download. INKY noted that, “Uncompressing the file revealed a macro-enabled spreadsheet named ‘form_1484004552-10012021.xls’, a document that had already been flagged by security vendors.” Users who clicked on “Enable Editing” and “Enable Content” when prompted unintentionally welcomed the malware into their system.
INKY confirmed that there was “malicious activity in a malware sandbox.” However, the firm also noted the malware failed when it attempted to make external connections. INKY believes that this failure was due to an oversight on the part of the hackers. It is also possible that the external malicious content has been uncovered and removed by the hosts.
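For defenders, the delivery chain described above (a ZIP download wrapping a macro-enabled spreadsheet) can be triaged before anyone opens the file. The following is an added example, not code from INKY or Craigslist: a heuristic check that flags archive members carrying a VBA project, generalized to cover both legacy `.xls` files and newer `.xlsm`-style files. All function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # header of legacy .xls/.doc files
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # VBA storage name as stored on disk
MAX_MEMBER = 20 * 1024 * 1024                    # skip oversized members (zip-bomb guard)


def has_macros(data: bytes) -> bool:
    """Heuristic: does this Office file carry a VBA macro project?
    Does not detect legacy Excel 4.0 (XLM) macros, which have no VBA project."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: storage and stream names are UTF-16LE strings.
        return VBA_MARKER in data
    if data.startswith(b"PK"):
        # OOXML (.xlsm/.docm) is itself a ZIP; macros live in vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                return any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_zip(blob: bytes) -> list[str]:
    """Return names of archive members that look like macro-bearing Office files."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: contents cannot be inspected, so surface it.
                flagged.append(info.filename + " (encrypted)")
                continue
            if has_macros(zf.read(info)):
                flagged.append(info.filename)
    return flagged


def build_sample() -> bytes:
    """Constructed, harmless sample: OLE header plus a VBA storage name, no real macro."""
    fake_xls = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("form_sample.xls", fake_xls)
        zf.writestr("readme.txt", "plain text")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```

A hit here is a reason to quarantine the attachment and hand it to a dedicated macro analyzer, not a verdict on its own.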
This phishing campaign was especially confusing for a few reasons. First, the hackers attempted to legitimize their files by incorporating the logos of DocuSign, Norton, and Microsoft. Second, the phishing email genuinely came from a Craigslist email address. The hackers abused Craigslist's existing system.
It is important to note Craigslist has not confirmed whether or not this phishing campaign occurred. The information provided above is therefore largely from INKY and independent reports. The report is nevertheless concerning and is a reminder for users to keep an eye out for malicious actors.