Phishing attack exploits Craigslist and Microsoft OneDrive

A phishing campaign took advantage of the mail relay function on Craigslist, which allows attackers to remain anonymous, Inky says.

phishing-via-internet-vector-illustration-fishing-by-email-spoofing-vector-id665837286.jpg

Image: GrafVishenka, Getty Images/iStockPhotos

Cybercriminals will look for any weakness or limitation in an otherwise legitimate service to help them carry out an attack. That’s true of a new phishing campaign that uses both Craigslist and OneDrive to trick people into installing malware. A report published Tuesday by email security provider Inky describes how this attack tried to play out.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)  

More about cybersecurity

In October, several Inky customers received an email notification allegedly from Craigslist warning them that an ad they had posted included “inappropriate content,” thus violating Craigslist’s terms and conditions. The recipients were given instructions to prevent their accounts from being deleted.

Clicking on a button in the email was supposed to take people to a form document that had been uploaded to an actual Microsoft OneDrive site. Users were told to click on a download link to obtain the form, fill it out, and then send it to an email address of violations@craiglist.org.

craigslist-email-phishing-scam-inky.jpgcraigslist-email-phishing-scam-inky.jpg

Image: Inky

In actuality, clicking on the link downloaded a zip file that, when uncompresssed, triggered a macro-enabled Excel spreadsheet. The spreadsheet spoofed DocuSign and used Norton and Microsoft logos to suggest that the file was safe. Anyone who clicked on the commands for Enable Editing and Enable Content bypassed Microsoft Office security and allowed the macros to be executed.

Triggering the macros in a sandbox environment, Inky found that certain files were created, while others were modified. The malware also tried to connect to other websites to download more components or exfiltrate data. However, these attempts failed, either because the attackers made mistakes in their code or the malicious content had already been discovered and removed.

Had the malware infection been successful, the attackers would have been able to install a remote access tool, install a keylogger, steal saved login credentials from a browser, launch a Trojan to compromise an email account, or even conduct a ransomware attack.

SEE: Warning: 1 in 3 employees are likely to fall for a phishing scam (TechRepublic)

To pull off this scam, the attackers employed a few different tactics.

The emails were sent to active Craigslist users rather than just random people. The phishing messages themselves came from a Craigslist domain and an authentic Craigslist IP address. As they seemed to be legitimate, the messages were able to sneak past the standard email security protocols. Since Craigslist didn’t intend to send these emails, Inky believes the site may have been compromised, especially since the users were specifically targeted.

The criminals behind this scam also abused a Craigslist function known as mail relay. To help its users easily buy and sell items, Craigslist lets them exchange emails with each other. But instead of seeing the sender’s actual email address, the recipient sees a long hex string with the craigslist.org domain. That process keeps the email addresses of legitimate users private but also gives hackers a means to remain anonymous.

Further, the attackers used a legitimate Microsoft OneDrive site, impersonated DocuSign to give the operation an air of authenticity and flashed Norton and Microsoft logos to lend additional credibility to the message and the resulting form.

To protect yourself and your organization from an attack like this, Inky offers a few tips:

  • Watch out for unusual requests. In this instance, your Spidey sense should start tingling if you receive a violation notice that doesn’t correspond to any activity you’ve performed on the site in question.
  • Be wary of the mixing of platforms. In the campaign described by Inky, it makes no sense that a Craigslist problem would be resolved through a document uploaded to OneDrive.
  • Look out for signs of indirect ways to resolve an issue. In this case, you should be suspicious about the indirect way you’re asked to access and fill out a form. With a legitimate email, the form would be attached to the message rather than require you connect to OneDrive.

Also see