Do you own a Craigslist account? Be warned: its internal email system was recently hijacked by a scammer. Cybercriminals are sending out Craigslist malware to registered users.
Craigslist users should be careful about the "authentic emails" from the website. Although these emails contain a valid Craigslist IP address, they might also include malware that could harm the device.
According to ThreatPost, the company was hijacked by attackers this month. Cybercriminals abused the internal email system, posed as the company, and sent out emails telling users that their accounts were being deleted.
Following the instructions to "save" the account will download the malware.
Craigslist Phishing Email and Malware
Researchers from security firm INKY first discovered this malware. They said the malware was cleverly hidden in a customized document uploaded to Microsoft OneDrive. Since the URL pointed to Microsoft OneDrive, it bypassed threat intelligence feeds and even slipped past most security vendors.
A screenshot of the Craigslist notification was included in the report. The phishing email read, "Our platform's content publishing policy explicitly prohibits inappropriate content, your ad has received many red flags. Immediate editing and filling on the D7.b form is needed... In case of your inactivity, the account will be deleted and all further attempts to register new accounts will be rejected."
Admittedly, cybercriminals made the email look very convincing. The threat of account termination and a permanent ban could scare a lot of active users. However, users should firmly ignore this email.
Craigslist Malware Revealed
According to INKY, there are a few signs of the malware scheme. Hovering the mouse over the link will reveal a Russian domain "myjino.ru."
Also, note that clicking on the link will initiate the download of a .ZIP file containing a macro-enabled spreadsheet. Users who click the "Enable Editing" or "Enable Content" options will allow the malware to bypass Microsoft Office security controls and run its macros.
The corrupted spreadsheet called DocuSign also impersonated brands like Norton and Microsoft to make its file a lot more convincing.
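The check below is an added example, not code from the article or from INKY: it triages a downloaded ZIP of the kind described above, flagging members with macro-capable extensions and Office files that carry a vbaProject.bin part. The file names and the sample archive are constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Office opens with macros available (OOXML macro-enabled plus legacy binary).
MACRO_EXTS = {".xlsm", ".xlsb", ".xltm", ".xlam", ".docm", ".dotm", ".pptm", ".xls", ".doc"}
# OOXML containers are themselves ZIP files, so they can be inspected for a VBA part.
OOXML_EXTS = {".xlsx", ".xlsm", ".xlsb", ".xltm", ".xlam", ".docx", ".docm", ".dotm", ".pptx", ".pptm"}


def has_vba_project(ooxml_bytes):
    """True if an OOXML container holds a VBA project part (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False  # not a ZIP container, so there is no OOXML part to inspect


def triage_zip(zip_bytes, max_member_size=20 * 1024 * 1024):
    """Return (member_name, reason) findings for a downloaded ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in MACRO_EXTS:
                findings.append((info.filename, "macro-capable extension"))
            # Size guard: skip oversized members instead of decompressing them.
            if ext in OOXML_EXTS and info.file_size <= max_member_size:
                if has_vba_project(archive.read(info)):
                    findings.append((info.filename, "contains vbaProject.bin"))
    return findings


def zip_of(parts):
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample, not a real artifact: one macro-enabled workbook, one plain workbook.
SAMPLE = zip_of({
    "constructed_form.xlsm": zip_of({"xl/workbook.xml": b"<x/>", "xl/vbaProject.bin": b"\x00"}),
    "notes.xlsx": zip_of({"xl/workbook.xml": b"<x/>"}),
})

if __name__ == "__main__":
    for name, reason in triage_zip(SAMPLE):
        print(f"{name}: {reason}")
```

A finding here only means macros are present; whether they run still depends on the user clicking "Enable Content", which is why mail gateways and endpoint policy commonly block or quarantine such files before they reach that prompt.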
Fortunately, when the INKY team tried to retrieve the malware, the link led to a 404 error message. INKY speculated that it could have been a mistake by the attackers or an indication that a security firm had already found it and taken it down.
Nonetheless, INKY warned about the vicious nature of this Craigslist-hosted attack. This method could also install a remote access tool (RAT), implement a first-stage implant like TrickBot, launch ransomware attacks, exfiltrate sensitive data or deploy a keylogger.
Users should be wary about these kinds of attacks, even in the future. Cybercriminals are getting a lot more creative with their hacking strategies, which makes detecting them extremely difficult. Users can help improve their security by following a few steps.
This article has some suggestions for improving account security, which even helped users who were exposed in the Twitch Data Breach 2021.