Tuesday, 17 July 2012

Fake Craigslist emails / visorwordprocessor.org

These fake Craigslist emails lead to malware on visorwordprocessor.org:


Date:      Tue, 17 Jul 2012 09:01:11 -0500
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      Your Craiglist.org posting URL.

Posting ID # 27643127:

    "Double Stainless Steel Sink" (household items - by owner)

Should now be accessible at the following URL:

    http://craigslist.org/hsh/262383.html

Index pages and search results are updated every 15 minutes.

To edit or delete, please log in to your member area.

If you are having trouble finding your posting in the listings:

    http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings

For other questions or help:

    http://w= ww.craigslist.org/about/help/

Safety tips and avoiding scams:

    http://= www.craigslist.org/about/safety
    http://www.craigslist.o= rg/about/scams

Thanks for using craigslist!

==========


Date:      Tue, 17 Jul 2012 06:00:52 -0800
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      Your Craiglist posting is successful.

Posting ID # 14717917:

    "Turbo 400 Tranny" (household items - by owner)

Should now be accessible at the following URL:

    http://craigslist.org/hsh/888725.html

New postings are updated every 15 minutes.

To edit or delete, please log in to your member area.

If you are having trouble finding your item in the listings:

    http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings

For other questions or help:

    http://w= ww.craigslist.org/about/help/

Safety tips and avoiding scams:

    http://= www.craigslist.org/about/safety
    http://www.craigslist.o= rg/about/scams

Thanks for using craigslist!

==========


Date:      Tue, 17 Jul 2012 15:13:26 +0200
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      Your Craiglist posting is successful.

Posting ID # 49685217:

    "Generator" (household items - by owner)

Should now be viewable at the following URL:

    http://craigslist.org/hsh/887563.html

New postings are updated every 15 minutes.

To edit or delete, please log in to your account.

If you are experiencing problems finding your posting in the listings:

    http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings

For other questions or help:

    http://w= ww.craigslist.org/about/help/

Safety tips and avoiding scams:

    http://= www.craigslist.org/about/safety
    http://www.craigslist.o= rg/about/scams

Thanks for using craigslist!

==========


Date:      Tue, 17 Jul 2012 10:09:15 -0300
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      You can access your Craiglist listing by the new location.

Posting ID # 35649793:

    "Screwdrivers kit" (household items - by owner)

Can now be viewable at the following location:

    http://craigslist.org/hsh/284761.html

Index pages and search results are updated every 15 minutes.

To edit or delete, please log in to your account.

If you are having trouble finding your item in the listings:

    http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings

For other questions or help:

    http://w= ww.craigslist.org/about/help/

Safety tips and avoiding scams:

    http://= www.craigslist.org/about/safety
    http://www.craigslist.o= rg/about/scams

Thanks for using craigslist!

The malicious payload is at [donotclick]visorwordprocessor.org/main.php?page=ed0a25d616022c57 (report here) hosted on 91.227.18.26 (Eximus LLC, Russia). The namesevers are at good-autosport.com which links this attack in with this one earlier today.

1 comment:

Jadzaea said...

I literally just got the one about the "screwdrivers kit" minutes ago, at an e-mail address that I know isn't attached to a Craigslist account. I suspected it was bogus, but this confirms it. It's been deleted, never to be seen again. :P

Thanks for posting these--it helped me tons!