Sponsored by..

Tuesday 13 July 2010

"Your craiglist account requires attention!!"

A fairly obvious phish:

From: noreply@craigslists.org
Date: 13 July 2010 08:29
Subject: Your craiglist account requires attention!!
   
Please follow the link bellow to avoid expiration of your Account https://www.craigslist.org/account/update

Thank you for using our services
The link in the email actually goes through your.totalinternethost.com/bb.html before bouncing to accounts.craiglist.org.postifedelta.com/icons/crg/ - I'm guessing that the domains are legitimate but their domain admin account has been hacked.

The mail itself is "from" craigslists.org (i.e. more than one list) rather than craigslist.org which is a clue, and also the subject is mis-spelled as craiglist .. usually signs that something it going wrong (and a couple of things that you could block if you roll your own mail filters).

If you click through, then you get a convincing looking login page which is an exact copy of the real thing:

This is the fake one (click to enlarge):


Fill in the login details, and the fake page harvests them and sends you on to the REAL page (pictured below) which looks identical. Presumably, victims are meant to think that their login has failed in some way.

The catch? Both the real and fake pages have an identical warning:

WARNING:  scammers may try to steal your account by sending an official-looking email with a link to a fake craigslist login page that looks like this page, hoping you'll type in your username and password.

example of valid craigslist address Look carefully at the web address near the top of your browser to make sure you are on the real craigslist login page, https://accounts.craigslist.org

The safest way to login is go to the craigslist homepage directly by typing in the web address, and then clicking on the 'my account' link.
Both fake and real pages even have a picture to show you what to look for:

On the fake page, the URL in the browser bar clearly does not match the one on the page. But how many people actually read it? Any sysadmin will tell you that there's a hard core of users who don't read or unstand warnings, and obviously there are enough of them to make this scam worthwhile.

Just for the record, these are the IPs in this particular phish:
accounts.craiglist.org.postifedelta.com 
116.12.52.25
Usonyx, Singapore

your.totalinternethost.com
64.191.40.21
Burstnet, Scranton

No comments: