Sponsored by..

Showing posts with label Craigslist. Show all posts
Showing posts with label Craigslist. Show all posts

Wednesday 6 June 2012

Fake Craiglist emails / paranoiknepjet.ru

Here are two examples of fake Craiglist emails leading to malware on paranoiknepjet.ru. If you have any other samples, then please consider sharing them in the Comments..

From: craigslist - automated message, do not reply
Sent: 06 June 2012 14:32
Subject: POST/EDIT/DELETE : "Film maker & Actor/Actress" (crew)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:
•    PUBLISH YOUR AD
•    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
•    VERIFY YOUR EMAIL ADDRESS
•    DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

========================

From: craigslist - automated message, do not reply
Sent: Tue 05/06/2012 21:43
Subject: POST/EDIT/DELETE : "Real professional tattoo work" (cycle)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:
•    PUBLISH YOUR AD
•    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
•    VERIFY YOUR EMAIL ADDRESS
•    DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The link in the email leads to a malicious payload at [donotclick]http://paranoiknepjet.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on some IP addresses we have already seen.

50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106


I can identify the following domains on those IPs, all of which can be considered to be malicious:

girlsnotcryz.ru
holigaansongeer.ru
immerialtv.ru
insomniacporeed.ru
mazdaforumi.ru
norilsknikeli.ru
opimmerialtv.ru
piloramamoskow.ru
spbfotomontag.ru
uzindexation.ru


Added:another one..
Date:      Wed, 6 Jun 2012 02:48:02 +0000
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      POST/EDIT/DELETE : "we have moving supplies "check us out"" (sublets / temporary)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!  

Tuesday 13 July 2010

"Your craiglist account requires attention!!"

A fairly obvious phish:

From: noreply@craigslists.org
Date: 13 July 2010 08:29
Subject: Your craiglist account requires attention!!
   
Please follow the link bellow to avoid expiration of your Account https://www.craigslist.org/account/update

Thank you for using our services
The link in the email actually goes through your.totalinternethost.com/bb.html before bouncing to accounts.craiglist.org.postifedelta.com/icons/crg/ - I'm guessing that the domains are legitimate but their domain admin account has been hacked.

The mail itself is "from" craigslists.org (i.e. more than one list) rather than craigslist.org which is a clue, and also the subject is mis-spelled as craiglist .. usually signs that something it going wrong (and a couple of things that you could block if you roll your own mail filters).

If you click through, then you get a convincing looking login page which is an exact copy of the real thing:

This is the fake one (click to enlarge):


Fill in the login details, and the fake page harvests them and sends you on to the REAL page (pictured below) which looks identical. Presumably, victims are meant to think that their login has failed in some way.

The catch? Both the real and fake pages have an identical warning:

WARNING:  scammers may try to steal your account by sending an official-looking email with a link to a fake craigslist login page that looks like this page, hoping you'll type in your username and password.

example of valid craigslist address Look carefully at the web address near the top of your browser to make sure you are on the real craigslist login page, https://accounts.craigslist.org

The safest way to login is go to the craigslist homepage directly by typing in the web address, and then clicking on the 'my account' link.
Both fake and real pages even have a picture to show you what to look for:

On the fake page, the URL in the browser bar clearly does not match the one on the page. But how many people actually read it? Any sysadmin will tell you that there's a hard core of users who don't read or unstand warnings, and obviously there are enough of them to make this scam worthwhile.

Just for the record, these are the IPs in this particular phish:
accounts.craiglist.org.postifedelta.com 
116.12.52.25
Usonyx, Singapore

your.totalinternethost.com
64.191.40.21
Burstnet, Scranton