From: noreply@craigslists.orgThe link in the email actually goes through your.totalinternethost.com/bb.html before bouncing to accounts.craiglist.org.postifedelta.com/icons/crg/ - I'm guessing that the domains are legitimate but their domain admin account has been hacked.
Date: 13 July 2010 08:29
Subject: Your craiglist account requires attention!!
Please follow the link bellow to avoid expiration of your Account https://www.craigslist.org/account/update
Thank you for using our services
The mail itself is "from" craigslists.org (i.e. more than one list) rather than craigslist.org which is a clue, and also the subject is mis-spelled as craiglist .. usually signs that something it going wrong (and a couple of things that you could block if you roll your own mail filters).
If you click through, then you get a convincing looking login page which is an exact copy of the real thing:
This is the fake one (click to enlarge):
Fill in the login details, and the fake page harvests them and sends you on to the REAL page (pictured below) which looks identical. Presumably, victims are meant to think that their login has failed in some way.
The catch? Both the real and fake pages have an identical warning:
WARNING: scammers may try to steal your account by sending an official-looking email with a link to a fake craigslist login page that looks like this page, hoping you'll type in your username and password.Both fake and real pages even have a picture to show you what to look for:
example of valid craigslist address Look carefully at the web address near the top of your browser to make sure you are on the real craigslist login page, https://accounts.craigslist.org
The safest way to login is go to the craigslist homepage directly by typing in the web address, and then clicking on the 'my account' link.
On the fake page, the URL in the browser bar clearly does not match the one on the page. But how many people actually read it? Any sysadmin will tell you that there's a hard core of users who don't read or unstand warnings, and obviously there are enough of them to make this scam worthwhile.
Just for the record, these are the IPs in this particular phish:
accounts.craiglist.org.postifedelta.com
116.12.52.25
Usonyx, Singapore
your.totalinternethost.com
64.191.40.21
Burstnet, Scranton