Attackers Hijack Craigslist Emails to Bypass Security, Deliver Malware

Manipulated Craigslist emails that abuse Microsoft OneDrive warn users that their ads contain “inappropriate content.”

Musical instruments, motorcycle parts and now malware — Craigslist really does have it all.

The Craigslist internal email system was hijacked by attackers this month to deliver convincing messages, ultimately aimed at avoiding Microsoft Office security controls in order to deliver malware.

Sent from an authentic Craigslist IP address, the emails informed users that one of their published ads included inappropriate content and violated Craigslist‘s terms and conditions, giving false instructions on how to avoid having their accounts deleted.

Researchers at INKY discovered that the attackers manipulated the email’s HTML into a customized document with a malware-download link uploaded to a Microsoft OneDrive page. That page impersonated major brands like DocuSign, Norton and Microsoft.

Infosec Insiders Newsletter

That also allowed the campaign to slip past standard email authentication.

“Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors,” the researchers noted in a posting this week.

Abusing Anonymity

Craigslist is more than one gigantic yard sale. Its internal email system also lets interested buyers and sellers contact each other anonymously. According to INKY’s report, threat actors were able to abuse that Craigslist email system so as to deliver authentic-looking phishing emails to users who were actively trying to sell something on the site.

That means victims were likely already fielding random inquiries from the Craigslist system, so the malicious emails simply blended in.

“Craigslist knows the identities of everyone, but unless a correspondent discloses details, they are perfectly anonymous to others on the system,” the INKY report said. “This situation suits phishers just fine. They can shoot their poisoned arrows from behind a local mail proxy. And shoot they did — a number of times in early October.”

The phishing emails looked like a notice from Craigslist that the user’s ad contained inappropriate content. The letter then threatened to ban the user from the platform unless they filled out a form, accessed by a malicious link.

Impersonating Craigslist via an email system hack. Source: INKY.

Craigslist Phishing Emails Flag ‘Inappropriate Content’

“Our platform’s content publishing policy explicitly prohibits inappropriate content, your ad has received many red flags,” the email read. “A more detailed description of the problem is available in this form. It will be available 24 hours.”

Clicking on the “form” took users to a Microsoft OneDrive document, INKY explained.

“It appears as if bad actors were able to manipulate the email’s HTML to create that button and link it to OneDrive,” the researchers wrote. “Hovering over the link revealed a Russian domain (myjino[.]ru).”

Clicking on the link initiated a .ZIP file download containing a macro-enabled spreadsheet that delivered malware. To get around Microsoft Office security controls and run the macros, the malicious documents prompted victims to click on a button to “Enable Editing” or “Enable Content,” INKY said.

“The spreadsheet impersonated DocuSign and also used Norton and Microsoft logos to imply that the file was safe,” according to the report. “DocuSign does not in fact have a service called ‘DocuSign Protect Service.'”

Convincing-looking “DocuSign” request. Source: INKY.

When the INKY team tried to get the malware to work it led to a 404 error message, which the team surmised is either a mistake by the attackers, or an indication that they had already been found out and taken down by the host.

Nonetheless, the INKY team said this Craigslist-hosted attack could have been used to install a remote access tool (RAT), launch a ransomware attack, implement a first-stage implant like TrickBot, exfiltrate sensitive data or deploy a keylogger.

INKY advised Craigslist users to be on the lookout for these kinds of attacks, and added that any emails that seem unusual should be viewed as potentially malicious.

“Another red flag is the mixing of platforms,” the analysts added. “It doesn’t make sense to resolve a Craigslist issue through a document uploaded to OneDrive.”

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles