Fake Automated Craigslist Email Notifications Link to Blackhole Exploit Kit

UPDATE: A big wave of emails purporting to be Craigslist notifications but containing links to websites hosting the Black Hole exploit kit hit the Internet yesterday, a day that already was filled with drama surrounding the LinkedIn password dump.

UPDATE: A big wave of emails purporting to be Craigslist notifications but containing links to websites hosting the Black Hole exploit kit hit the Internet yesterday, a day that already was filled with drama surrounding the LinkedIn password dump.

The malicious emails, 150,000 of which were caught by Websense Security Lab’s Cloud Email Security portal yesterday, attempt to convince recipients that “FURTHER ACTION IS REQUIRED TO COMPLETE [THEIR] REQUEST!!!” The emails go on to claim that recipients must follow the (malicious) link below in order to publish, edit or delete their ad or verify their email address. At the bottom of the email is a bold and capped piece of text that helpfully advises that users “KEEP THIS EMAIL.”

It is not clear if these emails are just blanketing random email addresses or exclusively targeting individuals who are currently running ads on Craigslist. Websense officials didn’t respond to a request for clarification on that point.

In an email recieved after publication Thursday afternoon, a Websense spokespoerson told Threatpost that the emails did not appear to be targeted specifically toward individuals running ads on Craigslist, but rather that they seemed to be part of a broad a spam campaign.

Websense lists “Models for fine” (systems / network), “Studio4PaintWorkCatskills” (education), and “Show Your Art” (cars+trucks) as a few of the email subjects popping up in the scam. Websense also reports that the malicious emails have seemingly legitimate sender addresses and are convincingly similar in appearance to real automated Craigslist notifications.

The malicious links in the emails are leading users to a compromised WordPress page containing obfuscated Java Script in the form of an iframe. According to Websense, the attackers are exploiting CVE-2010-0188 and CVE-2010-1885.

Suggested articles