Hackers are abusing a Craigslist security flaw to infect devices

An abstract image of digital security.
(Image credit: Shutterstock)
Audio player loading…

A new email phishing (opens in new tab) campaign is seeing malicious actors abusing a vulnerability in the Craigslist mailing system to distribute malware (opens in new tab).

According to the report from INKY, a malicious actor (or multiple actors) somehow managed to compromise the Craigslist mailing system and started sending out notifications to active users of the platform. The email notification, a simple message with just a few sentences and a button, warned the user that their recent ad included inappropriate content and violated Craigslist’s terms.

The button in the email claims to forward the reader to the platform, in order to remedy the problem. However, simply hovering the mouse over the button reveals the real link - a Russian domain - myjino[.]ru.

Abusing legitimate hosting sites

If the victim tries to remedy the issue by following the instructions in the email and clicking the link in the message, they would be sent to a customized document, uploaded to Microsoft OneDrive. So, in this campaign, a legitimate hosting service was abused to host a malicious file.

The victims were then instructed to download that file, fill out the form, and return it to violations@craigslist.org.

Clicking the download button, the victim would receive a compressed file named “form_1484004552-10012021.zip.” Uncompressing it gets them a spreadsheet, with macros enabled, titled “form_1484004552-10012021.xls”. This file was already flagged as malicious, by multiple security vendors.

To add to the “legitimacy” of the document, the malicious actors also added logos of DocuSign, Norton and Microsoft. Running the malware (opens in new tab)in a sandbox environment, the researchers said it “created and modified” multiple files. The malware also tried to connect to an external server, in order to download additional components, or possibly exfiltrate data. However, attempts received a “404 not found” error.

Looking to stay safe online? You should also check out our rundown of the best ransomware protection (opens in new tab) services out there today

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.