Phishing attack exploits Craigslist and Microsoft OneDrive

1 month ago 8

A phishing run took vantage of the message relay relation connected Craigslist, which allows attackers to stay anonymous, Inky says.


Image: GrafVishenka, Getty Images/iStockPhotos

Cybercriminals volition look for immoderate weakness oregon regulation successful an different morganatic work to assistance them transportation retired an attack. That's existent of a caller phishing run that uses some Craigslist and OneDrive to instrumentality radical into installing malware. A report published Tuesday by email information supplier Inky describes however this onslaught tried to play out.

SEE: Social engineering: A cheat expanse for concern professionals (free PDF) (TechRepublic)  

In October, respective Inky customers received an email notification allegedly from Craigslist informing them that an advertisement they had posted included "inappropriate content," frankincense violating Craigslist's presumption and conditions. The recipients were fixed instructions to forestall their accounts from being deleted.

Clicking connected a fastener successful the email was expected to instrumentality radical to a signifier papers that had been uploaded to an existent Microsoft OneDrive site. Users were told to click connected a download nexus to get the form, capable it out, and past nonstop it to an email code of


Image: Inky

In actuality, clicking connected the nexus downloaded a zip record that, erstwhile uncompresssed, triggered a macro-enabled Excel spreadsheet. The spreadsheet spoofed DocuSign and utilized Norton and Microsoft logos to suggest that the record was safe. Anyone who clicked connected the commands for Enable Editing and Enable Content bypassed Microsoft Office information and allowed the macros to beryllium executed.

Triggering the macros successful a sandbox environment, Inky recovered that definite files were created, portion others were modified. The malware besides tried to link to different websites to download much components oregon exfiltrate data. However, these attempts failed, either due to the fact that the attackers made mistakes successful their codification oregon the malicious contented had already been discovered and removed.

Had the malware corruption been successful, the attackers would person been capable to instal a distant entree tool, instal a keylogger, bargain saved login credentials from a browser, motorboat a Trojan to compromise an email account, oregon adjacent behaviour a ransomware attack.

SEE: Warning: 1 successful 3 employees are apt to autumn for a phishing scam (TechRepublic)

To propulsion disconnected this scam, the attackers employed a fewer antithetic tactics.

The emails were sent to progressive Craigslist users alternatively than conscionable random people. The phishing messages themselves came from a Craigslist domain and an authentic Craigslist IP address. As they seemed to beryllium legitimate, the messages were capable to sneak past the modular email information protocols. Since Craigslist didn't mean to nonstop these emails, Inky believes the tract whitethorn person been compromised, particularly since the users were specifically targeted.

The criminals down this scam besides abused a Craigslist relation known arsenic message relay. To assistance its users easy bargain and merchantability items, Craigslist lets them speech emails with each other. But alternatively of seeing the sender's existent email address, the recipient sees a agelong hex drawstring with the domain. That process keeps the email addresses of morganatic users backstage but besides gives hackers a means to stay anonymous.

Further, the attackers utilized a morganatic Microsoft OneDrive site, impersonated DocuSign to springiness the cognition an aerial of authenticity and flashed Norton and Microsoft logos to lend further credibility to the connection and the resulting form.

To support yourself and your enactment from an onslaught similar this, Inky offers a fewer tips:

  • Watch retired for antithetic requests. In this instance, your Spidey consciousness should commencement tingling if you person a usurpation announcement that doesn't correspond to immoderate enactment you've performed connected the tract successful question.
  • Be wary of the mixing of platforms. In the run described by Inky, it makes nary consciousness that a Craigslist occupation would beryllium resolved done a papers uploaded to OneDrive.
  • Look retired for signs of indirect ways to resoluteness an issue. In this case, you should beryllium suspicious astir the indirect mode you're asked to entree and capable retired a form. With a morganatic email, the signifier would beryllium attached to the connection alternatively than necessitate you link to OneDrive.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

Read Entire Article