Attackers Hijack Craigslist Emails to Bypass Security, Deliver Malware
Original article: https://threatpost.com/attackers-hijack-craigslist-email-malware/1757...
Musical instruments, motorcycle parts and now malware — Craigslist really does have it all.
The Craigslist internal email system was hijacked by attackers this month to deliver convincing messages, ultimately aimed at avoiding Microsoft Office security controls in order to deliver malware.
Sent from an authentic Craigslist IP address, the emails informed users that one of their published ads included inappropriate content and violated Craigslist's terms and conditions, giving false instructions on how to avoid having their accounts deleted.
Researchers at INKY discovered that the attackers manipulated the email’s HTML into a customized document with a malware-download link uploaded to a Microsoft OneDrive page. That page impersonated major brands like DocuSign, Norton and Microsoft.
Because the messages originated from Craigslist's own mail infrastructure, they also passed standard email authentication checks (SPF, DKIM and DMARC), which verify the sending infrastructure rather than the intent of whoever is sending through it.
“Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors,” the researchers noted in a posting this week.
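The two evasion points above (authentication passes because the relay is legitimate, and a reputation feed stays silent because the link points at OneDrive) are easy to see in a small triage script. The following is an added example written for this page, not code from the article or from INKY; the feed contents, host lists, pressure phrases and the sample message are all constructed for the illustration, and the lure-wording heuristic is an assumption to be tuned locally.

```python
"""
Added example (not from the article or INKY): why a URL reputation lookup
alone misses a lure staged on a legitimate file-sharing host, and one
content-level check that still catches it. All data below is constructed.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed stand-in for a threat-intelligence URL feed (assumption).
THREAT_FEED_DOMAINS = {"docusign-verify.example", "norton-renewal.example"}

# File-sharing hosts a lure document is commonly staged on (assumption; tune locally).
FILE_SHARING_HOSTS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")

# Wording typical of "your account is in trouble" lures (assumption; tune locally).
PRESSURE_PHRASES = ("violated", "inappropriate content", "terms and conditions",
                    "account will be deleted")

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_urls(text: str) -> list[str]:
    """Pull every http(s) link out of the body text."""
    return URL_RE.findall(text)


def auth_passed(msg: Message) -> bool:
    """True when the receiving MTA recorded spf, dkim and dmarc as pass."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def in_threat_feed(urls: list[str]) -> bool:
    """The reputation check: fires only if a link's host is on the feed."""
    return any(urlparse(u).hostname in THREAT_FEED_DOMAINS for u in urls)


def lure_indicators(text: str, urls: list[str]) -> list[str]:
    """Content-level signals that do not depend on the link's reputation."""
    reasons = []
    lowered = text.lower()
    hits = [p for p in PRESSURE_PHRASES if p in lowered]
    if hits:
        reasons.append("pressure wording: " + ", ".join(hits))
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            reasons.append(f"account-fix link staged on file-sharing host {host}")
    return reasons


def triage(raw: str) -> dict:
    """Run both checks over one raw RFC 822 message and report the verdicts."""
    msg = message_from_string(raw)
    text = body_text(msg)
    urls = extract_urls(text)
    reasons = lure_indicators(text, urls)
    return {
        "auth_passed": auth_passed(msg),
        "feed_hit": in_threat_feed(urls),
        "urls": urls,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample: headers mimic a message relayed through a marketplace's own
# mail system (so authentication passes), the link sits on OneDrive (so the feed
# is silent), and only the content heuristic fires.
SAMPLE_EMAIL = """\
From: "craigslist" <noreply@craigslist.org>
To: seller@example.net
Subject: Your ad violated our terms
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=craigslist.org;
 dkim=pass header.d=craigslist.org; dmarc=pass header.from=craigslist.org
Content-Type: text/html; charset=utf-8

<p>One of your published ads contains inappropriate content and has violated
our terms and conditions. To keep your account from being deleted, review the
notice here: <a href="https://onedrive.live.com/?id=ABC123">resolve issue</a></p>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Running it on the sample shows `auth_passed` true and `feed_hit` false, which is exactly the blind spot the campaign exploited; the verdict has to come from the message content and the mismatch between a marketplace notice and a consumer file-sharing link, not from the sender's infrastructure or the link's reputation.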
Abusing Anonymity
Craigslist is more than one gigantic yard sale. Its internal email system also lets interested buyers and sellers contact each other anonymously. According to INKY’s report, threat actors were able to abuse that Craigslist email system so as to deliver authentic-looking phishing emails to users who were actively trying to sell something on the site.
That means victims were likely already fielding random inquiries from the Craigslist system, so the malicious emails simply blended in.
“Craigslist knows the identities of everyone, but unless a correspondent discloses details, they are perfectly anonymous to others on the system,” the INKY report said. “This situation suits phishers just fine. They can shoot their poisoned arrows from behind a local mail proxy. And shoot they did — a number of times in early October.”