Disecting a Spoof Craigs List Email

Member for

7 months 4 weeks
Submitted by AlReaud on Tue, 12/27/2011 - 09:29

NOTE: Updated 11/15/2016

Today's blog entry will cover a little live action. This is a continuation of the attacks from French domains. Contrary to popular belief, all online attacks DO NO ORIGINATE FROM CHINA!

Following the receipt of the below email, I examined the email in detail (clicking on the image opens a full size image in another tab or window).

Craigs List phishing email attempting to get your login.

The most important above is that when you hover over the link, you can see in the status bar that it does not send you to the link displayed, but to a bogus link. Thunderbird picks up on this and flags the message as a possible scam message.

The IP address of this link is 94.23.22.118, and is a Plesk virtual machine on a cloud node. Attacks from that area have been ongoing for weeks... Zenmap indicates that it has the signature of a compromised machine, including all common mail ports open, such as Postfix smtpd, Courier pop3d, Courier imapd, with three distinct security certificates for three different organizations. Zenmap gives that bomb symbol, LOL! The Zenmap scan is long duration and stealthy to prevent the quarry from bolting, just like if you were tracking a deer.

Following through the link takes you to [http://]accounts.craigslist.org.user.login.qpef.craigslist-auth.info, which is a sub-domain of the same offending domain. What's interesting is the slick social engineering tool they use. It's in plain view, but they sucker you into accepting it (clicking on the image opens a full size image in another tab or window).

Craigs List account login phishing scam example.

First off, we see that plainly, the WARNING: tells one what to look for. So if one just looks into the address bar, one can see that it DOESN'T match the one in the warning. Paying attention will save your ass. Two scripts are indicated as being blocked. Those are the ones that they "borrow" from the actual true site. Another indication is that the site is not locked. There is no lock symbol or other indication that it is a secure (https) site. Again reading the warning will insure that this scam doesn't work for you.

The body is pretty slick also, almost copying verbatim the actual site, and one actually does post to login.php. however, not to https://accounts.craigslist.org/login

Firebug analysis of Craigs List phishing site code

Giving it bogus information sends one to http://www.craigslist.org/about/help/user_accounts. Making one think that it was a glitch at the server.

Shutting down this kind of site externally is hard. Because it relies on the cloud, it has a lot of power, and is therefore not subject to methods such as siege. However, there are significant weaknesses, as related by previous OpenVAS scans of the same IP area. We've previously scanned 94.23.205.180, a CMS attacker IP, and found 16 high level security issues. On this domain, OpenVAS reports seven high and five medium level weaknesses. One allows access to be gained to random user accounts. No wonder phishing mail is coming from this address!

As the sysops in that domain block (94.23.0.0/16) apparently can't or won't shut down those compromised virtual machines, I put these out. As the economy has gotten worse and individuals are becoming desperate for work, these kinds of scams keep popping up more and more.

Add new comment

The content of this field is kept private and will not be shown publicly.

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol type start> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id> <u> <s> <sup> <sub> <hr>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
Image CAPTCHA
Enter the characters shown in the image.