Craigslist may be the place people head to buy second-hand goods, but it also now being used by threat actors to bypass Microsoft Office security. Security researchers for INKY found Craigslist's internal email network was breached in a targeted attack aimed at Microsoft OneDrive users.
It seems the email system was used to send legitimate looking message. In fact, the messages come from a real Craigslist IP, making them seem authentic. In the emails, users are told that an add they placed on the platform is in violation of terms and conditions.
Accompanying the warning are instructions for the user to avoid their account being removed. One problem is the instructions and the whole email are fake.
INKY reports the attackers were able to hijack Craigslist's email network and change the email HTML to a custom message that has a malware download link on Microsoft OneDrive. This document mimics legit software like Norton and DocuSign. The victim believes they are following real instructions but are really being directed to malware.
“Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors,” the research team says.
“Craigslist knows the identities of everyone, but unless a correspondent discloses details, they are perfectly anonymous to others on the system,” INKY continues. “This situation suits phishers just fine. They can shoot their poisoned arrows from behind a local mail proxy. And shoot they did — a number of times in early October.”
The message on the email reads:
“Our platform's content publishing policy explicitly prohibits inappropriate content, your ad has received many red flags,” the email read. “A more detailed description of the problem is available in this form. It will be available 24 hours.”
When the user clicks the “form”, they are taken to an infected Microsoft OneDrive document.
“It appears as if bad actors were able to manipulate the email's HTML to create that button and link it to OneDrive,” the researchers wrote. “Hovering over the link revealed a Russian domain (myjino[.]ru).”
Tip of the day: Is your system drive constantly full and you need to free up space regularly? Try Windows 10 Disk Cleanup in extended mode which goes far beyond the standard procedure. Our tutorial also shows you how to create a desktop shortcut to run this advanced method right from the desktop.