Hackers are abusing a Craigslist security flaw to infect devices

Known malware is making the rounds on Craigslist


A new email phishing campaign is seeing malicious actors abuse a vulnerability in the Craigslist mailing system to distribute malware.

According to the report from INKY, a malicious actor (or multiple actors) somehow managed to compromise the Craigslist mailing system and started sending out notifications to active users of the platform. The email notification, a simple message with just a few sentences and a button, warned the user that their recent ad included inappropriate content and violated Craigslist’s terms.

The button in the email claims to forward the reader to the platform in order to remedy the problem. However, simply hovering the mouse over the button reveals the real destination: a Russian domain, myjino[.]ru.
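The hover check described above can be automated on the mail gateway: extract every link in the HTML body and flag those whose host is outside the domain the message claims to come from. This is an added example, not code from the original article or from INKY; the sample message body is constructed to resemble the notice described, and `claimed_domain` is an assumed input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body resembling the fake violation notice (not the real message).
SAMPLE_HTML = """
<p>Your recent ad included inappropriate content and violated our terms.</p>
<a href="https://myjino.ru/remedy">Go to Craigslist</a>
<a href="https://accounts.craigslist.org/login">Log in</a>
<a href="mailto:violations@craigslist.org">violations@craigslist.org</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_org(host, domain):
    """True when host is the claimed domain or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, claimed_domain):
    """Return (href, text) for web links whose host is not under claimed_domain.

    mailto: and other non-web schemes are skipped; the visible text is kept so an
    analyst sees the brand name the link was dressed up with.
    """
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue
        host = (parsed.hostname or "").lower()
        if not same_org(host, claimed_domain.lower()):
            flagged.append((href, text))
    return flagged
```

Run against the sample, only the button pointing at myjino.ru is reported; the genuine craigslist.org link and the mailto: address pass.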

Abusing legitimate hosting sites

If the victim tries to remedy the issue by following the instructions in the email and clicking the link in the message, they are sent to a customized document uploaded to Microsoft OneDrive. So, in this campaign, a legitimate hosting service was abused to host a malicious file.

The victims were then instructed to download that file, fill out the form, and return it to violations@craigslist.org.

When the victim clicks the download button, they receive a compressed file named “form_1484004552-10012021.zip.” Uncompressing it yields a macro-enabled spreadsheet titled “form_1484004552-10012021.xls”. This file had already been flagged as malicious by multiple security vendors.

To add to the “legitimacy” of the document, the malicious actors also added logos of DocuSign, Norton and Microsoft. Running the malware in a sandbox environment, the researchers said it “created and modified” multiple files. The malware also tried to connect to an external server in order to download additional components, or possibly exfiltrate data. However, those attempts received a “404 not found” error.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
