Craigslist has become a place for hackers to get the email addresses of the website’s users and send them phishing emails. These often contain brand impersonation, such as DocuSign, Microsoft, and Norton to suggest safety and make targets trust them, and sent fake Craigslist violation emails to lead victims to a malware download link eventually.
One such email prompted a user to click a compromised link citing “inappropriate content” and terms of use violation.
The compromised link given in the email led to an uploaded Microsoft OneDrive document hosting a “Download” button for filling an adjoined form and sending it over to [email protected]. This form also hosts fake antivirus and antimalware signs so users can get duped into trusting them.
Users often get tricked because the emails are sent using Craigslist domains, in this case, IP address 208.82.237.105, but are not directly sent by the website’s owner or admin systems.
However, researchers discovered the link led to a Russian domain (myjino[.]ru). Plus, the download itself is a compromised document “form_1484004552-10012021.xls,” already flagged by public cybersecurity advisors online.
Even though DocuSign does not have a service called “DocuSign Protect Service," this name was used to inspire trust adding the Norton and Microsoft logos as well. The brand noticed this misuse in November 2020, and it was posted in the alerts section of its website.
If unsuspecting targets go the distance with this malware, then they could have remote access tools covertly installed on their devices. They could also be subjected to a ransomware attack, Emotet-based email breach, log-in details exfiltration, keylogger installation, etc. Craiglist users are advised to exercise caution regarding all such emails and use only authenticated sources for processing user-related issues.