Cybercriminals are using Craigslist email notifications to send phishing links, according to Roger Kay at INKY. The emails contain links to download a document with malicious macros.

“In early October, several INKY users received real Craigslist email notifications informing them that a published ad of theirs included ‘inappropriate content’ and violated Craigslist’s terms and conditions,” Kay writes. “The notifications gave false instructions on how to avoid having their accounts deleted. In our analysis, we learned that a common thread among recipients of this particular phish was the fact that they were active Craigslist users. The notifications were ‘real’ in the sense that they really did come from a Craigslist domain, but they were fake in the sense that Craigslist itself, either its humans or its machines, did not intend to send them. Without verification from Craigslist, we can’t be sure, but it appears as if Craigslist was compromised since the recipients were not random (they posted ads on the platform) and the emails originated from Craigslist.”

Kay notes that the abuse of Craigslist’s platform allowed the messages to avoid detection by security filters.

“The phishers were able to manipulate the Craigslist email system to send a fake violation notification to that individual,” Kay says. “Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors.”

Kay concludes that people should be wary of unsolicited emails that ask them to click a suspicious link.

“Recipients should be on the lookout for unusual requests,” Kay says. “A red flag ought to go up right away if a violation notice comes in that doesn’t correspond to any recipient behavior on the platform in question. Another red flag is the mixing of platforms. It doesn’t make sense to resolve a Craigslist issue through a document uploaded to OneDrive. Recipients should also be suspicious about the indirect way they are being asked to sign the form. Proper protocol would have the form attached directly to the email rather than requiring a trip up to OneDrive and an additional link-click there.”

And, sadly, urgency should always raise our suspicions. “Act now” can appeal equally to fear and greed, and those two emotions are seldom conducive to cognitive clarity or situational awareness. New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.