This is priceless!
We just intercepted what might be the coolest Craigslist Phish ever. Maybe even the trickiest Phishing fraud ever — it’s definitely among the best we’ve seen.
For the sake of context, the normal Phishing and identity theft attempt goes something like this: You get an email that says something dire like “your account has been hacked/suspended/overdrawn or whatever” and then presents you with a link to a fake login page so the phisher can trick you into providing your username and password.
That is, of course, assuming you click the link and fill in the login form.
Most of the time the hyper-linked text will say something like “Log in” or “Click Here” or “Access Your Account” and if you hover your mouse over the link and look at the status bar of your email client you’ll see that the link actually goes to an abandoned URL like “abctreesurgery.com”; a random one like “sksjhrkeykser.com” or something on a hacked google groups page.
But this Phisher is in a class of their own.
The email itself is fairly typical:
Subject: Please verify your account
From: “email@example.com” <firstname.lastname@example.org>
To: [blank]Your account has been suspended! According to our records, your account has violated our site policies.
If you think we’ve made a mistake or want to appeal our decision, please click on the below link or copy and paste into your browser:
Click here to log in
to update your account with our customer service representatives.
Designated trademarks and brands are the property of their respective owners.
Craigslist and the Craigslist logo are registered trademarks or trademarks of Craigslist, Inc.
Copyright © 2010 Craigslist, Inc. All Rights Reserved.
The fun part is the target of the “Click here to log in” link which is:
This alone gave us a good laugh when we saw it but the site at that link is even better.
The screen capture below shows what you’ll see if you follow the “Click here to log in” link (as far as we can tell it’s safe but don’t click it if you don’t have good anti-virus software.)
If the site warns you about Phishing sites can’t really be Phishing attack site itself, right?
It even links to a site that has more information about Phishing. If they were trying to steal your login information, they wouldn’t actually include such warnings, would they?
Since most all of the links on this page link to real Craigslist pages, it must be legit…
In spite of the brilliance of the wolf-in-sheep’s-clothing tactic the site is actually kind of clumsy.
The layout and HTML are not quite the quality that you would expect from a major web player like Craigslist (though Craigslist is surprising sloppy itself). In fact, a good way to identify a lot of lame Phishing/Fraud/Identity Theft attempts is that they are visually ugly.
Not that this one is lame, we give them a lot of credit for originality, they just need to get a better web designer, and they probably will!
To a certain extent this page actually offers excellent advice. If you get a message suggesting that you should log in to your account and fix something then you should type in the web address of the site. Find the address on your bill or on their promotional materials, don’t use the one supplied by a questionable email. For example Craigslist is “www.craigslist.org” (although they do own “craigslist.com” as well).
The anti-fraud site linked from this phishing site is also worth reading. If you learn how these guys operate you’ll be less likely to fall for their tricks. Even the really tricky ones like the one featured today.
And while we’re on the subject, here’s another one that uses the “email@example.com” email address:
Subject: craigslist.org: password reset for craigslist user account
The body of this message is actually an image file that looks like this:
The links on this page link to a site at:
Warning: Do not visit this site without up to date anti-virus software.
Our browser (Firefox) flagged this page as a “reported forgery” and our anti-virus software (AVG) warned us that it was a “suspected phishing page” when we ignored the browser warning. The actual page looks pretty much like the one above but without the “WARNING” section. (We ignored the anti-virus warning too, but remember, we’re professionals, don’t try this at home.)
We’re pretty sure this is an earlier campaign by the same phisher. We found it in our database when we went looking for variations of the one above.
This means that this campaign is evolving. They may eventually get around to copying the actual Craigslist.org login page which might make it a little harder to spot. Just remember, never click “login” links in emails, even if your bank sends them in real emails.
Make that especially if your bank sends them in real emails, since they’re just making it that much easier for Phishers. If you get an email that suggests you need to log in then type in the web address and use an address from a source other than the email itself.
OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.
Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."
OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.