Craigslist – Confirmation for Posting Fraud

A clever Craigslist phishing fraud uses a highly targeted approach to trick Craigslist advertisers into giving up their usernames and passwords.

The trick is to include the headline of an actual Craigslist posting, which helps evade spam filtering and, more importantly, increases the likelihood of fooling the recipient into believing the “Confirmation for Posting” is legitimate.

A typical email arrives with headers such as:

Subject:     Your ad, titled ‘1970 short bed ford ‘ has been posted.
From:     craigslist <acount@pueblo.craigslist.org>

The Subject line varies to match the title of the specific Craigslist posting.

A nice touch on the part of the spammer is that the spoofed From address looks legitimate at first glance, but the login is intentionally misspelled “acount@” rather than “account@”. This is an exceptionally clever tactic: the minor spelling error won’t be noticed by the average recipient, but it will cause any replies to that address to bounce, thus slowing down attempted email notifications to legitimate Craigslist staff.

Here’s a copy of an actual phishing message:

Craigslist Confirmation for Posting Fraud


If the recipient is duped into believing this “confirmation” is real, their next thought is likely to be that since they didn’t post this ad, perhaps their account has been hacked.

If they then follow the link to log in, they’ll be presented with a bogus login page that looks like this:

Craigslist Phishing Login Page


If you then provide your Craigslist username and password to this form, two things will happen:

  1. Your username/password will be forwarded to the spammer who sent you this phishing fraud in the first place.
  2. Your browser will be redirected to the real Craigslist.org website in order to further trick you into thinking the alert was real and to prevent you from realizing you’ve just been socially hacked.
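As an added example (not OnlyMyEmail's code), here is a Python check a mail administrator could run over a message like the one above: it flags a From address that claims a craigslist.org mailbox but whose local part is a near miss of a real one (acount@ for account@), and any login link whose host is outside craigslist.org. The set of expected local parts, the placeholder login host and the sample message are assumptions, not taken from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed local parts of genuine craigslist notices; the real list is not on the page.
EXPECTED_LOCAL_PARTS = {"account", "noreply", "robot"}

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_craigslist_host(host):
    return host.lower() == "craigslist.org" or host.lower().endswith(".craigslist.org")

def suspicious_sender(from_header):
    """True when the From address claims craigslist.org but its local part is a
    near miss (distance 1 or 2) of an expected one, e.g. acount@ for account@."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if not is_craigslist_host(domain) or local in EXPECTED_LOCAL_PARTS:
        return False
    return any(edit_distance(local, good) <= 2 for good in EXPECTED_LOCAL_PARTS)

def offsite_links(body):
    """URLs in the body whose host is outside craigslist.org (the bogus login page)."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return [u for u in urls if not is_craigslist_host(urlparse(u).hostname or "")]

def classify(raw):
    """Run both checks over a raw RFC 822 message and report what was found."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode()
    return {"sender_typo": suspicious_sender(msg.get("From", "")),
            "offsite_links": offsite_links(body)}

# Constructed sample modelled on the lure above; the login host is a placeholder.
SAMPLE = """\
From: craigslist <acount@pueblo.craigslist.org>
Subject: Your ad, titled '1970 short bed ford' has been posted.
Content-Type: text/plain

Log in to review your posting: http://login.craigslist-verify.example/account
"""
```

A real deployment would keep the expected-sender list per brand and treat either finding as a reason to quarantine rather than deliver.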

All in all, this one is a pretty successful fraud: not only does it confuse users into surrendering their Craigslist login credentials, but it is convincing enough that many of our users will believe the email is legitimate even after we’ve blocked it as spam and a fraud.

From the spammer’s perspective, that’s about as good as it gets.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.
