We’re seeing a strong increase in Phishing Fraud emails targeting Craigslist.org accounts.
The emails generally arrive such as:
Subject: flagged & removed : 1977204121
From: “no-reply@craigslist.net” <no-reply@craigsliist.net>The ID/Case number in the subject line will vary in an attempt to evade spam filtering.
The sending address is spoofed as the emails are not actually sent from Craigslist.org servers.
An example email:
Stealing Craigslist usernames and passwords is becoming increasingly popular amount Internet spammers and hackers.
The latest campaign warns of account suspension in order to get the recipient’s attention:
Subject: craigslist.org: Account Temporarily suspended
From: ”craigslist.org” <noreply@craigslist.org>
Though the message actually comes from hijacked Yahoo email accounts (from nm11-vm0.bullet.mail.ac4.yahoo.com) the email itself is a pretty good approximation of a legitimate Craigslist notification:
Click for Larger Image
One of the tactics that works very well for spammers is tricking (Phishing) users into sharing their email account login and passwords and then using the hijacked account to send spam.
The advantages of using a hijacked account include:
The only downside is since many users will eventually take back their accounts (or admins will disable them) the spammer needs a constant source of new email accounts.
More Phishing frauds are being received for TD Canada Trust Bank customers:
TD ALERT : You have received a new payment.
TD Canada Trust Bank. <e-payment@easywebsoc.td.com>
This campaign appears to originate from accounts on SimpleHELIX web servers:
‘from defend3.simplehelix.com ([206.126.97.8]‘
Here’s a well designed Phishing fraud targeting USAA.com users:
Subject: Notification at usaa.com
From: USAA <USAA.Web.Services@customermail.usaa.com>
The somewhat standard warnings are used:
Dear Customer,
As part of our security measures, we regularly screen activity in the usaa.com system. We recently contacted you after noticing an issue on your account. We requested information from you for the following reason: more »
Lots of Phishing frauds targeting JP Morgan Chase customers.
Subject: Chase Bank Alert: Your Account Is Inactive
From: JP Morgan Chase Online <Membership@chase.com>
These spoofed notices go on to warn recipients: more »
The “Phish of the Week” spoofs legitimate Wells Fargo Bank email:
Subject: Account Update
From: Wells Fargo Bank <alert@wellsfargobank.com>
The bogus alert says, in part:
As part of our security measures, we regularly screen activity in the Wells Fargo system. During a recent screening, we noticed an issue regarding your account.
A slight error has been detected while making recent changes in your account information.
more »
A new and very well crafted spoofed Bank of America Alert is making the rounds:
Subject: Bank of America Alert : Account Locked
From: Bank Of America <onlinebanking@ealerts.bankofamerica.com>
In reality, the email address is spoofed and could be coming from anywhere, but the ones we’ve reviewed so far came from hostgator.com accounts through their annonymous “WebsiteWelcome” domain:
gateway08.websitewelcome.com ([69.56.142.29])
Phishing frauds targeting JP Morgan Chase are arriving, identified as:
Subject: Chase Online :Unauthorized Account Access
From: Chase Online <customerservice@chase-online.com>
The sending address is spoofed as these actually originate from any number of otherwise legitimate hijacked web servers.
The fraudulent email attempts to convince recipients that their account is in jeopardy and that as a result they need to log into the Chase site. more »
The latest version in the never-ending stream of Paypal Phishing frauds is arriving in in-boxes, identifying itself as:
Subject: Your account Paypal has been limited !!
From: Paypal services <paypal@security.com>
The sending address is of course spoofed, actually sent from servers like:
‘from host.seconde-dns4.com ([94.23.203.198])
The email typically contains a warning such as this:
