Malicious URLs in Fake Craigslist Emails
Today, Websense® Security Labs™ ThreatSeeker™ Network has seen a barrage of malicious emails pretending to be automated notifications from Craigslist. These emails instruct the recipient to click a link to complete a Craigslist request. The URLs in these emails redirect the user to malicious web sites hosting Blackhole Exploit Kit. So far we have seen over 150,000 of these emails in our Cloud Email Security portal. Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.
The emails have subject lines like:
POST/EDIT/DELETE : "Models for fine" (systems / network)
POST/EDIT/DELETE : "Studio4PaintWorkCatskills" (education)
POST/EDIT/DELETE : "Show Your Art" (cars+trucks)
The malicious emails are similar in appearance to legitimate Craigslist automated email notifications, including a legitimate looking sender address and name:
Here we can see the headers and SMTP transaction, showing Craigslist sender address and mail server:
Clicking on the link takes the victim to a compromised WordPress page containing obfuscated Java Script:
After deobfuscation, we can see an iFrame redirection to a malicious web site:
The malicious website tries to exploit the victim's computer using vulnerabilities such as:
More details can be found here.
The original links in the emails were detected by ACE in real-time using our Real-Time Security Scanner. In addition, we have increased the proactive detection of similar campaigns to our email security customers.