marco
blog
Menu:
Craigslist malware
July 2, 2010
I've just being targeted by an interesting malware attack on Craigslist. The attack works as follows. I am a legitimate user of Craigslist and I have just posted an announcement to sell an item. A few hours later, I receive an email asking:
u still offer?
I reply back back that the item is still available and again after a few hours I get the following email:
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can't afford another mistake as i did in the past.
Please check the video and confirm that it's the same u have.
http://fav-vid.com/playvideo.php?video=jgahnYYNPe0
If its the same one I will be there today to buy it
Thanks
Mmmh, fairly generic message (no reference to the actual item I'm
selling) and a "vid" link... Smells phishy. Just to be sure, I follow
the link and after a few redirects I wind up on
http://favvids.net/playvideo.php?video=jgahnYYNPe0&feature=youtube_gdata&name=my_stuff
The picture above shows a screenshot of this site.
Notice the fake notification bar on the top that resembles the one used
by Internet Explorer. Of course, it turns out that we need a "player",
the FLVDirect Player, to
actually watch the video. Sounds familiar...
If I try to download the player, I am redirected to another site,
www.flvpro.com, which finally sends the binary.
The binary has fairly high detection on
VirusTotal (12/41 at this time).
Another curiosity: if one arrives on the site referenced in the email
with JavaScript disabled and attempts to download the player, he gets
redirected to www.thislinkhasbeendisabled.com, which laconically
announces:
This link has been disabled
It was surely a throw-away address, but as a reference, the original sender on Craigslist was allenekf6dok3z@aim.com.
Stay away from this guy and these sites...
