Craigslist malware

I've just been targeted by an interesting malware attack on Craigslist. The attack works as follows. I am a legitimate user of Craigslist and I have just posted an announcement to sell an item. A few hours later, I receive an email asking:

u still offer?

I reply back that the item is still available, and again after a few hours I get the following email:

Thank you for getting back to me. 

I just want to make sure i am going to buy the same which i am looking for. 
I can't afford another mistake as i did in the past. 
Please check the video and confirm that it's the same u have. 

http://fav-vid.com/playvideo.php?video=jgahnYYNPe0 

If its the same one I will be there today to buy it 

Thanks

Mmmh, fairly generic message (no reference to the actual item I'm selling) and a "vid" link... Smells phishy. Just to be sure, I follow the link and after a few redirects I wind up on http://favvids.net/playvideo.php?video=jgahnYYNPe0&feature=youtube_gdata&name=my_stuff

[Screenshot: Malware site advertised through Craigslist]

The picture above shows a screenshot of this site. Notice the fake notification bar on the top that resembles the one used by Internet Explorer. Of course, it turns out that we need a "player", the FLVDirect Player, to actually watch the video. Sounds familiar... If I try to download the player, I am redirected to another site, www.flvpro.com, which finally sends the binary. The binary has fairly high detection on VirusTotal (12/41 at this time).

Another curiosity: a visitor who arrives on the site referenced in the email with JavaScript disabled and attempts to download the player is redirected to www.thislinkhasbeendisabled.com, which laconically announces:

This link has been disabled

It was surely a throw-away address, but as a reference, the original sender on Craigslist was allenekf6dok3z@aim.com.

Stay away from this guy and these sites...
