I’ve just been targeted by an interesting malware attack on Craigslist.
The attack works as follows. I am a legitimate user of Craigslist and I
have just posted an announcement to sell an item. A few hours later, I
receive an email asking:
u still offer?
I reply back that the item is still available and again after a few
hours I get the following email:
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can't afford another mistake as i did in the past.
Please check the video and confirm that it's the same u have.
http://fav-vid.com/playvideo.php?video=jgahnYYNPe0
If its the same one I will be there today to buy it
Thanks
Mmmh, fairly generic message (no reference to the actual item I’m
selling) and a “vid” link… Smells phishy. Just to be sure, I follow
the link and after a few redirects I wind up on
http://favvids.net/playvideo.php?video=jgahnYYNPe0&feature=youtube_gdata&name=my_stuff

The picture above shows a screenshot of this site.
Notice the fake notification bar on the top that resembles the one used
by Internet Explorer. Of course, it turns out that we need a “player”,
the FLVDirect Player, to
actually watch the video. Sounds familiar…
If I try to download the player, I am redirected to another site,
www.flvpro.com, which finally sends the binary.
The binary has fairly high detection on
VirusTotal (12/41 at this time).
Another curiosity: if one arrives on the site referenced in the email
with JavaScript disabled and attempts to download the player, he gets
redirected to www.thislinkhasbeendisabled.com, which laconically
announces:
This link has been disabled
It was surely a throw-away address, but as a reference, the original
sender on Craigslist was allenekf6dok3z@aim.com.
Stay away from this guy and these sites…

View full post on Marco’s Blog
Posted on 03 July 2010. Tags: Craigslist, craigslist malware, favvids net, Malware, watch-stuff net, watch-stuff us
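An added example (not from the original post): a mail-filter heuristic for the lure described above, keyed on the landing-page path and the template wording rather than on the throw-away sender address or the domain. The scoring weights, the function names and the VARIANT and BENIGN samples are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Phrases from the lure quoted in the post (lower-cased, apostrophes stripped).
TEMPLATE_PHRASES = (
    "cant afford another mistake",
    "please check the video and confirm",
    "buy the same which i am looking for",
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")  # shape of a YouTube video id
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be"}

def lure_urls(body):
    """URLs that hand a YouTube-style id to playvideo.php on a non-YouTube host."""
    hits = []
    for raw in URL_RE.findall(body):
        url = urlsplit(raw.rstrip(".,)"))
        video = parse_qs(url.query).get("video", [""])[0]
        if ((url.hostname or "").lower() not in YOUTUBE_HOSTS
                and url.path.lower().endswith("/playvideo.php")
                and VIDEO_ID_RE.fullmatch(video)):
            hits.append(url.geturl())
    return hits

def score_reply(body, item_keywords):
    """2 per lure URL, 1 per template phrase, 1 if the listed item is never named."""
    text = " ".join(body.lower().replace("\u2019", "").replace("'", "").split())
    score = 2 * len(lure_urls(body))
    score += sum(phrase in text for phrase in TEMPLATE_PHRASES)
    if not any(k.lower() in text for k in item_keywords):
        score += 1
    return score

# The lure as quoted in the post.
LURE = """Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can't afford another mistake as i did in the past.
Please check the video and confirm that it's the same u have.
http://fav-vid.com/playvideo.php?video=jgahnYYNPe0
If its the same one I will be there today to buy it
Thanks"""
# Constructed samples: the same landing page on a made-up domain, and a real buyer.
VARIANT = "pls confirm http://video-check.example/playvideo.php?video=abcdefghijk&name=my_stuff"
BENIGN = "Is the bike still for sale? Same model as http://www.youtube.com/watch?v=abcdefghijk ?"

if __name__ == "__main__":
    for name, body in (("LURE", LURE), ("VARIANT", VARIANT), ("BENIGN", BENIGN)):
        print(name, score_reply(body, ["bike"]), lure_urls(body))
```

A reworded message on a new domain still scores on the URL shape and the missing item name, while a genuine buyer who links to YouTube itself and names the item scores zero.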
Just had the exact same experience. Did not click on the link. Seems way too phishy since I even replied back with my phone number and they decide to try to make me click on an email link. It was not the same email address though…this was mine richardkuehllmv@aim.com . thanks for posting this.
Thank you for confirming this. I got the exact same response from my ad on Craigslist. The responder’s email for me was: creolauro7@aim.com.
leliadudley672@aim.com is another username they use, i got the same message and googled before downloading this B.S.
same thing today from stellauqd889@aim.com
FROM: cheryl15720@aim.com
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.
http://fav-vid.net/playvideo.php?video=jgahnYYNPe0
If its the same one I will be there today to buy it
Thanks
happened to me too. the e-mail was janey10142@aol.com …
Mine was betty53410@aim.com. I was wondering if there is a place in which I can report this “Betty” person. I even gave the person my # like Mike but they sent me the link and something just did not seem right.
I had the same thing happen to me – glad I found this before clicking the link. The email on mine was jeanene32452@aim.com
I tried to sell something on Craigslist yesterday and I got the same messages that you mentioned above. I didn’t click on the link because it seemed suspicious. Mine was sent from “eulaliapeters454@aim.com”.
I’m glad I found your message above before I took a chance and tried the link!
Same thing from:
dotrxyfu@aol.com
Hi,
Same thing here. My phishing request came from rozanne36339@aol.com. If you look at the source of the Video, it’s a Youtube video for a rock band.
http://www.youtube.com/watch?v=jgahnYYNPe0
Nice try scammers!
Though unfortunately, a lot of folks will be caught by this.
Same happened to me. Really dumb because I posted plenty of pictures (of dishes for pete’s sake!) so there was no need whatsoever for me to look at a stupid video. And they used similar wording: “just want to make sure i am going to buy the same which i am looking for. I can’t afford another mistake as i did in the past. Please check the video and confirm that it’s the same u have.” then they listed the favvid link. Grrr.
Happened to me as well, their email: noramnwz3@aol.com
happened to me.. luckily i didnt click on link…came from jilliannejrk@aol.com
same for me. joelle22834@aol.com
I just got an email today about something I was selling on craigslist asking if I still had the item. I replied saying I did and asked if he was interested, and he sent me the exact same email, word for word, as you put here. I was a little suspicious about it (I’m selling a video game, and I figured he could easily google the title and get his answer), so I copied the link and googled it to make sure it was legit. Now I know it’s not. Thanks for the warning before I made a mistake!
same here with
phebegoodwin307@aol.com
I received 12 of these initial contacts. Don’t open the attachment on the regular mail either, it injects your system with the AV virus. I received the video e-mail later.
Same thing for me today. E-mail from edrisray400@aol.com
Didn’t follow link.
Got the same thing, but did click the link. Refused to download whatever they expect you to install. Wrote back and said I could not open it and the pictures were the item.
This one was from vipvcc@aol.com. I think I will sign him up for some Viagra, porn and other crap in my spam box.
yep… me too…it happened today.
Thank you
Got the same thing from: janieturek084@aol.com
I received the EXACT same e-mail on my craigslist listing. It seemed very fishy, so I entered the website in a google search and found this site (thankfully). Mine came from a different e-mail address:
russellvrmnh@aol.com
I also had the same e-mail from essiegunn488@aim.com If those fools on CL would think for a second maybe they could do something about this, however all they do is flag post because they have no life. I am sure a lot of CL workers are involved in these scam e-mails.
So frustrating! I did click on the link, but then thought it seemed fishy. Did not download what it said I needed to watch the video and googled the link instead. Mine was from jodyvolinouim@aim.com. Emailing craigslist to see if they can put this info on their site to warn people.
Still going on. Mine was stephaniaaai214@aim.com
To all: please send the malicious url to my email [admin at computersecurityarticles dot info] for further analysis.
Thanks!
Same thing here. I really believed it as this has never happened to me before on Craigslist. I wrote back that I couldn’t see the page and have heard nothing back. I’m asking a dumb question, but what is the scam?
Here is the email address this came from:
desiraejob274@aim.com
Sent info to Craigslist.com via their online form, referencing this thread.
Just more of the same…. Surely they have better ways to spend their time???? eulaliadm31@aim.com
I received the same email. Luckily, I am a very paranoid person and did not click it. Googled and found it was a malware. an FYI, this is what mine said:
From: lisandratvm401@aim.com
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.
http://watch-stuff.us/playvideo.php?video=jgahnYYNPe3
If its the same one I will be there today to buy it
Thanks
My craigslist response initiated with just “im interested”, I replied with “still available and my #”
then came the bla, bla, can’t afford the same mistake please click the site and tell me if its the same. Sensing the oddness, I replied with “got another email from you but my firewall wont give me excess”, lorinajob581 replied with the same attempt.
Thanks all for sharing.
Same thing from mariqom@aim.com
Almost fell for it for some reason, glad I came here.
Got one from sophiaxipg1@aol.com
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.
http://watch-stuff.us/playvideo.php?video=jgahnYYNPe3
If its the same one I will be there today to buy it
Thanks
same message but i did click on it and tried to download and my computer said connection failure and said it didnt finish. my computer is working fine, i did look it up on youtube and its a documentary about aids a band or musicians trying to get people to know the risks of aids and how to prevent them. after i watch it i wasnt so mad because some people will go to great length for the common good of people.
I posted an ad on Craigslist (Los Angeles) and got similar email but from sidramet84@aim.com
Figured it was fishy because it was sent 4am and how many people shop at this time?
The URL is watch-stuff[.]us, which according to GoDaddy was registered july 11th (but op’s post is July 3rd??) I didn’t click on the link but went directly to URL before googling the site to see if it is legit.
Anyway I reported the website to
http://www.google.com/safebrowsing/report_badware/
____
Here is the whois…
Link: https://www.godaddy.com/gdshop/jump_pages/whois_underlying_data.asp?se=%2B&ci=4854&domain=watch-stuff.us&isc=&prog_id=godaddy
The same thing happened to me too…the email address was margheritapups@aol.com and the link was
http://watch-stuff.net/playvideo.php?video=jgahnYYNPr4
same happened to me it was earlier this month email was desirecin7@aol.com
I received it as well.
lynbmfpo@aol.com
http://watch-stuff.net/playvideo.php?video=jgahnYYNPr4
same from charisekhml@aol.com and hilarypusjq@aol.com
I got that same email today. I looked it up online before opening. Thanks for the info.
Same thing here… they seem to wait some time between messages.
This one was from “reginestde@aol.com”.
Me too…smarter than they are I guess. It seems to be all from AIM emails too.
Got one too. alene95949@aim.com .
Yep! some moron just tried to swindle me the exact same way as well. Obviously, he must not realize the power of Google. The email address of the loser is: dani09672@aim.com
I got the same email today. Thanks
yep just happened to me people need to get a life
here’s what he said
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.
http://watch-stuff.net/playvideo.php?video=jgahnYYNPr4
If its the same one I will be there today to buy it
Thanks
u sold out?
faggets name: halleutla@aol.com
Thanks to all here for the save. Mine came from margokidd2529@aol.com.
Seems like they’re all aoHell addresses.
Happened to me too the user’s name is dovie84976@aim.com….stay away from these creeps
Same thing from cassandraeydb@aol.com