I’ve just been targeted by an interesting malware attack on Craigslist.
The attack works as follows. I am a legitimate user of Craigslist and I
have just posted an announcement to sell an item. A few hours later, I
receive an email asking:
u still offer?
I reply back that the item is still available and again after a few
hours I get the following email:
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can't afford another mistake as i did in the past.
Please check the video and confirm that it's the same u have.
http://fav-vid.com/playvideo.php?video=jgahnYYNPe0
If its the same one I will be there today to buy it
Thanks
Mmmh, fairly generic message (no reference to the actual item I’m
selling) and a “vid” link… Smells phishy. Just to be sure, I follow
the link and after a few redirects I wind up on
http://favvids.net/playvideo.php?video=jgahnYYNPe0&feature=youtube_gdata&name=my_stuff

The picture above shows a screenshot of this site.
Notice the fake notification bar on the top that resembles the one used
by Internet Explorer. Of course, it turns out that we need a “player”,
the FLVDirect Player, to
actually watch the video. Sounds familiar…
If I try to download the player, I am redirected to another site,
www.flvpro.com, which finally sends the binary.
The binary has fairly high detection on
VirusTotal (12/41 at this time).
Another curiosity: if one arrives on the site referenced in the email
with JavaScript disabled and attempts to download the player, he gets
redirected to www.thislinkhasbeendisabled.com, which laconically
announces:
This link has been disabled
It was surely a throw-away address, but as a reference, the original
sender on Craigslist was allenekf6dok3z@aim.com.
Stay away from this guy and these sites…

View full post on Marco’s Blog
Posted on 03 July 2010. Tags: Craigslist, craigslist malware, favvids net, Malware, watch-stuff net, watch-stuff us
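The lure links quoted on this page rotate host names but keep one shape: a /playvideo.php path and a video token with a constant core, so a mailbox filter can match on shape instead of a host blocklist. The Python below is an added example, not code from the original post; the function names and the benign control message are constructed for illustration, and the lure URLs in the sample are the ones quoted on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def lure_links(body):
    """Return (host, token) for each .../playvideo.php?video=<token> link."""
    found = []
    for raw in URL_RE.findall(body):
        parts = urlsplit(raw.rstrip(".,;)"))
        if not parts.path.lower().endswith("/playvideo.php"):
            continue
        token = parse_qs(parts.query).get("video", [""])[0]
        if token and parts.hostname:
            found.append((parts.hostname.lower(), token))
    return found


def shared_marker(tokens, min_len=5):
    """Longest substring common to all tokens ("" if shorter than min_len).

    Substring rather than prefix: one variant quoted on this page puts
    extra characters in front of the otherwise constant part.
    """
    if not tokens:
        return ""
    shortest = min(tokens, key=len)
    for size in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - size + 1):
            cand = shortest[start:start + size]
            if all(cand in t for t in tokens):
                return cand
    return ""


def triage(messages):
    """Return (campaign marker, {message id: sorted lure hosts})."""
    links = {mid: lure_links(body) for mid, body in messages.items()}
    tokens = sorted({tok for found in links.values() for _, tok in found})
    flagged = {mid: sorted({host for host, _ in found})
               for mid, found in links.items() if found}
    return shared_marker(tokens), flagged


# m1-m4 carry lure URLs quoted on this page; m5 is a constructed benign control.
SAMPLE = {
    "m1": "Please check the video and confirm that it's the same u have.\n"
          "http://fav-vid.com/playvideo.php?video=jgahnYYNPe0",
    "m2": "http://watch-stuff.net/playvideo.php?video=jgahnYYNPr4",
    "m3": "http://fav-vid.us/playvideo.php?video=jgahnYYNPs6",
    "m4": "http://video-fav.net/playvideo.php?video=98kjgahnYYNPji0",
    "m5": "Is it still available? Photos: https://example.org/album?id=42",
}

if __name__ == "__main__":
    marker, flagged = triage(SAMPLE)
    print("shared token marker:", marker)
    for mid, hosts in flagged.items():
        print(mid, "->", ", ".join(hosts))
```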
I got the same e-mail from:
charlenegyf224@aim.com
That same thing happened to me today! I replied by saying i couldn’t open the link. the first message they sent me was, “I’m Interested!”
chantelleftlp9 is the email i got mine from.
same thing happened to me 7/14 by chantalzo@aol.com
Got the same thing from jaquelinehw@aol.com.
It’s too bad this is happening. It ruins great sites like Craigslist for the rest of us.
JUST GOT THIS EMAIL REPLY AFTER JUST ASKING THEM TO CALL OR TEXT IF INTERESTED IN THE ITEM AND ONCE THEY DECIDED TO EMAIL BACK I KNEW SOMETHING WASN’T RIGHT SO I SEARCHED AND FOUND THIS SITE AND ALL THE PEOPLE WHO HAVE RECEIVED THE SAME STUFF. HELPED ME OUT A LOT IN FINDING OUT WHAT IT WAS.
HERE’S THE MESSAGE THEY SENT ME :
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.
http://watch-stuff.net/playvideo.php?video=jgahnYYNPr4
If its the same one I will be there today to buy it
Thanks
IT CAME FROM THIS EMAIL ADDRESS
“tonya42637@aim.com”
lyn09812@aim.com to me
show details 10:38 AM (19 hours ago)
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.
http://watch-stuff.net/playvideo.php?video=jgahnYYNPr4
If its the same one I will be there today to buy it
Notice that jgahn is a constant, even though the ending changes
Same deal.
molek63asrsb7@aim.com
Funny thing is, I’m on a Mac, so it wouldn’t have done anything to my system. I clicked on it anyway, and clicked on the link to download the file, but it sent me to Google instead. Heh…
Same thing happened to me, thanks for the heads up:
From: merrill20561@aim.com
mailed-by aim.com
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.
http://fav-vid.us/playvideo.php?video=jgahnYYNPg5
If its the same one I will be there today to buy it
Thanks
I got:
http://fav-vid.net/playvideo.php?video=jgahnYYNPe0
Seems all emails are from aim.com addresses. I’ve been meaning to block all aim mail, it’s all garbage.
Same here…
tomidavis536@aim.com
Craigslist may think it’s retro cool to not update the look of their site for 10 years, but man it would be nice if they spent some energy making it more difficult to scam people.
looks like all these phishing attempts are originating from @aim or @aol addresses.
Mine came from renita1832@aol.com
Got the same from
johnniedowd824@aol.com
same thing…happened today
“wenonamelnick985@aol.com”
I got this one today from brandieuwg0@aol.com.
The link used was: http://fav-vid.us/playvideo.php?video=jgahnYYNPs6
Thank you for getting back to me.
Same thing from timothynorton358@aol.com
I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.
http://fav-vid.us/playvideo.php?video=jgahnYYNPs6
If its the same one I will be there today to buy it
Thanks
Same story….below. List this bitch on your block senders list. colenezw214@aol.com
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for. I can’t afford another mistake as i did in the past. Please check the video and confirm that it’s the same u have.
http://fav-vid.us/playvideo.php?video=jgahnYYNPs6
If its the same one I will be there today to buy it
Thanks
Just got one. This site was the first with a reference to it.
message received from aileen82790@aol.com with a request to visit ==>
http://fav-vid.us/playvideo.php?video=jgahnYYNPs6
How do you know when or if the malware was installed? when you click the link? I did it by accident. how do I check/recover? Thanks.
same crap from
rebeccachacon60@aol.com
anprop@aol.com
I got the same thing today from juliapxhq@aol.com.
I did click the link (although firefox tried to block it) and got to the site, however I was not stupid enough to click the download link.
Do you guys think my computer will still be infected? I’ve already erased my cookies and ran a full system scan on Norton.
dejabarrera4187@aol.com – another email account running this scam
Same stuff here today:
Sender: alyciadowdell974@aol.com
Target URL: http://fav-vid.us/playvideo.php?video=jgahnYYNPs6
Follow the URL with a legit AgentString and your favorite version of CURL and you eventually end up on http://favvids.net/playvideo.php?video=jgahnYYNPe0&feature=youtube_gdata&name=my_stuff, which tries to get you to click through to http://www.flvpro.com/?aff=3090_generic to get your malware for the day…
just got mine and it looked way too suspicious so i found this site rather than follow that link. Thanks for posting this. Now i want to hurt them.
My reply came from angellacoons959@aol.com
Thank you for getting back to me.
I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.
http://fav-vid.us/playvideo.php?video=jgahnYYNPs6
If its the same one I will be there today to buy it
Thanks
I have run into a very similar problem. Thank you for the post. This time it took me to http://www.zuiom.com/msc01/
Different user but same scam.
I got:
——————————————————————-
Hi I am Beverly,
I would like to talk to you about the item you have on sale. I’m interested in buying it.
Thanks,Beverly.
——————————————————————-
…and then after I replied:
——————————————————————-
Hi…good to hear back from you.
Please check the below video and confirm that it’s the same u have.
http://video-fav.net/playvideo.php?video=98kjgahnYYNPji0
I don’t want to make another mistake as before.
If its the same one I will be there today to buy it!
Thanks ,
——————————————————————-
…from “chrystelle labrie “.
Same scam here from corinelabrie4342@yahoo.com .
My first response was from rachelmathysfijn@hotmail.com, when I answered the original question 2nd reply came from betteziebaokxu@hotmail.com. Immediately made me suspicious so I searched and found this site.
Got the same:
Appreciate it for getting back with me.
Sorry about that, My email was,
I’m very intrigued in this but before I invest in it i would like to find out if its the exact one I’m hunting for. Because I can not afford another mistake. Just check out this footage here I published and let me know.
/play.php?pid=dsa1e5fas5yui4op&?name=special_products-forall
If its the identical one I will be there immediately to buy it.
Appreciate it.
Sent from pollywildaycvnv@hotmail.com
First e-mail from:
Scotty PICKREN
Second e-mail from:
Richard BURTCH
This has happened to every Craigslist ad I have posted, but from different e-mail addresses.
I got the same one that the first one is (name) Shawn KNOY (email address) of shawnknoybovj@hotmail.com So I sent a reply telling him I doubt this is real but I will play along. When I got HIS REPLY it came from a different email address of rodgeryarboughkfaq@hotmail.com and the name of Rodger YARBOUGH. So after I played along and went to the site READY for something, I of course was able to block everything out. But I STILL sent him a reply back saying Yes I looked at it and it IS NOT the one as you got before and asked him if he wanted to pick it and if so when ? I’m waiting for a reply back now. Grin. I figure the more time he spends with me, the less time he can spend with someone who is not as informed as I am. Yes there is a possibility that I will get something, but this is kinda fun.
Dan
@Jeff, Darin F, Dan: Could you please forward the malicious email to admin[at]computersecurityarticles.info ? Thanks!
Got it today as well from… “felipequezairekdmp@hotmail.com” trying to sell an audio receiver.
Any Tosh.O fans out there will respect my reply.
My reply:
That’s great. I can tell you this is definitely the receiver you are looking for without going to your fake malware site. Contact me when ready to buy.
This is like the energizer bunny.. still going and going..
Mine came from… nickynickywigglesworthulqq@hotmail.com and the link points to… http://favvids.net/my_stuff.php
I didn’t even go to see what was there.
mailed-by hotmail.com
Appreciate it for getting back with me.
Sorry about that, My email was,
I’m very intrigued in this but before I invest in it i would like to find out if its the exact one I’m hunting for. Because I can not afford another mistake. Just check out this footage here I published and let me know.
/play.php?pid=dsa1e5fas5yui4op&?name=special_products-forall
If its the identical one I will be there immediately to buy it.
Appreciate it.
1/27/2011, got a similar message from “reidrogersonxpzd@hotmail.com”.
Appreciate it for getting back with me.
Sorry about that, My email was,
I’m very intrigued in this but before I invest in it i would like to find out if its the exact one I’m hunting for. Because I can not afford another mistake. Just check out this footage here I published and let me know.
/play.php?pid=dsa1e5fas5yui4op&?name=special_products-forall
If its the identical one I will be there immediately to buy it.
Appreciate it.
Mine was the same. I reported them to hotmail as using hotmail to spread a virus.
Let’s shut the scumbags down. Report them to EVERY email provider they use.
I got a couple today too, with the same verbiage. The first was from:
Humberto MONGE
humbertomongeyorp@hotmail.com
It just said “I’m interested”
When I replied I got the second email from:
Christoper KNOBLER
christoperknoblerisel@hotmail.com
Appreciate it for getting back with me.
Sorry about that, My email was,
I’m very intrigued in this but before I invest in it i would like to find out if its the exact one I’m hunting for. Because I can not afford another mistake. Just check out this footage here I published and let me know.
/play.php?pid=dsa1e5fas5yui4op&?name=special_products-forall
If its the identical one I will be there immediately to buy it.
Appreciate it.
I don’t like clicking on unknown/unsolicited links so I went looking and found this article. Thanks so much for publishing.
sungfeaganwbnx@hotmail.com
1/28/2011 got a similar message with a twist:
First email was: lennylatskoutdq@hotmail.com
Second email was: marlinmcmeekinsbkb@hotmail.com
Second message had a halfway apology for the email:
>Appreciate it for getting back with me.
>Sorry about that, My email was,
>I’m very intrigued in this but before I invest in it i would like to find out if its the exact one I’m hunting for. Because I can not afford another mistake. Just check out this footage here I published and let me know.
>/play.php?pid=dsa1e5fas5yui4op&?name=special_products-forall
In order to see the link, Right click and View Source:
/play.php?pid=dsa1e5fas5yui4op&?name=special_products-forall
Thanks
Source:
//favvids.net/my_stuff.php” target=”_blank”>/play.php?pid=dsa1e5fas5yui4op&?name=special_products-forall
Traced back to FRANCE
I just got one, too. No doubt those are all fake e-mail addresses–i.e., not real people, at least the ones using those names. The rule to follow is this: If someone responds to your CL ad and asks you to click on a link in their e-mail, NEVER click on it! Do a Google (or Yahoo) search for the url. Additionally, two things can help guide you about safe sites: McAfee SiteAdvisor, and WOT (Web of Trust)(an add-on for Mozilla Firefox). If you don’t have them, check them out!
First received response to my posting on craigslist as a question from Emily Johnson [laciegunyancvqr@hotmail.com]: “$5”. When I replied to that one, I got this one from Emily Johnson [lilianaticklerdak@hotmail.com] that said:
“Thank you so much for getting back with me
sorry about that, My e mail was,
I’m very interested in this but just before I pay for it I want to know if its an identical one I’m looking for because I can’t afford a second slip-up Please make sure to check out this footage here I published and let me know
/play.php?pid=dsa1e5fas5yui4op&?name=Exospore_special_products-forall
If its the same exact one I will be there as soon as possible to grab it
Thank you”
It just seemed suspicious so I turned it in to Craigslist and “goggle’d” the link to see what I could find. That’s when I found this blog.
Just wish there was some way to pound people who waste my time and try to take advantage of people who might not think their messages suspicious!!!!!
I got the same reply & the same link. Microsoft Security Essentials deemed it unsafe, so obviously I didn’t download it. A good point is the generic reference to the item, rather than specifics. I thought the email seemed odd, especially the part about how they will be there to buy it today. i’m selling a ping pong table, and i had images with the brand name of the table, so the fact that they couldn’t tell if it was what they were looking for seemed odd enough anyhow. Here is the address of the first email address;
Emily Johnson
and the follow up email address;
Emily Johnson
“Jessica Brown” This one sent the video link to me.
Jessica Brown p_articiageorglosxr@hotmail.com Take underscore out of email addy. Weird that it would print on the first post.
Thank you for getting back with me
sorry about that, My e-mail had been,
I’m very intrigued in this but prior to I pay for it I need to find out if its the exact same one I’m interested in because I can not afford a second slip-up Please be sure to check out this footage here I submitted and let me know
/play.php?pid=dsa1e5fas5yui4op&?name=Cantraps_special_products-forall
If its the same exact one I will be there as soon as possible to grab it
Thanks a lot
I originally got the exact message as everyone else except I have 2 separate email addresses from the same person.
I would believe that the 1st email was the real person’s email the 2nd is the fake!
Gotcha, hahaha!
1st email=victorgruzfhty@hotmail.com
2nd email=augustinefiaschettiguig@hotmail.com
Appreciate it for getting back with me.
Sorry about that, My email was,
I’m very intrigued in this but before I invest in it i would like to find out if its the exact one I’m hunting for. Because I can not afford another mistake. Just check out this footage here I published and let me know.
/play.php?pid=dsa1e5fas5yui4op&?name=special_products-forall
If its the identical one I will be there immediately to buy it.
Appreciate it.
paulreitmanalma@hotmail.com, AND marchamielidtu@hotmail.com are hot. I was so sad. The message was the same as above.
Stupid.