I’m confused. I received a bunch of different emails from Craigslist that are posting confirmation receipts for things I actually haven’t put up for sale on Craigslist. I clicked on the link to see what was going on and all I got was a “loading” message, and it wasn’t even on the craigslist.com domain. What’s it all mean, Dave? Is this some sneaky Craigslist phishing attack from some cybercriminals, or a script virus or what?
Okay, we’ve gone through this before plenty of times. If you get an email that seems at all odd or inexplicable, you really need to make the assumption that it’s a scam or hustle of some sort and not click on the links. Sometimes it’s pretty obvious what’s going on, like a notification of your account being suspended from an organization you aren’t even associated with, like a bank.
Other times, however, it is possible, albeit not likely, that the email is legitimate. I mean, it sounds like you have listed at least one thing on Craigslist at some point in your life, so you weren’t unfamiliar with the email that was sent. And that, of course, is the game that all these cybercriminals, hackers, bad guys, whatever you want to call them, are playing. It’s just as easy to send 500,000 messages as 50, so if there’s even a 1% chance that a recipient will find it legit, they could get hundreds or thousands of people to click on their links.
If it’s a phishing attack, the resultant page will look legit and have some believable error message on it like “Please log in before proceeding…” and then if you’re not paying attention, you enter your account and password. An error ensues: “Validated. Please enter again to confirm”, and it then switches you to the real site. You blissfully proceed, never realizing that the first of those login screens was just some PC in a basement somewhere, harvesting account credentials. Ugh.
Worse, though, is when they’re script attacks, because then you don’t see anything particularly problematic, just a “working” or “confirmed” or similar message. Done. No worries. Right?
Wrong.
Let’s dig into this particular attack and you’ll see what’s going on. And then regret clicking on that link and, yes, it’s time to run some antivirus scanner!
First off, here’s one of the many bogus Craigslist messages I’ve received:
Looks pretty legit, doesn’t it? Even to the friendly “if you’re experiencing problems” section.
I didn’t, of course, actually post that I have a screwdriver set for sale. I don’t even own a screwdriver set, let alone a “screwdrivers kit”. Hmmm….
Moving my cursor over the link reveals what’s going on:
The domain “mainart.cn” is most assuredly not a part of Craigslist, so it’s very odd. Still, as a scientist, I’ll go ahead and click on it anyway, to see what happens.
It takes me to a page that shows this:
The item posting ID is wrong and the name of the item listed is wrong, but that’s not the issue. The issue is: what’s going on while it says “please wait…”?
As a first step, I simply went to the top level http://www.mainart.cn/ site, which shows this:
It appears to be a service where they make paintings out of photographs. Okay. I’m 99.9% sure that it’s a legit business and they have no idea that there’s this nefarious code hanging off their site, actually.
The fact that it says “100% Safe” is just irony, I suppose.
Back to the page that the bogus email sent us to, the answer is revealed when I View Source on the page:
Ahhhh…. that is most assuredly not good. Not good at all. The script is obfuscated so it’s not easily read (I chopped out about thirty lines of digits, btw) and it’s doing something suspicious to any user who is daft enough to click on the link.
Probably, it’s a virus being injected into the system.
So while you’re waiting for the posting to “load”, the page is actually pushing a virus onto your system. Yikes.
I’ll say it again, gang. Do not click on links from messages that are even the slightest bit suspicious or odd. It’s way too dangerous.
Oh, and you really need to scan your system for viruses. Good luck.
While trying to figure out just what the link would do, my anti-virus program (AVG) kept “getting in the way”. I suppose that’s a good thing the other 99.99% of the time. 🙂
Even while trying to access the page from an “unprotected” VM on my system, AVG kicked in on my “real” computer. (I probably should have written down what AVG said the malware was, but I didn’t think to do so at the time.)
But, your advice is spot on — don’t click. In a case like this, assuming you even have a Craigslist account, log in to the account the usual way, and then try to find the item in question.
I’m getting to the point where I will never, ever click on a link in an email.
Thanks for the info. That’s wild.