Monday, June 21, 2010

Urgent - possible Craigslist malware alert

I just came across something that looks very questionable, and am sufficiently alarmed about it that I am making this post without doing my normal research first. I have not heard about this particular malware distribution approach before, and I very nearly did a bad bad thing just a few minutes ago (i.e. allowing an unknown executable to download and run).

The story: I posted a number of things on Craigslist today, two of which were guitar amplifiers. I received two responses within minutes of each other, on those amps, from two completely different email addresses - one being a Hotmail account, and the other a Live account. Both have the exact same message body:
"Will you trade for this?"
In each email, that "question" was followed by a URL (which I am not publishing for obvious reasons). I clicked on the links, which have the form "www.hostsimages.info/" (followed by alphanumeric values), and both took me to the same final URL, which looks like this:


It's hard to see in the image, but the page looks like it has some images that it wants to load, but can't for some reason. Also, Firefox has posted a message in the yellow banner bar that says:

This website needs to install the following add-on: 'Flash Image Loader' from 'AdobeFlash'. Please download the Flash Image Loader by clicking here...

Now, I've never heard of "Flash Image Loader" but it sounds legitimate enough - what I didn't notice until later is that it is supposedly sourced by a company called "AdobeFlash". Hmmmm. Fortunately before clicking on the yellow bar, which would've downloaded a file, I looked at Firefox's status bar while hovering my mouse cursor over that message, and the actual download URL shown is "images201.com/imagex.exe". I have no idea what that executable is, but it sure isn't from Adobe and could literally be anything. (Googling "imagex.exe" comes up with a few things, but none of them have anything to do with Flash or Adobe.)

In sum, what seems to be happening here is that some people up to no good are (either manually, or more probably by using automation) monitoring Craigslist postings, and responding with an email that has been cleverly constructed to lead people to a malicious site that downloads an executable on their machines.

So - I think I dodged a bullet here. What is quite ironic is that on a recent episode of my favorite security podcast Security Now, Steve Gibson declared that he never ever clicks on links that he gets via email. I remember chuckling to myself when I heard that, because I do it all the time and haven't had anything bad happen - hey, I'm a smart guy that sees this stuff coming! Well, I learned a lesson today for sure.

Finally: speaking of "Security Now", Steve has a post up on his blog about a recently discovered Adobe Flash exploit that everyone - yes even you Mac types (and Linux types...) needs to know about and take the appropriate steps for. Acrobat and (Acrobat) Reader are also affected, and the bad guys are already taking advantage of it. You can read about that here.



5 comments:

  1. I posted a couple bicycles for sale today and about two hours later I got the exact same thing. I decided to do some googling before installing the mystery plugin, and thank you for having this blog entry! It seemed fishy and I'm glad it was corroborated by your post...

    ReplyDelete
  2. I can't say I was as fortunate. I don't know what it's going to do to my computer or information, but I tried to instal the add on. I don't know what to do.

    ReplyDelete
  3. I responded to an ad for a free TV set on the local (New Bern, NC) FreeCycle list. I got an email back saying "Here a picture of it here" followed by a URL that presents an image just like you posted with the heading "Here some pic's of the stuff I have." Note the "Here a picture..." and "Here some pic's...", not "Here is" or "Here are." If I were to click on the yellow bar, it would attempt to execute that same "imagex.exe" file (unlikely on my MacBook).

    All I can do is notify the local FreeCycle administrator of the offending ID.

    ReplyDelete
  4. I too responded to a post on my local Freecycle offering a MIG welder, to which I got a response, with link "pic8j.info/7809r" and the message "you can see a picture of it here"

    Clicking the link brought me to a similar page (actual URL was http://pic3me.info/j/y.htm)
    and a slightly typoed message "Here some pic's of the stuff I'm getting rid of."

    I thought it was suspicious, looked up Adobe Image Reader and found it was a paid Application, not an add on. Didn't open the exe file. Will report to the Freecycle admin.

    ReplyDelete
  5. I responded to a freecycle offer for a trailbike and got this message:

    OK here's some pictures of it. http://photos44.info/hj78dsfds

    The page title is "Here some pic"

    And it asked me to install AdobeFlash.

    I downloaded it to scan it but didn't run it. Norton has no clue about it being a bad thing, but I'm not trusting it.

    ReplyDelete