Monday, June 21, 2010

Urgent - possible Craigslist malware alert

I just came across something that looks very questionable, and am sufficiently alarmed about it that I am making this post without doing my normal research first. I have not heard about this particular malware distribution approach before, and I very nearly did a bad bad thing just a few minutes ago (i.e. allowing an unknown executable to download and run).

The story: I posted a number of things on Craigslist today, two of which were guitar amplifiers. I received two responses within minutes of each other, on those amps, from two completely different email addresses - one being a Hotmail account, and the other a Live account. Both have the exact same message body:
"Will you trade for this?"
In each email, that "question" was followed by a URL (which I am not publishing for obvious reasons). I clicked on the links, which have the form "www.hostsimages.info/" (followed by alphanumeric values), and both took me to the same final URL, which looks like this:


It's hard to see in the image, but the page looks like it has some images that it wants to load, but can't for some reason. Also, Firefox has posted a message in the yellow banner bar that says:

This website needs to install the following add-on: 'Flash Image Loader' from 'AdobeFlash'. Please download the Flash Image Loader by clicking here...

Now, I've never heard of "Flash Image Loader" but it sounds legitimate enough - what I didn't notice until later is that it is supposedly sourced by a company called "AdobeFlash". Hmmmm. Fortunately before clicking on the yellow bar, which would've downloaded a file, I looked at Firefox's status bar while hovering my mouse cursor over that message, and the actual download URL shown is "images201.com/imagex.exe". I have no idea what that executable is, but it sure isn't from Adobe and could literally be anything. (Googling "imagex.exe" comes up with a few things, but none of them have anything to do with Flash or Adobe.)

In sum, what seems to be happening here is that some people up to no good are (either manually, or more probably by using automation) monitoring Craigslist postings, and responding with an email that has been cleverly constructed to lead people to a malicious site that downloads an executable on their machines.
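The two signals that gave this campaign away are both mechanical enough to check automatically: identical reply text (minus the per-recipient link) arriving from unrelated senders minutes apart, and a "vendor" add-on prompt whose real download host has nothing to do with the vendor it names. The script below is an added example, not code from the original post; it runs over constructed sample replies (placeholder addresses and the hosts mentioned above) and implements both checks as simple heuristics, which flag things for a human to look at rather than decide trust on their own.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Matches http(s) URLs and bare "www." links as they appear in mail bodies.
URL_RE = re.compile(r"https?://[^\s\"'<>]+|www\.[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample replies (not real messages). The first two mimic what the
# post describes: identical "Will you trade for this?" text plus a link, sent
# from two unrelated addresses a few minutes apart; the third is an ordinary
# reply. Addresses are placeholders.
SAMPLE_REPLIES = [
    {"sender": "buyer-one@hotmail.example", "posting": "amp-1",
     "ts": "2010-06-21T10:02:00",
     "body": "Will you trade for this? www.hostsimages.info/AbC123"},
    {"sender": "buyer-two@live.example", "posting": "amp-2",
     "ts": "2010-06-21T10:05:00",
     "body": "Will you trade for this?\nwww.hostsimages.info/XyZ789"},
    {"sender": "realbuyer@mail.example", "posting": "amp-1",
     "ts": "2010-06-21T11:30:00",
     "body": "Is the amp still available? I can pick it up Saturday."},
]


def url_host(url):
    """Return the lowercased host of a URL, tolerating scheme-less links."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).netloc.lower()


def normalize_body(body):
    """Remove links and collapse case/whitespace so that replies differing
    only in their per-recipient link token compare equal."""
    return " ".join(URL_RE.sub("", body).lower().split())


def body_fingerprint(body):
    return hashlib.sha256(normalize_body(body).encode()).hexdigest()[:16]


def find_lure_clusters(replies, window=timedelta(minutes=30)):
    """Group replies by normalized body text. A group is reported as a probable
    lure when it carries a link and the same text arrived from two or more
    distinct senders within `window`."""
    groups = defaultdict(list)
    for r in replies:
        groups[body_fingerprint(r["body"])].append(r)

    clusters = []
    for fp, members in groups.items():
        senders = sorted({m["sender"] for m in members})
        urls = [u for m in members for u in URL_RE.findall(m["body"])]
        if len(senders) < 2 or not urls:
            continue
        times = sorted(datetime.fromisoformat(m["ts"]) for m in members)
        if times[-1] - times[0] > window:
            continue
        clusters.append({
            "fingerprint": fp,
            "text": normalize_body(members[0]["body"]),
            "senders": senders,
            "postings": sorted({m["posting"] for m in members}),
            "hosts": sorted({url_host(u) for u in urls}),
        })
    return clusters


EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".com", ".bat", ".pif")


def check_download_prompt(claimed_vendor, download_url):
    """Heuristic checks on an add-on/download prompt: does the link fetch a
    native executable, and does the claimed vendor name appear anywhere in the
    host that actually serves the file? Returns a list of reasons; an empty
    list means nothing obviously wrong, not proof of legitimacy."""
    reasons = []
    if "://" not in download_url:
        download_url = "http://" + download_url
    parsed = urlparse(download_url)
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable download")
    # Split "AdobeFlash" into ["adobe", "flash"] and look for any of them
    # among the host's labels (e.g. "get.adobe.com" -> ["get", "adobe", "com"]).
    vendor_tokens = [t.lower() for t in re.findall(r"[A-Z]?[a-z]+", claimed_vendor)]
    labels = parsed.netloc.lower().split(".")
    if not any(t in labels for t in vendor_tokens):
        reasons.append("vendor/host mismatch")
    return reasons


if __name__ == "__main__":
    for c in find_lure_clusters(SAMPLE_REPLIES):
        print("probable lure:", c)
    print(check_download_prompt("AdobeFlash", "images201.com/imagex.exe"))
```

On the sample data the first two replies collapse to one cluster with two senders, two postings and one link host, and the banner's download URL trips both the executable and the vendor-mismatch checks. The vendor check is deliberately loose (it only asks whether any word of the claimed vendor name is a label of the serving host), so it catches the obvious case on this page without pretending to be a whitelist.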

So - I think I dodged a bullet here. What is quite ironic is that on a recent episode of my favorite security podcast Security Now, Steve Gibson declared that he never ever clicks on links that he gets via email. I remember chuckling to myself when I heard that, because I do it all the time and haven't had anything bad happen - hey, I'm a smart guy that sees this stuff coming! Well, I learned a lesson today for sure.

Finally: speaking of "Security Now", Steve has a post up on his blog about a recently discovered Adobe Flash exploit that everyone - yes, even you Mac types (and Linux types...) - needs to know about and take the appropriate steps for. Acrobat and (Acrobat) Reader are also affected, and the bad guys are already taking advantage of it. You can read about that here.