Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Amusing Craigslist Phishing

August 17, 2011 - 2 min read
The best way to double check that the page you are visiting is a legitimate page and not a phishing site, is to verify the domain name in the address bar (obviously, this does not work in case of DNS hijacking). Phishers have used a variety of techniques to make the URL look legitimate, like using http://login:[email protected] with a login name that looks like a legitimate domain.

I was amused when I saw a Craigslist phishing campaign last Friday. The phishing page ironically warns users about fake Craigslist pages. It tells people to always double check the URL before entering their credentials.
Craigslist phishing page claims to educate users on ... phishing sites!

If you didn't notice on the screenshot (click on the image to see it in its original size), the phishing page tells users to check the domain name at the end of the URL instead of the beginning.

Indeed, the phishing page that I spotted used a URL ending with what looks like a legitimate domain name: hxxp://

The phisher is hiding the phishing page behind two other domains: URL shortener(s) redirect to different pages on free hosting sites which then redirect to the phishing page. It is a "smart" redirection in the sense that real users are redirected to the phishing page whereas URL shorteners are served with a regular page that looks legitimate. Even if the URL shorteners use a denylist to prevent abuse, they cannot apply it on the real final destination.

Spam page to hide the phishing page from security tools
Here are some of the domains used for the redirection:
  • npzut81.125mb.com
  • fdabbe61.batcave.net
  • pziut318.batcave.net
  • nipxuto11.125mb.com
  • hpasut81.tekcities.com

This brought to my attention the fact that in addition to telling my friends to always check the URL and the domain name, I should also remind them where the domain actually is!

-- Julien
form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.