Amusing Craigslist Phishing

The best way to double check that the page you are visiting is a legitimate page and not a phishing site, is to verify the domain name in the address bar (obviously, this does not work in case of DNS hijacking). Phishers have used a variety of techniques to make the URL look legitimate, like using http://login:[email protected] with a login name that looks like a legitimate domain.

I was amused when I saw a Craigslist phishing campaign last Friday. The phishing page ironically warns users about fake Craigslist pages. It tells people to always double check the URL before entering their credentials.
 

Craigslist phishing page claims to educate users on ... phishing sites!

If you didn't notice on the screenshot (click on the image to see it in its original size), the phishing page tells users to check the domain name at the end of the URL instead of the beginning.

Indeed, the phishing page that I spotted used a URL ending with what looks like a legitimate domain name: hxxp://69.175.106.6/~feacosa1/nozit/accounts.craigslist.org/.

The phisher is hiding the phishing page behind two other domains: URL shortener(s) redirect to different pages on free hosting sites which then redirect to the phishing page. It is a "smart" redirection in the sense that real users are redirected to the phishing page whereas URL shorteners are served with a regular page that looks legitimate. Even if the URL shorteners use a denylist to prevent abuse, they cannot apply it on the real final destination.

 

Spam page to hide the phishing page from security tools

Here are some of the domains used for the redirection:

• npzut81.125mb.com
• fdabbe61.batcave.net
• pziut318.batcave.net
• nipxuto11.125mb.com
• hpasut81.tekcities.com

This brought to my attention the fact that in addition to telling my friends to always check the URL and the domain name, I should also remind them where the domain actually is!

-- Julien