Craigslist Car Scam Phishing Attack
[Nice first post from Christian, our newest analyst. When I heard him talking about this, I said, "You've got to write that up for the blog!" The story is now several days old, but when I asked him to check if we were still seeing traffic from this network, he confirmed that it's still active. --C.L.]
Email and phone-number phishing scams are almost as common on the Internet as pictures of pets wearing hats or videos of people doing ill-advised things. Craigslist is an excellent place to stumble upon these scams because posting there is easy and anonymous. I discovered a masterfully done scam designed to gather personal information from people looking to buy a car through the Craigslist classifieds.
The ads themselves looked perfectly innocuous, showing the car and the usual details about it:
(Also note the random string at the bottom of the ad: Craigslist requires SOME text in the body before it will accept a posting, so the scammers fill it with gibberish.)
The title claimed the car was being sold by a legitimate used-car dealership, in this case BMW of South Atlanta. The entire ad was one large image that, when clicked, helpfully sent you to a "BMW of South Atlanta" web page. There you had to register, entering your name, email address, and phone number, before the site would show you the car's price. That sounds harmless enough, but it is the whole point of the scheme: the registration form exists only to phish for your personal information. A quick Google search turned up the REAL BMW of South Atlanta site. The fake site reproduces the real site's content, and the only significant difference is the phone number, presumably so that anyone who calls the "dealership" reaches the scammers instead. To reproduce that much of the real site, the scammers must have scraped it and rehosted the copy on a server of their own (which I eventually tracked down).
[Screenshot: the real BMW of South Atlanta site]
[Screenshot: the fake site]
Using our logs, I traced the fake ads to a network of 20 IP addresses. Our automated systems had already linked those IPs together, so pulling all of their traffic with our SeeMore system was quick and simple. The IPs correlated to more than 2,700 sites, most of them randomly generated subdomains under a set of 26 parent domains. The automated correlation was accurate enough to catch not only the fake dealership sites themselves but also the content servers that hosted all of the pictures and acted as the redirectors. The Bad Guys ran such an incredibly clean, self-contained scam network that it might as well have had a bow on top.
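The pivot described above (seed IPs, then every host served from those IPs, then every IP those hosts resolve to, until nothing new appears, followed by grouping the hosts by parent domain and flagging generated-looking subdomains and the image/redirect servers) can be sketched in a few dozen lines. The following is an added example, not code from the original post or from the SeeMore or Malnet Tracker systems it mentions. The log format, the IP addresses, the domain names, and the "generated label" heuristic are all constructed assumptions; the parent-domain rule simply takes the last two labels, which real tooling should replace with a Public Suffix List lookup.

```python
import re
from collections import defaultdict

# Constructed sample proxy log, not real traffic: "<dst_ip> <host> <path> <status>".
# All IPs are from documentation ranges and all domain names are invented.
SAMPLE_LOG = """\
203.0.113.10 qx8t2.auto-deals.example /bmw-of-south-atlanta/ 200
203.0.113.10 kv93pa.auto-deals.example /bmw-of-south-atlanta/register 200
203.0.113.11 qx8t2.auto-deals.example /bmw-of-south-atlanta/ 200
203.0.113.11 static.pic-host.example /img/ad_34891.jpg 200
203.0.113.12 static.pic-host.example /go?id=34891 302
203.0.113.12 b7zq1w.car-lots.example /honda-dealer/ 200
198.51.100.5 www.legit-dealer.example /inventory/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
IMAGE_RE = re.compile(r"\.(?:jpe?g|png|gif)$", re.I)
VOWELS = set("aeiou")


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ip, host, path, status = m.groups()
            records.append({"ip": ip, "host": host.lower(), "path": path, "status": int(status)})
    return records


def expand_network(records, seed_ips):
    """Pivot ip -> hosts -> ips repeatedly until the set stops growing.

    A host served from two addresses ties those addresses together, and every
    host seen on a linked address joins the set. Unrelated hosts (the legitimate
    dealer in the sample) never get pulled in because they share no IP or host.
    """
    ip_to_hosts, host_to_ips = defaultdict(set), defaultdict(set)
    for r in records:
        ip_to_hosts[r["ip"]].add(r["host"])
        host_to_ips[r["host"]].add(r["ip"])
    ips, hosts = set(seed_ips), set()
    changed = True
    while changed:
        changed = False
        for ip in list(ips):
            new_hosts = ip_to_hosts[ip] - hosts
            if new_hosts:
                hosts |= new_hosts
                changed = True
        for host in list(hosts):
            new_ips = host_to_ips[host] - ips
            if new_ips:
                ips |= new_ips
                changed = True
    return ips, hosts


def parent_domain(host):
    """Assumption: the parent domain is the last two labels (use the Public Suffix List in practice)."""
    return ".".join(host.split(".")[-2:])


def looks_generated(label):
    """Crude heuristic for machine-generated hostname labels: letters mixed with
    digits, or a label of five or more characters containing no vowels at all."""
    if len(label) < 5:
        return False
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    no_vowels = not any(c in VOWELS for c in label)
    return (has_digit and has_alpha) or (has_alpha and no_vowels)


def infer_roles(records, hosts):
    """Tag each host by what it served: image content, HTTP redirects, or plain landing pages."""
    roles = defaultdict(set)
    for r in records:
        if r["host"] not in hosts:
            continue
        if IMAGE_RE.search(r["path"]):
            roles[r["host"]].add("content")
        if 300 <= r["status"] < 400:
            roles[r["host"]].add("redirector")
    return {h: sorted(roles[h]) or ["landing"] for h in hosts}


def summarize(records, seed_ips):
    """Run the whole pivot and group the result the way the post describes it."""
    ips, hosts = expand_network(records, seed_ips)
    by_parent = defaultdict(list)
    for h in sorted(hosts):
        by_parent[parent_domain(h)].append(h)
    return {
        "ips": sorted(ips),
        "hosts": sorted(hosts),
        "parent_domains": dict(by_parent),
        "generated_subdomains": sorted(h for h in hosts if looks_generated(h.split(".")[0])),
        "roles": infer_roles(records, hosts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_log(SAMPLE_LOG), ["203.0.113.10"]), indent=2))
```

Starting from the single seed address, the closure pulls in the second landing-page address (shared by `qx8t2.auto-deals.example`), the picture host that both addresses serve, and the third address behind that picture host, while the legitimate dealer's site stays out because it shares nothing with the cluster. The role tagging is what separates the fake dealership pages from the content servers and redirectors; in a real deployment you would feed the hosts and addresses into a blocklist the way the post's Malnet Tracker does.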
We've now got the entire network in the Malnet Tracker [so it's officially a Scamnet Tracker as well, on top of Malnets and Spamnets...], which should keep people from falling victim to the scam.
Thanks for reading!