Craigslist, the online classified advertisements website, is not only the world's most popular classifieds site but also one of the most popular websites on the internet. It receives billions of page views every month, sits in the top one hundred most visited websites in the world, and is the twelfth most visited website in the United States. When it was founded it gave the Internet a much needed platform for advertising, selling and exchanging goods, and its emphasis on functionality over design made it the success story it is today. Craigslist does one thing, and does it very well.
However, for many of the same reasons Craigslist is popular with the wider public, it is also very popular with scammers and fraudsters (any regular user of Craigslist will attest to this). Anywhere people congregate, whether in the real world or online, is a haven for individuals and organisations with malicious intent, so it is no surprise that Craigslist is regularly targeted by nearly every scam in the book. The topic of this blog is one of them in particular: the persistent attempts by scammers to defraud registered Craigslist account holders, or to steal their personal and sensitive information, by sending phishing SMS text messages (sometimes referred to as smishing or SMSishing). Phishing is a favourite social engineering technique amongst scammers because it is an effective way of prompting users to divulge their personal information; the SMS, in this context, is the bait. It is also very likely that the recipients of these messages are registered Craigslist account holders, as spammers have been known to harvest phone numbers directly from the Craigslist website.
These SMS phishing messages take many forms. The most common are messages purporting to be:
1. From Craigslist - If the message claims to be from Craigslist (the team, the support team etc.), it will more than likely say something about unauthorised activity on the account, or that the account has been blocked or suspended and must be verified by the user logging into their account through the link provided in the message.
2. From other Craigslist account holders - If it claims to be from another Craigslist user, it will usually be a general enquiry about a listing (as shown below). In both cases the SMS will nearly always contain a URL leading to a fake Craigslist login page. These URLs are craftily chosen to mimic an authentic Craigslist URL and will generally contain an abbreviated or tweaked form of the word craigslist, as can be seen in both examples below. The format of the second example is the more common one, because Craigslist users often post their phone numbers online and are used to receiving messages of this type on a daily basis, so they are more likely to be deceived by it. Note also that the URL contains the name of the US state Alaska, mimicking genuine Craigslist URLs, which often contain a place name, such as http://anchorage.craigslist.org or http://newyork.craigslist.org
If you were to click one of these URLs, you would see that these fake Craigslist login pages aren't exactly the pinnacle of web design, but neither is the actual Craigslist login page. In fact, the Craigslist login page is far from sophisticated and is about as basic as a webpage can be. This contributes to Craigslist's popularity as a phishing target, because the page is so easily replicated. The first screenshot shows the real Craigslist.org login page and the image to the right shows a fake Craigslist login page; you'll notice there is little difference between the two. The only notable differences are the URLs, the word Craigslist in place of the official CL logo, a menu icon on the fake page that is not on the real page, and whether the page is served over a secure connection ("https", indicated by the padlock in the browser's address bar). One can understand how someone might fall for this, as such small irregularities are easily overlooked.
Real Craigslist site v phishing site
These phished login details can be very lucrative for scammers for a variety of reasons; they wouldn't run these campaigns otherwise. Once they have the details they have access to the user's Craigslist account, and from there they can run various scams. Often they use the account to send spam to other users on the site. Craigslist users whose accounts have been compromised have reported that their postings were hijacked and altered, most likely to defraud those responding to the postings and to post the scammers' own ads and spam. Masquerading as the victim, a favourite method is to arrange payment for an item through PayPal, sometimes sending fake PayPal payment confirmation emails for listings and sometimes sending links to PayPal phishing sites. The phished credentials can also give scammers access to other accounts belonging to the user. Most Craigslist account holders use their email address as their username, and it would not be surprising if many also reuse their email password as their Craigslist password (password reuse is very common, as one study showed). That gives the scammers access to the victim's email account, and access to someone's email account can in turn unlock a whole host of other accounts through password resets.
At AdaptiveMobile we block Craigslist SMS phishing messages on an almost daily basis and have seen a steady increase in their numbers over the last few months. To give an idea of the scale, last month we blocked several hundred thousand Craigslist related messages. The vast majority originate from over-the-top (OTT) or VoIP carriers. OTT carriers have become very popular with spammers in recent years; the majority of all spam we blocked last month came from OTT carriers' SMS services. These services are favourites of spammers because they allow so-called snowshoe spam: spam that, like a snowshoe, spreads the load over a large area, with each sending number carrying only a small share, usually in short bursts, which makes it harder to block with per-sender limits. The senders are very persistent and use thousands of phone numbers to distribute the spam to thousands of recipients. While there is no way to be certain, the targeted recipients could well be actual Craigslist account holders whose numbers were taken directly from the official Craigslist site, as mentioned earlier in this blog. We have visualised in the past how spam from OTT carriers differs from that from 'traditional' mobile carriers; while the mobile carriers have been clamping down on spam, spam levels from OTT carriers have stayed high. With Craigslist apparently not proving very effective at tackling these scams either, it seems likely that Craigslist SMS phishing sent via OTT carriers will continue for some time.
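To make the snowshoe point concrete, here is an added Python example (not AdaptiveMobile's code or detection logic) run over a constructed SMS delivery log. A per-sender rate limit catches a single number sending in bulk, but misses a campaign spread across fifteen numbers sending one or two messages each; grouping the same burst by the link it carries does catch it. The log format, field names, phone numbers, link hosts and thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (one delivered SMS per line): 'route=ott' marks traffic
# arriving via an over-the-top/VoIP gateway; 'url=' is present if the body
# carried a link.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) route=(?P<route>\S+)"
    r"(?: url=(?P<url>\S+))?$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """One log line -> dict with a datetime 'ts', or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    return e


def per_sender_rate_hits(events, limit, window):
    """Classic control: numbers sending more than `limit` messages in `window`."""
    stamps_by_src = defaultdict(list)
    for e in events:
        stamps_by_src[e["src"]].append(e["ts"])
    hits = set()
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > limit:
                hits.add(src)
                break
    return hits


def snowshoe_campaigns(events, window, min_senders, max_per_sender):
    """Group by link host; flag hosts pushed within one `window` by at least
    `min_senders` distinct numbers, none sending more than `max_per_sender`
    messages (load spread thin, in a burst). Reports the largest such window."""
    by_host = defaultdict(list)
    for e in events:
        if e["url"]:
            host = re.sub(r"^https?://", "", e["url"]).split("/")[0].lower()
            by_host[host].append(e)
    found = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            per_src = defaultdict(int)
            for e in chunk:
                per_src[e["src"]] += 1
            if len(per_src) < min_senders or max(per_src.values()) > max_per_sender:
                continue
            best = found.get(host)
            if best is None or len(chunk) > best["messages"]:
                found[host] = {
                    "messages": len(chunk),
                    "senders": len(per_src),
                    "recipients": len({e["dst"] for e in chunk}),
                    "ott_share": sum(e["route"] == "ott" for e in chunk) / len(chunk),
                }
    return found


def build_sample_log():
    """Constructed traffic, not real captures: a snowshoe Craigslist phish
    (15 OTT numbers, 1-2 messages each, one link, 150-second burst), a bulk
    spammer on a single number, and a few ordinary replies with no link."""
    t0 = datetime(2015, 6, 2, 14, 0, 0)
    lines = []
    for i in range(15):
        for k in range(1 + i % 2):
            ts = (t0 + timedelta(seconds=10 * i + 5 * k)).strftime(TS_FMT)
            lines.append(f"{ts} src=+1555010{i:04d} dst=+1555020{2 * i + k:04d} "
                         "route=ott url=http://craigslst-ak.com/login")
    for j in range(20):
        ts = (t0 + timedelta(seconds=3 * j)).strftime(TS_FMT)
        lines.append(f"{ts} src=+15550300001 dst=+1555040{j:04d} "
                     "route=ott url=http://cheap-pills.example/buy")
    for j in range(3):
        ts = (t0 + timedelta(minutes=j)).strftime(TS_FMT)
        lines.append(f"{ts} src=+15550500001 dst=+15550500002 route=mobile")
    return lines


def analyse(lines):
    """Run both controls over a log; thresholds are assumptions for the example."""
    events = [e for e in map(parse_line, lines) if e]
    five_min = timedelta(minutes=5)
    return {
        "per_sender_hits": per_sender_rate_hits(events, limit=5, window=five_min),
        "snowshoe": snowshoe_campaigns(events, five_min, min_senders=10, max_per_sender=2),
    }
```

Running `analyse(build_sample_log())` shows the per-sender limit catching only the bulk number, while the link-based grouping surfaces the Craigslist campaign with its 15 senders and 22 recipients, all via the OTT route. In production the link host would be normalised further (redirectors, URL shorteners) and the per-host grouping combined with the carrier route, but the shape of the detection is the same.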
If you believe you have received a Craigslist phishing SMS, report it to your mobile service provider (AT&T, T-Mobile etc.) and look carefully at any Craigslist text message you receive. As a rule of thumb, Craigslist will never send unsolicited messages asking for account information or asking you to log in to your account. Any URL in a genuine Craigslist message from another user will have craigslist.org as its domain (like the image below) and will land on the craigslist.org site; Craigslist always uses this domain. Check the domain itself, not just whether the text craigslist.org appears somewhere in the link: a phishing URL can include it as a subdomain or in the path (something like craigslist.org.example.net) while actually pointing elsewhere. If you are in doubt about a URL, look it up on a site like Whois.com to see who the domain is registered to and when it was created (phishing sites are normally only a few days old).
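The domain check described above can be automated. The following Python is an added example, not code from the original post, from AdaptiveMobile or from Craigslist: it pulls URLs out of an SMS body, takes the real hostname with urllib (so bait text before an '@' is ignored), requires that host to be craigslist.org or a subdomain of it, and additionally flags hosts that look like a tweaked or abbreviated "craigslist". The sample messages and the lookalike heuristic (substring and edit-distance tests) are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Genuine Craigslist links always land on this registered domain or a
# subdomain of it (anchorage.craigslist.org, accounts.craigslist.org, ...).
LEGIT_DOMAIN = "craigslist.org"

# A URL with a scheme, or a bare hostname with optional path, inside free text.
URL_RE = re.compile(
    r'https?://[^\s<>"]+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?', re.I)


def extract_urls(text):
    """Return every URL-looking token in an SMS body, in order."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def hostname_of(url):
    """Lowercase hostname of a URL, tolerating a missing scheme.

    urlsplit handles userinfo tricks such as craigslist.org@203.0.113.5:
    the hostname is 203.0.113.5, not the bait text before the '@'.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_genuine_host(host):
    """True only for craigslist.org itself or a subdomain of it."""
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_craigslist(host):
    """Heuristic (assumed for this example): does any dot- or hyphen-separated
    piece of the host mimic 'craigslist', misspelt or abbreviated?"""
    for token in re.split(r"[^a-z]+", host):
        if "craig" in token or "clist" in token:
            return True
        if len(token) >= 5 and edit_distance(token, "craigslist") <= 3:
            return True
    return False


def classify_sms(text):
    """Triage one message. verdict is 'no_url', 'link_ok' or 'suspicious';
    reasons lists (url, [why...]) for every link that fails the check."""
    urls = extract_urls(text)
    reasons = []
    for url in urls:
        host = hostname_of(url)
        if is_genuine_host(host):
            continue
        why = [f"host {host} is not under {LEGIT_DOMAIN}"]
        if looks_like_craigslist(host):
            why.append("host mimics the word craigslist")
        if LEGIT_DOMAIN in url.lower():
            why.append(f"{LEGIT_DOMAIN} appears in the URL but not as its host")
        reasons.append((url, why))
    if not urls:
        verdict = "no_url"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "link_ok"
    return {"verdict": verdict, "urls": urls, "reasons": reasons}


# Constructed sample messages (not real captures) in the two shapes the post
# describes: "from Craigslist" and "from another user", plus a harmless reply.
SAMPLES = [
    "Is the sofa still available? My details: http://anchorage.craigslist.org/about/help/",
    "Craigslist Support: unusual activity. Verify now at https://craigslst-alaska.com/login",
    "hi is this still for sale? https://craigslist.org.accounts-verify.net/cl",
    "CL team: your account is blocked, login: http://craigslist.org@203.0.113.5/login",
    "Sure, I can meet at 5pm tomorrow.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = classify_sms(sms)
        print(result["verdict"], result["reasons"])
```

Only the first sample passes, because its host ends in `.craigslist.org`; the third and fourth are caught even though the string `craigslist.org` appears in them, which is exactly the trap a naive substring check falls into. The lookalike heuristic is advisory: a host that fails the domain check is suspicious whether or not it resembles the word craigslist.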
If you believe that you have been a victim of a Craigslist Phishing scam, see https://www.craigslist.org/about/help/phishing for more information.