The faltering economy has driven many people to look for alternative purchasing avenues. One of the most popular has become craigslist: an online marketplace that can be used for everything from bartering to selling old appliances and even finding new employment. As more people rely on craigslist on a daily basis, so do hackers, who realize the money to be made by exploiting vulnerable users unaware of the many online dangers associated with craigslist and similar sites. Bartering on craigslist has become especially popular and is the avenue exploited in this dangerous attack. People are able to put up items that they no longer need in the hope of trading them with other users for a different, useful item. For the most part the system works exceptionally well, but criminals have discovered a new tactic that can trick even more adept users. In this case, a text message is sent as a reply to the craigslist ad offering to trade undisclosed items that can be viewed at a specific URL.
In this example, the URL used is hxxp://pixsend.org, although similar sites have also been found that work in the same fashion.
When an unsuspecting user visits the website and attempts to view the pictures, they are prompted to download a version of GIMP (an open source image manipulation program similar to Photoshop) in order to view the pictures. The site claims the photos are in a .gmp file format. GIMP images are actually stored as .xcf files, so the .gmp extension should be a red flag for those experienced with the program. Everyone else will download GIMP along with a host of other unwanted programs, including the notorious Citadel Trojan.
Citadel is designed to circumvent most antivirus software and run secretly in the background without most users realizing they have been infected.
When these users attempt to bank online or enter sensitive information into a web form, the Trojan records the keystrokes and sends them to the hacker at a remote location. Bank accounts, PayPal accounts, and credit accounts at major retailers can quickly be wiped out once a hacker has access to this information.
Needless to say, the pictures are not real and cannot be viewed.
The hackers do add a nice touch by including bogus file names for other pictures, such as “christmas-moms-dsc1022.JPG.gmp”, which helps add to the legitimacy of the Pixsend “file sharing” site. Although no drive-by downloads were detected at the Pixsend URL, this tactic could also be employed depending on the type of browser being used or the operating system of the user’s machine. In any event, the Trojan is mixed in with approximately 100 other malicious files that range from annoying browser toolbars to other programs with unclear purposes.
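The fake file names above rely on a familiar image extension (.JPG) sitting in front of an unfamiliar one (.gmp) that GIMP does not actually use. The following is an added example, not code from the original post or from any tool it mentions, showing how a defender-side download filter could flag such names before a user is told to install a "viewer" for them. The extension lists and the sample file names other than the one quoted in the post are constructed for the example.

```python
import os

# Extensions a user would reasonably expect a shared photo to carry.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff"}
# GIMP's native project format; ".gmp" is not one of its formats.
GIMP_EXTENSIONS = {".xcf"}
# Extensions that indicate a runnable program rather than an image.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".msi", ".js", ".vbs"}


def all_extensions(filename):
    """Return every dotted suffix of a file name, lowercased.

    'christmas-moms-dsc1022.JPG.gmp' -> ['.jpg', '.gmp']
    """
    base = os.path.basename(filename)
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def classify_filename(filename):
    """Classify a file name as 'ok' or 'suspicious' with a short reason.

    Rules, in order:
      1. An executable extension anywhere is suspicious (classic
         'photo.jpg.exe' double-extension trick).
      2. An image extension that is NOT the last extension is suspicious:
         the real type is whatever comes after it.
      3. A final extension that is neither an image format nor GIMP's
         own .xcf, on a file presented as a picture, is suspicious.
    """
    exts = all_extensions(filename)
    if not exts:
        return "suspicious", "no extension at all on a file offered as a photo"

    final = exts[-1]

    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return "suspicious", "executable extension %s present" % final

    for hidden in exts[:-1]:
        if hidden in IMAGE_EXTENSIONS:
            return "suspicious", (
                "image extension %s is not the real type; file ends in %s"
                % (hidden, final)
            )

    if final in IMAGE_EXTENSIONS or final in GIMP_EXTENSIONS:
        return "ok", "recognised image format %s" % final

    return "suspicious", "unrecognised image format %s" % final


# Constructed sample listing; the first name is the one quoted in the post.
SAMPLE_LISTING = [
    "christmas-moms-dsc1022.JPG.gmp",
    "vacation.xcf",
    "photo.jpg",
    "family-picnic.png.exe",
    "README",
]


def scan_listing(names):
    """Return a dict of file name -> (verdict, reason) for a whole listing."""
    return {name: classify_filename(name) for name in names}


if __name__ == "__main__":
    for name, (verdict, reason) in scan_listing(SAMPLE_LISTING).items():
        print("%-35s %-10s %s" % (name, verdict, reason))
```

Running the block prints one line per file; the quoted ".JPG.gmp" name is reported as suspicious because the visible .JPG is not the file's real type, while a genuine .xcf or .jpg passes.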
As a final note about this threat, it is not limited to programs that scrape data from craigslist.
In many cases, a person actually combs through listings and manually contacts individuals. This has been shown by craigslist posters who disguise their phone number as a mix of digits and spelled-out words: these people have received the text messages just as those who entered their number in a format easily scraped by a variety of automated tools have. There is nothing wrong with using craigslist as a tool to reach others in your community; just make sure to protect your information and your computer by being especially vigilant and not following any links given to you by a prospective buyer.