Trojan targets Craigslist users with spam

Craigslist has made some strides over the years in protecting its users from Internet predators, but for some hackers those strides are just another challenge to be surmounted.

That's the case with a Trojan aimed at the online classified advertising service and revealed Monday by Solera, a Blue Coat company.

The malware ends up on the computers of unsuspecting users who click a malicious link they encounter on the Internet, expecting to receive an update for a fictitious program called Adobe Photo Loader.

After infecting a machine, the malware turns the computer into a zombie in a botnet that makes spam postings to Craigslist advertising a program called Stealth Nanny. That Android app is designed to be planted on a person's phone so that all activity on the handset can be monitored by a snooper.

"We don't see a lot of spam on the service, but when we do, it's interesting because it's stuff that has figured out a way to get around these roadblocks set up by the guys running the site," Solera's Director of Threat Research, Andrew Brandt, said in an interview.

When the Trojan contacts Craigslist, it carries information supplied by the botnet's command and control (C&C) server that lets it set up an account on the service and post the advertising copy for Stealth Nanny.

Before a listing can go live on Craigslist, the poster must confirm it by email. The email confirmations for the ads posted by the Trojan are forwarded to it by its C&C server. "The bot then parses the Craigslist activation links, returns them as a click through a browser without the browser user's knowledge and makes the post go live," Brandt explained.

"It's a complicated mechanism that they've rigged up," he said. "It's amazing that it works, but it is quite functional."

The master of the zombie network has taken measures to keep the scheme off the radar of Craigslist spam fighters, Brandt added. "He'll do one post a day per infected machine."


The limited nature of the malware is also probably keeping its profile low. "It's a very bespoke malware for this specific purpose of just posting to Craigslist," Brandt observed.

"And the only thing we've seen it posting to Craigslist," he continued, "is this advertisement for this software that monitors cell phones."
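The two details above, one post a day per infected machine and a single piece of ad copy pushed through many throwaway accounts, point at a defence the article does not spell out: a per-account rate limit never fires, but a cross-account cluster of near-identical posts does. The following is an added example, not code from the article, Solera or Craigslist, showing that clustering over a constructed posting log. The fields, thresholds and the log lines themselves are assumptions for the demo.

```python
"""Cross-account clustering of near-identical classified postings.

Added example, not from the article or from Solera/Blue Coat. A bot that
posts once a day per infected machine stays under any per-account rate
limit, but one piece of ad copy posted from many unrelated accounts and
IPs forms a cluster that is visible site-wide. Log lines are constructed.
"""
import re
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (account, source_ip, timestamp, ad_body).
# IPs are from documentation ranges; the bot posts are deliberately
# mutated in case, punctuation and phone number.
SAMPLE_POSTS = [
    ("acct1001", "203.0.113.10", "2013-07-15T09:12:00",
     "Stealth Nanny - monitor any cell phone! Call 555-0101"),
    ("acct1002", "198.51.100.23", "2013-07-15T11:40:00",
     "STEALTH NANNY -- Monitor ANY cell phone!! call 555-0102"),
    ("acct1003", "192.0.2.77", "2013-07-16T08:05:00",
     "stealth nanny: monitor any cell phone. Call 555-0103"),
    ("acct1001", "203.0.113.10", "2013-07-16T09:30:00",
     "Stealth Nanny - monitor any cell phone! Call 555-0101"),
    ("acct2001", "203.0.113.55", "2013-07-15T10:00:00",
     "Used mountain bike, 21 speed, $120, pickup only"),
    ("acct2002", "198.51.100.9", "2013-07-15T12:00:00",
     "Couch for sale, good condition, $50"),
]


def fingerprint(body: str) -> str:
    """Normalise ad copy so small mutations collapse to one key.

    Case and punctuation are discarded; digits are dropped so that a
    rotating contact number does not split the cluster.
    """
    text = body.lower()
    text = re.sub(r"\d+", "", text)
    text = re.sub(r"[^a-z\s]", " ", text)
    text = " ".join(text.split())
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def cluster_posts(posts, min_accounts=3, max_daily_per_account=1):
    """Group posts by fingerprint and flag clusters that span many accounts
    while every account stays at or under the per-account daily limit,
    i.e. exactly the traffic a per-account throttle would never see."""
    clusters = defaultdict(list)
    for account, ip, ts, body in posts:
        clusters[fingerprint(body)].append(
            (account, ip, datetime.fromisoformat(ts), body))

    flagged = {}
    for fp, items in clusters.items():
        accounts = {a for a, _, _, _ in items}
        ips = {ip for _, ip, _, _ in items}
        per_day = defaultdict(int)
        for account, _, ts, _ in items:
            per_day[(account, ts.date())] += 1
        max_daily = max(per_day.values())
        if len(accounts) >= min_accounts and max_daily <= max_daily_per_account:
            flagged[fp] = {
                "accounts": len(accounts),
                "ips": len(ips),
                "posts": len(items),
                "max_daily_per_account": max_daily,
                "sample": items[0][3],
            }
    return flagged


if __name__ == "__main__":
    for fp, info in cluster_posts(SAMPLE_POSTS).items():
        print(fp, info)
```

On the constructed log the three Stealth Nanny variants (plus one repeat from the same account on the next day) fold into a single fingerprint spread over three accounts and three IPs, with no account posting more than once per day, so the cluster is flagged while the two legitimate ads are not. The `min_accounts` threshold is the knob that trades false positives from genuinely popular templates against sensitivity; in production the fingerprint would be a shingle or MinHash rather than an exact hash, so that copy edited by more than punctuation still clusters.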

Brandt added that he suspects the maker of the software is also connected to the malware. All but one of the domains connected to the scheme were registered "privately," he said. That one identifiable domain, however, carried a name, city and state that matched the same details given for Stealth Nanny.

"It's clear to me that they're connected and entirely possible that the same person is responsible for Stealth Nanny and the malware," Brandt said.

Although the malware has a highly specific purpose now, once a machine is infected the code could be repurposed for something far worse. "Anytime a computer is infected with malware, the box is owned by someone else and they can use it to do all kinds of different things," Brandt said.

Mike Gross, director of professional services and risk management at 41st Parameter, said that credential theft is always a possibility with this kind of malware. "The biggest risk is always key loggers that essentially give the attackers access to any account where the legitimate user enters a username-password combination online," he told CSOonline.

In addition, since the bots take their instructions from a remote C&C server, the malware likely has an auto-update function for downloading new code and modifying what's on an infected machine. "An auto-update feature would make the possibilities of danger endless for the infected device," said Tommy Chin, a technical support engineer with Core Security.

Craigslist did not respond to a request for comment for this story.

"Craigslist is a relatively open environment, with no strong validation of posts," Gross said. "It relies on users to post legitimate classifieds. Its primary form of policing spam is by user feedback, which is very reactive."

The online classifieds service is also largely free, which may contribute to its being a target of Internet lowlifes. "It's much easier to target a free service than it is a paid service," Chin said. "Free services require much less verification on the user's part."

"The site is also still in its infancy in regards to anti-spam and security practices," he said.

Stories by John P. Mello