CyberDefender placed ads in six Craigslist categories. Four of the ads received responses from phishing operations, each trying to trick the advertiser into revealing its private account information. Some of the responses arrived within 24 hours of the ads' placement.
Typically, the phishing e-mails would direct the advertiser to a fake Craigslist web page in which they were instructed to enter the account information to confirm their identity and/or ownership of the advertised items. With the private information collected, the phishing outfit would then follow up with a deluge of phishing attempts seeking eBay and PayPal login information, according to Achal Khetarpal, Director of CyberDefender Research Labs.
Below is an example of a fake Craigslist login page. Notice that the web address ends in cua.com instead of craigslist.org as it should.
Craigslist scams, like many online phishing attacks, aren't limited to taking your account information. They may also ask for personal information such as a Social Security number, or bank or credit card information, under the pretense of processing payment.
Khetarpal offers these tips for staying safe on Craigslist.
- Never click on any links in emails asking you to log into your Craigslist account. Instead, go to www.craigslist.org directly to access your account.
- Always use an email address created specifically for your Craigslist postings. You will be able to identify suspicious e-mails this way.
- Do not click on any links that potential buyers send to you. If you get an e-mail asking for financial information, delete it right away.
- Only deal with local buyers. Scams involving supposed international buyers claiming they will wire the seller money for the item are still popular.
- Always be on the lookout for "job" postings that seem too good to be true. Cyber-criminals often use these job boards to try and recruit money mules to launder illicit funds.
- Use an anti-phishing plug-in for your browser to help protect you from scams.
Khetarpal also recommends that, if you believe you have been the victim of a scam, you file a complaint with the Federal Trade Commission at www.ftc.gov.