Spear phishers target Craigslist users

Spear phishing is quickly becoming the favorite way for cyber intruders to gain access to company and government systems.

But even private individuals aren’t safe. A spear phishing attempt from a rather unexpected source, recently reported by Microsoft researcher Nikola Livic, has really made me realize that you should never let your guard down.

In short, he wanted to sell an old car through Craigslist, and one of the prospective buyers – one “Amanda Q. McComb” – wanted to know some more. Livic replied with some details, and received this message back:

He followed the link and was faced with a spoofed Craigslist account login page. A look at the URL confirmed it – it was definitely a spear phishing attack.

If you think that your compromised Craigslist account can’t be misused much by a malicious individual, consider the fact that this person is privy to all the activity on it – what you are buying and selling, which people you are interested in dating or what activities you like.

All this information can come in handy when mounting further spear phishing attacks or for successfully engaging in identity theft. It could also help the malicious individual guess your passwords for other online services and email accounts – that is, if you haven’t already made the mistake of using the same password everywhere.

“Criminals can phish with near-impunity — one of the reasons these types of attacks are prevalent,” says Livic.