MailChannels has observed a webmail abuse attack that hit Google Mail (Gmail) users and has not been publicly disclosed by Google as of Friday. As with most targeted attacks, the intruders gain access to Gmail accounts and send short bursts of emails in response to Craigslist classified ads. These spoofing attacks successfully masquerade as a legitimate Gmail user, leading the target to fall for the trap and click a link to download a toolbar. The exploitation takes place when the malware is downloaded and installed, using a vulnerability in Microsoft's Internet Explorer.
How do I know if my account was broken into?
Craigslist users may reply back to falsified inquiries or Gmail users may discover approximately 10 emails from Craigslist Remailer Daemon stating:
"We've received too many mails from firstname.lastname@example.org in a short time span. Sorry, but no messages from email@example.com will be relayed for 24 hours."
A quick look at the Gmail Sent folder will confirm that on average 30 emails were sent from the compromised account in a 5 minute time period. This occurs at a time when the account is idle and the legitimate user is not logged in.
One hijacked Gmail user had this to say in the Gmail Help forum:
"I looked up 'recent account activity,' and there has indeed been two separate episodes of access into my gmail account that originated from two separate IP addresses, one in US and one in Saudi Arab. And needless to say both access times were correspondent to the two lots of spamming episodes."
What is in the email content?
found the Ad you put up on cl titled - "End Table with drawer" and I'm quite interested in getting this but I am not too confident if it's the similar type that my cousin is after. Here's a demo that I was able to cpy from my brother's Macbook URL1 or try URL2. Can you please ensure its the similar type and get back to me as soon as possible. I'm willing to pay a little more than what you put on for sale as long it meets the Vid description and you can put it on hold for me.
The URLs are obfuscated using URL shortener "short.to".
What if I'm the targeted seller of a Craigslist item?
The dead giveaway is that the email is signed by a different name from the sending email address. For example, the email will be signed at the bottom by Jessica, Julie or Sonya but the human-readable name is "John Smith" from "firstname.lastname@example.org". Of course, do not click any shortened URLs from untrusted sources.
What can users do?
It is not believed to be widespread at this time but it is good practice to update your security questions and create a new, stronger password every few months.
Stay connected to MailChannels by following us on Twitter. We will continue to provide updates on this event if there is anything of interest.