by David Michmerhuizen – Security Researcher
These services highlight items for sale or swap via web listings or email lists. When someone identifies an item that they are interested in they typically contact the offering party via e-mail with any questions, leading to an exchange of e-mails before the transaction is finished in person.
Malware distributors open accounts on these sites and offer some desirable item either for free or for some very attractive price. The contact email in the listing is actually serviced by software running an automated response script.
When someone sends an e-mail request regarding one of these fake listings, the e-mail responder immediately sends back a reply similar to this one…
There’s not much here to arouse suspicion. After all, they did send an e-mail asking for more information, right? The link in the email takes the unwary shopper to an attack website
The webpage appears to have some images that can’t display because ‘”Flash Image Loader” needs to be installed. The alarm bells should start ringing right now – downloading and running a program under circumstances like these is always a bad idea,. In this case it’s a particularly bad idea because the program has nothing to do with Flash or Images. It is a variant of Trojan.Clicker, a family of malware that hides on a target computer and generates fake web traffic which scams online advertisers. While the infected computer may seem normal (although the images never do display), the program works behind the scene pulling up bogus web pages and then claiming credit for delivering ads embedded on those pages.
Early in the infection process the Trojan retrieved the following configuration file…
Although the Trojan only generates web traffic at this time, the configuration-driven implementation suggests the possibility of further exploits being delivered to the compromised computer.
This sort of attack appears to have been present on Craigslist for some time and is only now targeting Freecycle users all over the country. It is particularly dangerous because the attack email is not unsolicited. The target actually requests the e-mail be sent and is expecting it, so their defenses are lowered. These e-mails are not typically caught by anti-spam technologies because they are targeted and low-volume. Business networks are very much at risk because employees often monitor these sites while at work.
Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.