I tried to think up an appropriate bon mot about a platform like Craigslist getting hacked based upon how old and basic the platform is in comparison to “modern” services, but frankly, their easy-to-use and barebones approach strikes me as a rare unicorn in a world full of apps that (try to) do everything, or ones that do one thing in an overly complicated/cutesy/outlandish fashion to stand out in the crowded field. If anything, you may take my soft spot for Craigslist as an oblique self-burn on my age and get-off-my-lawn attitude about modern apps, but given the amount of troubleshooting I do on its contemporaries, barebones and utilitarian gets it done without a whole lot of fanfare and confusion. Sadly, like all things internet, this has a double-edge: hackers have taken advantage of one of Craigslist’s signature features – anonymous emails – to trick users into installing malware.
What this means for you
If you use Craigslist to offer something up – goods, services, your heart, etc. – you will want to pay attention. Craigslist uses a form of anonymized emails that allow users to keep their identity confidential until they decide they want to interact with someone answering their ad. Unfortunately, this also means an email arriving from an anonymized Craigslist email address claiming to be an official warning about an “inappropriate” ad is probably going to be taken seriously, and links contained in said email will likely be clicked, leading to a malware infection instead of an actual, legitimate Craigslist URL.
Attackers are using camouflage provided by a trusted, familiar environment that they 100% know their target is engaged with, combined with a malware delivery through OneDrive to give them additional cover against the usual malware detection provided by mail services that can smell bad URLs. Even with good malware protection installed on your computer, clicking and opening a document and then following the familiar process to allow editing of the document – something that occurs everytime when opening Office documents delivered via email or the internet (aka OneDrive, Dropbox, Google Drive, etc.), will bypass the usual protections and deliver a malware payload essentially because you allowed it.
This is what you are up against. This is what we all are up against. There is no good protection against this type of chicanery other than being savvy and vigilant, having up to date malware protection installed, backing up your data, and using unique passwords and two-factor authentication wherever possible. There is rarely an instance where the holy trinity of malware protection, backups and strong authentication practices is not warranted. Don’t make excuses – these three things will be your safety net when your vigilance wavers. We are all human and we can and will be tricked. That is one thing I can guarantee.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net