Frankly, I am really amazed that Craig’s List has not been attacked much more. They must be doing something right. Still, the opportunities for social engineering attacks seem quite bountiful to me.

So far the majority of scams I have heard about involve old-fashioned attacks, like getting someone to send an item they sold after they received a check that is going to bounce in a few days. By then it is too late; the goods are gone.

From time to time an occurrence will make the news. There was an incident where a young woman was killed after she met someone on Craig’s List. This type of thing happens no matter where people meet and there is no evidence I am aware of that indicates that there is a higher risk with Craig’s List than meeting a person in a bar, or other establishment.

That said, Craig’s List is not without its digital attacks and scams.

One common scam really only involves using the name Craig’s List, or CL as it is commonly abbreviated. An email comes in saying that the sender saw your post on CL. The reasons for the email vary. Some of these claim to have a job for you. In some cases it may be phishing; in other cases it may be to recruit you for work as a money mule, an illegal job that involves transferring stolen money. Sometimes it may just be an attempt to sign you up for some bogus sales job. Sometimes it may be an attempt to entice you to go to a web page that will serve up malicious software. These emails may have nothing at all to do with CL, but merely reference the name for credibility.

Another scam I was asked about works as follows. A person replies to a post about meeting someone. I didn’t ask if it was posted in “Strictly Platonic”, “Casual Encounters” or “Women for Men”. Regardless, an email comes back saying that the woman wants to meet, but there are lots of creeps on CL, so she needs to be sure that you are over 18 and not a sex offender. The recipient of the email is directed to a site that claims to verify age and check registered sex offender lists. The site asks for a credit card and promises not to charge it; the card is only for verification… yeah, right.

I don’t know anyone who entered the credit card information, but I can see a few scenarios. This may well be a phishing attack and the card will be abused. There is also the possibility that the site checks to see if the person is on a sex offender list, but it really can’t be effective. Identity theft means that a person providing the information can provide wrong information. A person who trusts a verification site like this is foolish, but not as foolish as the person who enters their credit card. I suspect the sender is getting paid for the number of people he or she gets to enter the information at the site. I’m also guessing that if it is not a phishing site there is small print that indicates if no action is taken there will be a charge.

Overall, I think the danger of CL is a bit overstated, but there is a lot of potential for abuse. As with all social networking sites, keep alert, don’t click on the links in emails, and don’t blindly trust. A bit of skepticism is a great idea.

Randy Abrams
Director of Technical Education