How scammers are exploiting Craigslist to fund BEC attacks

Although the security industry is often preoccupied with the threat of cyber criminals attacking with advanced new techniques and tools, thousands of organisations around the world are routinely and successfully hit by nothing more than a deceptive email to the right person. Business Email Compromise (BEC) attacks, which use social engineering tactics to deceive businesses out of cash or sensitive data, have increased rapidly in recent years to take a huge toll on businesses around the world. And while the attacks are as straightforward as successful, development of defenses have lagged. The most recent estimates by the FBI put the financial losses from BEC attacks at more than $5.3bn since October 2013, with a sharp rise in cases over the last year.  

The tactics employed in BEC attacks are well understood in the industry, and encouragingly there is also a greater understanding among businesses themselves as well. The more discussion there is about the impact of these attacks, as well tactics such as identity deception, the greater the chance of businesses investing in solutions that will protect their employees from receiving malicious emails. 

What is less discussed however, is how these criminals operate, and who they actually are. We have found that while some appear to be opportunists who otherwise lead fairly lawful lives, the majority are career criminals who make most of their income from scamming victims. However, while BEC attacks can give the criminals spectacular profits, they are generally too unreliable to provide a steady income. Therefore, fraudsters will usually turn to the numerous small-scale scams made possible by the digital age. 

Untargeted “scattershot” email campaigns such as ransomware attacks have become a much-publicized attack, but there is also a much larger class of rarely-mentioned attacks in which criminals exploit the popular listings site Craigslist to reach a huge pool of unsuspecting victims. 

Why aren’t BEC attacks enough? 

Pulling off a successful BEC attack can give criminals unimaginable profits. Some of the largest reported examples have seen the culprits make off with more than $100m, while even a moderately successful scam can still net tens of thousands. A few medium-sized wins can easily be enough to set a criminal up for years. 

That said, landing a giant BEC attack is also about as reliable as a lottery win. The intended victim may have the experience to spot something is wrong, have proper security countermeasures installed, or his or her organisation may have protective policies in place for how to send money and sensitive information.   

Using Craigslist as a cash cow  

While criminals pour their time into setting up BEC attacks that may never actually pay off, listing sites provide a steady flow of illicit cash for minimal effort. These small-scale scams are the bread and butter of a career con artist – they won’t provide enough income to retire on, but will enable them to live comfortably while they wait for a lucky break with a big BEC win.   

Every site in the world will have its own issues with malicious users, but Craigslist in particular has a number of features that make it ideal as a base for these low-level scams. For one thing, the site is immensely popular, with an estimated 50 billion page views every month and users spread across 70 countries. This provides a fraudster with an effectively limitless pool of victims and an endless series of opportunities to fleece unsuspecting users. Better yet, rather than having to painstakingly research each victim, they can simply post a listing and wait, or hit the search bar and find listings that they can exploit. As a bonus to the attackers, the site is built around the notion of pseudonymous advertisements and interactions, making detection and attribution very difficult.

The site also takes a fairly laissez-faire approach to user identity and activity, with no apparent filtering done by Craigslist admins. Users don’t need an account with Craigslist to post – something which is very attractive for legitimate sellers, but also means that it’s trivial for a malicious user to post multiple scams. All they need is an email address. The few controls over the number of listings are easily evaded, enabling fraudsters to create a constant string of false offers and respond to the ads of legitimate users.  

One of the most common examples of abuse that we find on the site is a simple property rental scam. The criminal will post a rental ad for a beach house in the Florida Keys or a flat in central London, and then sit back and wait for unsuspecting holidaymakers to get in touch. The rental is agreed and the users send over their deposit and arrange to later meet at the property to receive the keys, but will be in for a nasty shock when they arrive. We often see criminals listing properties that currently are up for sale, as this gives them access to a large number of photos to sell the scam in, as well as a valid location. Other times the house simply doesn’t exist at all. Either way, the hopeful renter is in for a bad holiday.    

We also see the scams working in reverse, with the criminals finding listings and posing as buyers. Once the sale is agreed, they will “accidently” pay too much -- using a check that will later bounce. They then provide account details - usually for a mule or Western Union -  for the user to return the overpaid amount. This scam is fairly likely to arouse suspicions, but with an endless number of potential victims, the swindler will succeed often enough for it to pay off. 

Can the revenue stream be cut off?   

The fact that Craigslist and other similar listings sites are so easy to exploit means they are effectively funding a whole criminal class and enabling them to wreak havoc with more complex attacks on organisations. The $5.3bn cost of BEC identified by the FBI would certainly be much lower if the criminals did not have such easy access to other revenue streams.  

To combat this, sites such as Craigslist need to take much stronger action to clamp down on criminal misuse of their services. There need to be tighter controls on proving identity before an account can be created, and greater vigilance against suspicious activity. Obvious signs of malicious intent, such as a user posting an unfeasible number of listings, should be identified and stopped before they can do harm.  Because Craigslist is the message intermediary (due to the pseudonymisation of the identity), they know where the emails come from and where they are going, and can search for keywords indicating something unusual.   

None of these potential countermeasures is a silver bullet, though. Take automated text analysis -- to evade that, many attackers will try to take the conversation off of Craigslist and over to text or email. In other words, this is a complex problem and won’t be easily solved. But as it stands, very little, if anything, is being done to address the problem. If Craigslist were to partner with security organisations or fraud researchers, they would be taking a step in the right direction. 

While tighter control will make Craigslist slightly more difficult to use for legitimate sellers, it would be worth it if it helps to prevent criminals from living comfortably while they wait for their big BEC score - as well as keeping the site’s users safer themselves. In the meantime, we can expect the number of BEC attacks to continue to skyrocket, so organisations must be prepared to protect their employees by preventing malicious emails from getting through.    

Dr Markus Jakobsson, Chief Scientist at Agari 

Image Credit: Welcomia / Shutterstock