Is this Craigslist email Phishing?

The phrasing seems suspect.

*From: “help@craigslist.org” <help@craigslist.org>
Date: Sep 26, 2011 9:37 AM
Subject: Security Issue
To: <SNIP SNIP@gmail.com>

Dear Craigslist user
Due to many attempts of scammers to login,
your account has been temporary blocked.
For quick reactivation please fill the boxes.
We apologize for any inconvenience. Thanks
craigslist: Account Log In
WARNING: scammers may try to steal your account by sending an official-looking email with a link to a fake craigslist login page that looks like this page, hoping you’ll type in your username and password.

When you login look carefully at the web address near the top of your browser to make sure you are on the real craigslist login page, https://accounts.craigslist.org

The safest way to login is go to the craigslist homepage directly by typing in the web address, and then clicking on the ‘my account’ link.

[more information]

Log in to your craigslist account
NOTE: Not all prior posters have craigslist accounts.
If you are not sure, check for the existence of an account by having your password reset.
Email / Handle:
Password: forgot password?
(Cookies must be enabled.)

Sign up for an account | Why do I need an account?*

Yes.

Okay.
What are the scammers hoping I do?

I can’t tell from that email, but if you just go into the craigslist site, wouldn’t you find out right away?

I’m guessing it’s legit.

Are there other links or forms in the email that didn’t get copied-and-pasted correctly? It could be a very clever copy of a legitimate message from craigslist with a bad link somewhere, and the phisher is hoping some percentage of people will click on a bad link. The last few lines of the text look like they should be links.

There were some links at the bottom.
It was on Gmail, so I copied and pasted everything just as it appeared on the screen.
Not sure if there’s some way to copy and paste the source.
I couldn’t find anything dirty about the links.

Anyone know how to show source on Gmail?

What happens when you try logging into the actual accounts.craigslist.org page by actually typing it in?

What “boxes” are you supposed to fill? I don’t understand that part of the email. The English sounds a little bit off in that sentence of the email, so that’s the only thing that stands out as odd to me.

I agree with the OP that the wording of the mail is suspect.

While all the security instructions in the email appear to be good advice, I have a feeling that whatever the ‘boxes’ are will probably prove to be the reason it’s important to follow the advice in the email. Just go to craigslist.com yourself, without clicking any links or following anything in the email, go to your account as you normally do, and see if it is, indeed, locked. If it isn’t, it’s a phishing scam. If it is, contact their support from their website links.

Open the email. Go to the arrow to the right of “reply.” Click on it and select “Show Original.”

Yeah, after re-reading the OP, the wording really is suspect. I’m not exactly sure what the scammers are trying to get at here, though, unless you have a trojan that changes your DNS and sends you somewhere other than the actual craigslist site when you type in the URL for the Craigslist page.

Chances are the boxes mentioned are some built-in form right in the email that isn’t making it through the copy/paste. Also, links can appear to go to a different URL than displayed, like: http://straightdope.com/

The copy/paste would copy the display text but not the actual URL.

Sure. I was just assuming the OP would actually type in the URL in his browser (as advised in the email), instead of clicking on a suspicious link. Although perhaps that warning is there to ease you into a false sense of security, and the hope is that you just click the link anyway. Although it then tells you to look in your browser bar, which would kind of give it away if it was a false link.

Bingo

Which, like I said, is kind of negated by the fact that it tells you to look in your URL bar and to watch where you’re going. I suppose if someone really is stupid enough to fall for this, they deserve it.

The whole thing could just be a decoy to get the OP to click some file attachment that isn’t even mentioned directly in the email. But since it mentions ‘boxes’ to fill, like I said I think there were probably ‘username’ ‘password’ boxes or something intended to be filled out right in the email.

Seeing all this good security advice (probably copied right from a real craigslist email) makes people assume it’s all legit, so they completely fail to follow the very advice that is right in front of them. After all, scammers wouldn’t defeat their own purposes by describing exactly how to avoid the very scam they are trying to pull… but that’s what they are doing. If you follow the advice in the text of the mail it is legit; if you click any link, fill any form or open any attachments, it’s doing exactly the opposite of what the text says to do.

I got a similar email purporting to be from PayPal once. It included the same warnings, and even included an email address to send inquiries about spam to. And when I went to the actual PayPal site, I learned it was the legit anti-spam address. So I forwarded the email to them, and they sent back an email saying it was spam.

And what tipped me off wasn’t the contradictory instructions, but the fact that the links led to a URL similar to paypal-survey.something.com. And seeing as some websites do use external sites for surveys (Wikimedia and Wikia being big ones), I actually wasn’t sure, hence the email I sent.

It depends - they could have created a URL that looks plausible in its truncated view in the address bar (as BigT observed) - paypal.com.LoadsOfIrrelevantText.MaliciousSite.biz - in this case, MaliciousSite.biz is the domain - everything before it could be subdomains managed by their server.
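The two tricks described in this thread (a link whose visible text differs from its real destination, and a hostname like paypal.com.LoadsOfIrrelevantText.MaliciousSite.biz whose registrable domain is the last part, not the first) can both be checked mechanically on the message source. The following is an added example, not code from the thread or from craigslist; the sample HTML and every host other than accounts.craigslist.org are constructed for illustration, and the registrable-domain helper assumes a plain two-label suffix (no public-suffix list), which is enough to show the subdomain trick.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body in the style of the message above.
# The lookalike hosts below are made up; only accounts.craigslist.org is real.
SAMPLE_EMAIL_HTML = """
<p>For quick reactivation please fill the boxes.</p>
<p><a href="https://accounts.craigslist.org/">https://accounts.craigslist.org</a></p>
<p><a href="http://craigslist.org.login-verify.example.net/">https://accounts.craigslist.org</a></p>
<p><a href="http://paypal.com.LoadsOfIrrelevantText.MaliciousSite.biz/">paypal.com</a></p>
"""

TRUSTED_DOMAINS = ("craigslist.org",)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname.

    Assumption for this example: no public-suffix list, so 'co.uk'-style
    suffixes are not handled. Everything left of this is a subdomain the
    domain owner (here, the attacker) controls.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def under_domain(host, domain):
    """True only if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_links(html, trusted_domains):
    """One finding per link: the host it really goes to and why it is suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not any(under_domain(host, d) for d in trusted_domains):
            reasons.append(f"destination domain is {registrable_domain(host)}, not a trusted one")
        # Display text that itself looks like a URL or domain must agree with the href.
        shown = text if "://" in text else "http://" + text
        shown_host = host_of(shown)
        if "." in text and shown_host and shown_host != host:
            reasons.append(f"displayed as {shown_host} but points at {host}")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        status = "OK " if not f["reasons"] else "BAD"
        print(status, f["href"], "; ".join(f["reasons"]))
```

Run it against the raw HTML from Gmail’s “Show original” rather than against pasted text, since the paste keeps only the visible link text. The trusted-domain test is deliberately a suffix match on whole labels: paypal.com.evil.biz does not end in “.paypal.com”, so it fails, while www.paypal.com passes.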

Probably not a direct example of phishing, as even if they got their hands on your CL login info there is not much they could do with it.

It is more than likely clicking on one of the links in the email will take you to a malicious website meant to infect your computer with a virus or other form of malware (think keyloggers and tracking). So by the time you notice you are not at craigslist it will be too late; you would be infected.

Why anybody would click on a link or even copy a URL address from an email in today’s world is beyond me. I don’t even try to figure out if they’re legit; I just delete them. It’s really no different than giving out personal information over the phone, which people still seem willing to do despite all of the scam warnings over the years.

What I wonder is why people just don’t go over to the actual site where they hold an account and see if something’s amiss or not? I’ve gotten real warning letters before from eBay when one of my accounts was compromised, and manually typing in my URL did reveal that, indeed, my account was compromised.

Sometimes warning letters really are warning letters. As I said above, after further review, the English on this one is off enough that I think it could very well/probably be bogus, but a quick scoot over to https://accounts.craigslist.org will tell you now. (Unless, as I mentioned above, your DNS has been hijacked to a rogue DNS.)