Scammers who make a living swindling Airbnb.com customers have a powerful new tool at their disposal: A software-as-a-service offering called “Land Lordz,” which helps automate the creation and management of fake Airbnb Web sites and the sending of messages to advertise the fraudulent listings.
The ne’er-do-well who set up the account below has been paying $550 a month for a Land Lordz “basic plan” subscription at landlordz[.]site that helps him manage more than 500 scam properties and interactions with up to 100 (soon-to-be-scammed) “guests” looking to book the fake listings. Currently, this scammer has just four dozen listings, virtually all of which are for properties in London and the surrounding United Kingdom.
Your typical victim will respond to an advertisement for a listing provided at Airbnb.com, and be assured they can pay through Airbnb, which offers buyer protection and refunds for unhappy customers. But when the interested party inquires about the listing, they are sent a link to a site that looks like Airbnb.com but which is actually a phishing page.
In the case of these particular fraudsters, their fake page was “airbnb.longterm-airbnb[.]co[.]uk” (I’ve added brackets to prevent the link from being clickable). The site looks exactly like the real Airbnb, includes pictures of the requested property, and steers visitors toward signing in or creating a new account. The fake site simply forwards all requests on this page to Airbnb.com, and records any usernames and passwords submitted through the site.
Here’s a look at some of the properties listed for rent by these scammers. All of the names and images on these listings have been lifted from other legitimate listings.
The Land Lordz service includes several sets of default positive comments from fake past reviewers that can be used to populate the phony listings. The non-existent home and apartment rentals offered by these scammers are all sold on monthly rates, and the seller’s page says buyers must pay a deposit of the first month before the date is locked in.
The Land Lordz panel lets the scammer keep track of all messages with would-be victims, who are strung along and told the reservation on the residence will be lifted unless a cash deposit is made within 72 hours. Here’s one from would-be victim Shanon, on March 28, 2019, to the scammers.
Shanon: My partner wants to see the place before we send money over as we done this last time and someone scammed us I ain’t saying your not legit as you have send documents with details on name etc
Scammer: “Hello, The property is still available for your dates. The price is € 250 + €500 secure deposit. As security deposit needs to be added ,discount needs to be applied please follow the airbnb link” (which goes to the fake Airbnb page).
Alex Holden, chief information security officer of Hold Security LLC and the researcher who shared screen shots of this fraud panel, said the scammers appear to be advertising their fake listings primarily via Gumtree, a free classifieds service in the U.K.
People who lose money in these scams fail big time on two things. First, they fail to notice they are not on airbnb.com. More importantly, they end up wiring money to secure the promise of a fake apartment or home in another country, and the thieves cut off all communications at that point.
Like they did to this poor sucker, who paid $1,200 in exchange for a piece of paper which promised they’d hand over keys to the apartment at a specific date:
This 2018 story from travel blog goatsontheroad.com tells the tale of a couple that was very nearly scammed by a Land Lordz-like trap, before the wife figured out they were no longer on airbnb.com.
It’s important to note that these scams can just as likely target users of Airbnb as they can other services, such as craigslist.com and booking.com. Be wary of clicking on links in emails from property hosts, and make sure you are always on Airbnb or whatever site you think you’re on.
Airbnb could help by adding some type of robust multi-factor authentication, such as Security Keys — which would defeat these Airbnb phishing pages. According to 2fa.directory, Airbnb currently does not support any type of multi-factor authentication that users can enable.
Airbnb.com says if the company detects something phishy about a login for your account it may ask you to enter a security code sent to your phone or email address, or verify some of your account details.
In case anyone would like to follow up on this research, other domains used by these scammers include airbnb.longterm-airbnb[.]co.uk, airbnb.pt-anuncio[.]com, airbnb.request-online[.]com, and airbnb-invoice[.]com. Some of the bank accounts and payment recipients from scams tied to these listings are pictured here.
Hey Brian, some details of a similar scam you might find interesting:
I found a property on OpenRent, it’s long removed now but the ‘owner’ asked to chat on WhatsApp to organise the viewing. It soon became obvious they were a scammer, and eventually they sent a bit.ly link which led to a URL https://airbnb.com.longterm-listing[.com]/rooms/586795
Their claim was that I’d pay on Airbnb, make the viewing, and then be able to cancel (of course untrue) if I didn’t want to go ahead with it. Not sure if it’s using the same software, but it was the same sort of phishing site for sure.
Wow, another case of why we can’t have nice things. You just have to be vigilant as a hawk anywhere you go. Even when the person said,
“Shanon: My partner wants to see the place before we send money over as we done this last time and someone scammed us I ain’t saying your not legit as you have send documents with details on name etc”
Almost like Hey you, you love scamming people but really find the process complicated and time-consuming. Wouldn’t you like it to be much easier? Well, now you can with the Land Lordz program and let the program do the scamming for you.
A company as big as Airbnb and they don’t support 2 factor is pretty shameful.
Very unfortunate that such a service exists – but I’m confused by the assertion that multi-factor would help the situation at all. If the scammer is entirely MITM requests through the phishing site, and they’re asking the user to log in, they’re going to obtain a valid token regardless of how many auth factors are present.
For instance, the user is on the phishing site, the phishing site asks the user to log in, logs and forwards the username/password to airbnb.com, airbnb.com replies to the user that a 2fac code has been sent, which the user gives to the phishing site, which forwards it to airbnb.com.
You may wish to read my story from the other day about security keys. If a company is enrolling security keys for users, it means that if the mark is visiting a site that’s man-in-the-middling or phishing, the real site won’t allow the request for the security key if it detects the user is not on airbnb.com, which means the login can’t continue.
“But the short version is that even if a user who has enrolled a Security Key for authentication tries to log in at a site pretending to be Google, the company’s systems simply refuse to request the Security Key if the user isn’t on an official Google site, and the login attempt fails.
“It puts you in this mode….[in] which is there is no other way to log in apart from the Security Key,” Brand said. “No one can trick you into a downgrade attack, no one can trick you into anything different. You need to provide a security key or you don’t get into your account.”
Yes, using a USB security key that interacts with the browser is safe since the key can sign/verify the URL and whatever else in the browser.
But unfortunately, use of USB security keys isn’t the common way of implementing 2FA on websites. And it’s unlikely to be implemented on a website like airbnb which relies on quick enrollment of users.
Airbnb, if they were to implement 2FA, is far more likely to adopt weak SMS codes or even stronger OTP through an Authenticator app like Google Auth, Authy, etc.
And this method of 2FA is not going to prevent MITM phishing websites. The server is only verifying the client, but the client cannot verify the server. So OTP codes will just be passed through just like the password.
I agree, I am not sure how feasible it is to use security-key-based 2FA for every service that has money transactions involved. I am afraid average users already have too many of them to store on a single yubikey.
The short term action would be for the service provider to identify malicious communications by parsing the messages, and provide very visible links for payments right outside of the message inbox.
Well, the beauty of security keys.. is that you should be unlimited in the number of services you can use it with. Yes, there may be only a couple of slots that can hold specific types of authentication methods or keys… but really, a single public/private key pair can be used on multiple services without limit.
I think all services dealing with money, or communications that provide access to those services (email account that is used for password resets), should be protected with 2FA such as USB security keys. We have NFC and USB type 3 on phones, so there is no excuse.
For this MITM phishing attack… it is easier to detect fraud on existing accounts, as they could just alert on the new IP address and notify that there is a login from a new client.
But in this case, the fraud is happening when the user is first signing up. The victim thinks they are creating an Airbnb account, and they are, but going through the attacker. Hard to really protect against.
I completely agree about Airbnb not having 2FA. I’m wondering if that will change in the near future given the large amount of scams surrounding them as of late.
With summer coming on Brian, you hit the spot with this post. We stayed in Budapest and it was great through VRBO. Although the place was a firetrap it was quaint and fun in a gorgeous old building. We made sure to actually phone and talk at least three times to the landlady and her husband weeks before leaving the US. Dunno know if VRBO has been targeted with anything similar to the airbnb counterfeit service/scam. Thanks.
Had a guy stop me in the parking lot yesterday offering to fix a dent for cheap, I assumed he was just some chap just trying to get work for his body shop.
Suspicious meter started going off upon finding he didn’t have a business card or phone number.
A quick google search revealed it was a scam.. so yeah.. having nice things not only died, it is renting a room somewhere with Elvis and Kurt Cobain.
This is a common gypsy scam. They put clay over a dent and paint it to match. Looks great for a couple of days and then falls off.
They seem to like white cars. There must not be too many shades of white. I know “Toyota White” is common.
A mandatory 2factor Auth would make it less likely that someone steals a login from a legit home-owner. And it would mean that the fake site differs from the Real Thing by not asking for the 2nd factor. But that wouldn’t make fraud impossible…
The biggest scam is the “real” Airbnb. With a tax dodge out of Ireland and the Jersey Isles, along with their scooping up of tens of thousands of apartments that are not legal to rent as hotel rooms, the company is the definition of a scofflaw.
The whole business is a scam centered on connecting tax dodgers with each other, for unofficial rentals.
It’s not surprising when pieces of it are scams, too.
Every tenant and fake hotelier ought to have a lien placed on them for tax fraud. And Airbnb’s records should be seized to do it.
I think there are scams, maybe such as this, that would even fool the security-aware individuals. All it takes is one moment for our guard to be down to get scammed. Especially in a case like this–most people are in that vacation mindset and just want to find the right place to stay. Often, they’re not thinking about the implications that security plays into it. Just goes to show, we need to always be mindful of the threats out there and be on the lookout.
Seems this scam has found a home on Craigslist in both the form of short-term rentals and long-term rentals. They have a different “feel” from the usual Craigslist rental scams and seem to focus on college, university and military areas. That many “real” postings are written like scam ads and so cavalierly insist on insecurity does not help. And, unfortunately, they are not being taken down when reported, unlike the classic Craigslist scams.
This scam, and many others, rely on people not understanding the rules for domain names. Here are the rules
That is a very good point, Michael. Thank you for posting that link, it’s very informative! http://www.jobs.citi[.]com is not the same as http://www.citi-jobs.notmalware[.]com.
It seems to me that if one looks for an Airbnb rental by browsing, inquiring, and paying through Airbnb.com, there is no potential for this scam.
The problem is using a free classifieds service and email to conduct a rental of an Airbnb unit. That’s not the way Airbnb works.
Which is why so many dating, selling and renting sites tell you not to conduct business outside of their site. Not to click on external links. Not to continue if the offerer insists on moving the dealing to email or kik.
Indeed, and also why phishing scams target website traffic with ‘high buy intent’, ie a very-immediate need (dating and housing being the perfect examples).
Airheadsbnb are Jew haters.
Please, do not conduct business with this anti-Israel firm.
You may have missed it, but this week they apologized to Israel for their disgusting policies.
Long time reader got post scrubbed.
Do you know if AirBnB subscribes to any “brand management” service? There are companies out there that can detect similar domains getting registered (for fraud and phishing purposes), and even help to get those domains taken down.
For a huge company like AirBnB, it seems like a necessity to have some additional protection from these scam artists.
Nice post. One minor typo: It’s craigslist.org, not .com