Credit to Author: BrianKrebs| Date: Sun, 14 Apr 2019 18:40:33 +0000
Scammers who make a living swindling Airbnb.com customers have a powerful new tool at their disposal: A software-as-a-service offering called “Land Lordz,” which helps automate the creation and management of fake Airbnb Web sites and the sending of messages to advertise the fraudulent listings.
The ne’er-do-well who set up the account below has been paying $550 a month for a Land Lordz “basic plan” subscription at landlordz[.]site that helps him manage more than 500 scam properties and interactions with up to 100 (soon-to-be-scammed) “guests” looking to book the fake listings. Currently, this scammer has just four dozen listings, virtually all of which are for properties in London and the surrounding United Kingdom.
Your typical victim will respond to an advertisement for a listing provided at Airbnb.com, and be assured they can pay through Airbnb, which offers buyer protection and refunds for unhappy customers. But when the interested party inquires about the listing, they are sent a link to a site that looks like Airbnb.com but which is actually a phishing page.
In the case of these particular fraudsters, their fake page was “airbnb.longterm-airbnb[.]co[.]uk” (I’ve added brackets to prevent the link from being clickable). The site looks exactly like the real Airbnb, includes pictures of the requested property, and steers visitors toward signing in or to creating a new account. The fake site simply forwards all requests on this page to Airbnb.com, and records any usernames and passwords submitted through the site.
Here’s a look at some of the properties listed for rent by these scammers. All of the names and images on these listings have been lifted from other legitimate listings.
The Land Lordz service includes several sets of default positive comments from fake past reviewers that can be used to populate the phony listings. The non-existent home and apartment rentals offered by these scammers are all sold on monthly rates, and the seller’s page says buyers must pay a deposit of the first month before the date is locked in.
The Land Lordz panel lets the scammer keep track of all messages with would-be victims, who are strung along and told the reservation on the residence will be lifted unless a cash deposit is made within 72 hours. Here’s one from would-be victim Shanon, on March 28, 2019, to the scammers.
Shanon: My partner wants to see the place before we send money over as we done this last time and someone scammed us I ain’t saying your not legit as you have send documents with details on name etc
Scammer: “Hello, The property is still available for your dates. The price is € 250 + €500 secure deposit. As security deposit needs to be added ,discount needs to be applied please follow the airbnb link” (which goes to the fake Airbnb page).
Alex Holden, chief information security officer of Hold Security LLC and the researcher who shared screen shots of this fraud panel, said the scammers appear to be advertising their fake listings primarily via Gumtree, a free classifieds service in the U.K.
People who lose money in these scams fail big time on two things. First, they fail to notice they are not on airbnb.com. More importantly, they end up wiring money to secure the promise of a fake apartment or home in another country, and the thieves cut off all communications at that point.
Like they did to this poor sucker, who paid $1,200 in exchange for a piece of paper which promised they’d hand over keys to the apartment at a specific date:
This 2018 story from travel blog goatsontheroad.com tells the tale of a couple that was very nearly scammed by a Land Lordz-like trap, before the wife figures out they’re no longer on airbnb.com.
It’s important to note that these scams can just as likely target users of Airbnb as they can other services, such as craigslist.com and booking.com. Be wary of clicking on links in emails from property hosts, and make sure you are always on Airbnb or whatever site you think you’re on.
Airbnb could help by adding some type of robust multi-factor authentication, such as Security Keys — which would defeat these Airbnb phishing pages. According to twofactorauth.org, Airbnb currently does not support any type of multi-factor authentication that users can enable.
Airbnb.com says if the company detects something phishy about a login for your account it may ask you to enter a security code sent to your phone or email address, or verify some of your account details.
In case anyone would like to follow up on this research, other domains used by these scammers include airbnb.longterm-airbnb[.]co.uk, airbnb.pt-anuncio[.]com, airbnb.request-online[.]com, and airbnb-invoice[.]com. Some of the bank accounts and payment recipients from scams tied to these listings are pictured here.