Threat Actors Phishing Airbnb Users For Fraud


During my daily monitoring, I uncovered a number of Airbnb phishing pages harvesting user account credentials. This got me thinking about the types of fraud targeting Airbnb users and the hosts. Airbnb is not a typical target for phishing, compared to the vast number of phishing pages targeting banks, HMRC, DVLA, and mobile carriers. However, it can be a profitable venture for cybercriminals if they can phish the right account. 


I also identified one phishing page that was aiming to bypass SMS two-factor authentication (2FA). The first page takes the email and password (see here) and the second acquires the SMS code (see here). For this attack, the operators only have a limited amount of time to swipe the credentials and input the 2FA code before it expires (typically around 10 minutes). If successful, the attackers are fully authenticated and can change the password.


Indicators of Compromise (IOCs):


 TypeIndicator 
 Domain      abn.co-host-listing-49461[.]casa
 Domain abn.co-host-listing-24965[.]casa
 Domain abn.co-host-listing-68430[.]casa
 Domain abn.co-host-listing-58520[.]casa
 Domain abn.co-host-listing-34315[.]casa
 Domain abn.co-host-listing-68461[.]casa
 Domain abn.co-host-listing-92412[.]casa
 Domain abn.co-host-listing-78459[.]site
 Domain abnb-me.rooms887122298[.]com
 Domain abn-co-host-listing-31945[.]world
 Domain abn-co-host-property-listing-37955[.]rentals
 Domain airbnb-rooms-3672[.]com
 Domain airbnb.owner-us[.]com
 Domain abnb-me18291[.]me
 Domain ru-airbnb[.]com


Forum user activity related to Airbnb:





It also appears that Airbnb experienced a data breach of some sort which led to forum users sharing host listings online. This could be used to clone property listings for fraud:



With a few compromised accounts - especially if they are host accounts - the attackers can carry out a large amount of fraud or even money laundering with certain techniques. With a compromised host account, the attackers can post fake listings on Airbnb and trick guests into paying for a non-existent place to stay.


What two threat actors can also potentially do is use the Airbnb platform to pay for their own fake listings to funnel money through from one account to another, potentially with stolen cards. With a few compromised Airbnb accounts, the attackers can create somewhat of a bot farm that can leave fake reviews and boost fake listings to make it seem legitimate and prevent it from immediately getting blacklisted.


UK watchdog, Which?, also investigated the types of Airbnb fraud. The key findings include:

  • According to police statistics, holidaymakers were conned out of £6.7m in 2017.

  • Fraudsters add an email to the property photo or description and suggest you contact them directly, often to get a better deal.

  • Scammers often ask users to pay outside of the AirBnB app using direct bank transfer.

  • Many scammers use the same picture for several listings. If you find the same picture being used for several properties, it’s probably a scam.

  • Scammers often post large numbers of listings with zero reviews or fake reviews.

  • Other AirBnB related fraud is available in this Vice article here.


======================================================================

If you're interested, my previous blog on CobaltStrike can be found here and the one before that on the DarkHotel APT can be found here.

Popular posts from this blog

Deep-dive: The DarkHotel APT

Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns

My first year in Cyber Threat Intelligence