
‘Land Lordz’ Service Powers Airbnb Scams - feross
https://krebsonsecurity.com/2019/04/land-lordz-service-powers-airbnb-scams/
======
doctorpangloss
I sympathize with the victims here, and these scams are very horrible.

Knowing victims of similar scams, there are a few forces at play that make
people unable to see the tell-tale signs of phishing that are unique to real
estate and rentals:

1. Desperation for "deals." The prices are almost always below market, and
people intuitively assume things will not be around for long. The city,
friends in the emigre/immigrant areas, the new employer, etc. are all to blame
for increasing the desperation, and they help the scammer, without any
coordination, to pressure the mark to close.

2. Intense peer pressure. Moving is stressful, but people deal with stressful
stuff all the time. The difference is she has a partner, a family member or a
boss who depends on her to be living in a certain place by a certain time, and
rarely contributes to decision-making. This is a pretty common sales pressure
tactic that car salesmen and conventional real estate agents use; for rentals
it's pretty much guaranteed you'll have a second person pressuring the mark to
close quickly at any cost.

3. Non-reversible payments being the norm. Real estate is paid with
non-reversible payments. Banks could easily reverse these charges. Usually the
recipients of the payments are themselves marks--ordinary people who are used
as blank-check businesses and cooperate, unwittingly, as the settler of
payments for the scammer. The paper trail is there and it's super easy to
reverse, but banks have no mechanism to report inter-bank fraud with the
proper urgency. There simply is no number to call or teller to communicate to.
The banks, in this way, pressure the mark into putting it all past them
because it's no skin off their back.

Society does no one favors to see past these scams. Real estate rental puts
the mark into an incredibly vulnerable position.

The solutions are simple. If payment is digital, it should be the norm that it
is reversible. Flexible start dates for jobs that require moving enshrined in
the law (moving benefit does not alleviate the pressure to save). And a place
where you can see rental rates and turnover to indicate to people when a deal
is too good to be true.

~~~
steelframe
There are some short-sighted counter-tactics showing up in this thread. "Do
2FA!" "Detect activity in JS!" "Scan new listings for copied images!" Sure, do
those things. However, expect that after you fix the vulnerabilities currently
being exploited, the bad guys will find others. They have every incentive to
do so.

It's refreshing to see a comment that addresses some of the roots of the
problem. Rather than only focusing on plugging holes in the dam, spend some
effort finding ways to let off the pressure at the source.

~~~
thefounder
2FA is not a solution. Maybe you mean U2F.

~~~
yolo1
Loads of people think 2FA solves more than just mass password spraying. How
the hell did we get here?

------
lifeisstillgood
This is a mindset I cannot understand - it's quite within most developers
reach that they could scrape and reproduce airbnb. It's quite within most
people's ethics to realise you could then take money off people who did not
spot it.

But to set up a criminal SaaS, that _other_ criminals pay to use, and to
somehow think you cannot be found or caught?

It just seems that this sub world has been allowed to develop and evolve for
soooo long they have stumbled upon whole eco systems.

It's going to be hard to uproot.

~~~
walrus01
ransomware-as-a-service toolkits have been for sale for at least 5 years now.

~~~
chessturk
Check out gandcrab: [https://sensorstechforum.com/gandcrab-criminals-affiliates-r...](https://sensorstechforum.com/gandcrab-criminals-affiliates-rdp-vnc-skills/amp/)

It's ransomware with a commission scheme.

> It’s curious to note that the program offers a 60-40 split in profits, with
> 60 percent offered to the customer. However, the gang is willing to
> negotiate up to a 70-30 split for customers that are considered more
> “sophisticated”, researchers say.

------
mcintyre1994
Unsure whether this one’s related, but there’s a similar scam run on
[https://airbnb.com.longterm-listing](https://airbnb.com.longterm-listing)[.com] as well.

I got that one from a listing on OpenRent (UK private letting site), when I
contacted them they tried to get me to book on “Airbnb” in order to view it
and sent a bit.ly link that redirected to that phishing site. Add
/rooms/586795 for the listing, it’s still up.

~~~
Scoundreller
Looks like it's dead.

~~~
mcintyre1994
Still up for me, weird - I wonder if they're region-locking by IP address or
something?

~~~
yorwba
Up for me, visiting from Berlin, can't possibly be in my cache. Perhaps the GP
forgot to add the ".com"?

Interestingly, the site appears to only change the location of the listing and
leaves all the other details (host, reviews etc.) exactly the same. Modifying
the ID randomly redirects to the real Airbnb homepage.

~~~
mcintyre1994
Oh interesting, does the listing show as in Berlin for you? I got it to show a
place in a Swedish ski resort somehow when I was first clicking around and
reporting it, but then that disappeared and I never saw it again.

~~~
yorwba
The default is rooms/804806 with location given as Campo Pequeno in Lisboa for
me, but the one you gave was claimed to be in London. Incidentally, that one
also redirects me to Airbnb now; maybe it was automatically removed due to
increased traffic.

------
benatkin
This article links to a story about someone almost falling for the scam
involving a fake AirBnb site:

> Then we noticed that the URL of the listing was a little bit off. It showed
> “www.airbnb.com-request-booking.space/booking/…”. We were a bit confused by
> this, but as the URL started with “www.airbnb.com” I figured there was no
> way it could be a SPAM site.

[https://www.goatsontheroad.com/airbnb-scam/](https://www.goatsontheroad.com/airbnb-scam/)

This high level description fails to identify the server name part of the url
and they don’t get to it later on in the article. It should be internet 101,
but apparently it isn’t. If they understood the server name part of the url
they’d know exactly why that url isn’t on airbnb.com and AirBnb has no control
over it.

On the positive side, if they miss this, they are likely not getting scammed
because they’re desperate. I’m sure that’s why some get scammed but certainly
not all of them. I don’t think wishing for something that’s too good to be
true is the biggest reason people get scammed.

~~~
baroffoos
Problem is hardly anyone knows how a URL and domain name work, which makes
sense because they follow some rules that are simple but not obvious without
education. This is made worse by the fact that many companies use 100
different domain names, so the legit websites are impossible to tell from scams.

~~~
SlowRobotAhead
>This is made worse by the fact that many companies use 100 different domain
names so the legit websites are impossible to tell from scams

Ugh. The worst. I have to explain weekly that microsoftonline.com is fine,
az.co is really amazon, why things like amazon.training are legit, what x.co
or other link shorteners are, and that only the last . matters and the letters
immediately before and after that.

It’s a bad system, made worse by people that should know better.
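An added example, not from any post in this thread, that applies the rule above ("only the last dot matters and the labels immediately around it") to the lookalike URLs quoted in this discussion, so the part of the hostname a scammer actually registered stands out. The one assumption beyond the posts is a short stand-in list of multi-label public suffixes such as co.uk; a production check would take that list from the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed inputs: the first two are the lookalike hostnames discussed in
# this thread; the last two are genuine-looking Airbnb paths for comparison.
SAMPLE_URLS = [
    "https://www.airbnb.com-request-booking.space/booking/12345",
    "https://airbnb.com.longterm-listing.com/rooms/586795",
    "https://www.airbnb.com/rooms/586795",
    "https://airbnb.co.uk/rooms/1",
]

# Stand-in for the Public Suffix List (assumption): suffixes under which the
# registrable name is one label further left, e.g. example.co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the part of the hostname that somebody registered: the last
    label (the TLD) plus the label right before it, or one more label when
    the last two together are a public suffix such as co.uk."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_same_site(url: str, expected: str = "airbnb.com") -> bool:
    """True only when the registrable domain is exactly the expected one;
    everything to the left of it (www., airbnb.com.) is under the owner's
    control and proves nothing."""
    return registrable_domain(url) == expected


def classify(urls=SAMPLE_URLS) -> dict:
    """Map each URL to whether it really belongs to airbnb.com."""
    return {u: is_same_site(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify().items():
        label = "airbnb.com" if ok else "LOOKALIKE"
        print(f"{label:10} registered part: {registrable_domain(url):28} {url}")
```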

~~~
whoopdedo
The people that should know better are, I'm afraid, us. I recall many
complaints a few months ago when the idea was floated for Chrome to not show
the URL in the location bar but instead display the organization name from the
SSL certificate.

~~~
benatkin
That would give the EV Certificate vendors, who have shown many times they
can't be trusted, too much power, and turn the web into a walled garden, or it
would be useless. Take your pick.

------
navatm
I've written a detailed blog post about my experience:
[https://medium.com/@navatm/fake-airbnb-apartment-fraud-2c187...](https://medium.com/@navatm/fake-airbnb-apartment-fraud-2c1878e21212)

I'm still in touch with the fraudster. Trolling him.

------
jmcgready
Interesting that, according to the article, Airbnb doesn't do 2FA:

> Airbnb could help by adding some type of robust multi-factor authentication,
> such as Security Keys — which would defeat these Airbnb phishing pages.
> According to twofactorauth.org, Airbnb currently does not support any type of
> multi-factor authentication that users can enable.

~~~
dewey
If people don't realize they are on a different domain, have to sign up for a
new account, wire some random person money instead of going through the normal
AirBnb process with their credit card on file I doubt they'd use 2FA if it's
not forced for everyone.

~~~
mcintyre1994
They don't make you sign up for a new account. If they ask you to log in it's
to harvest email/password, but they're faking it's your Airbnb login - they'll
just accept whatever you give, say you're logged in and let you give payment,
if they even bother to ask you to log in.

------
p1necone
The article suggests MFA as a solution, surely you just mitm the MFA entry
while you're mitm'ing any other contents of a users airbnb session? (if you
even need to access actual airbnb contents for your spoof site to seem legit
enough)

~~~
mjg59
U2F prevents MITM by tying keys to the origin sites, but yes, other MFA
approaches can be attacked this way.
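An added simulation, not code from any poster, of the origin binding mjg59 refers to: the browser only lets a page ask for an rp_id that matches its own host, the key only answers for the rp_id it was registered under, and the relying party checks the origin in clientData and the rpIdHash before the signature. Assumptions are labelled in the code: the real site is taken to be https://www.airbnb.com with rp_id airbnb.com, and an HMAC over a per-credential secret stands in for the key's EC signature.

```python
import hashlib, hmac, json, os
REAL_ORIGIN, REAL_RP_ID = "https://www.airbnb.com", "airbnb.com"  # constructed
def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

class ToyAuthenticator:
    """Stand-in for a security key; HMAC with a per-credential secret replaces the EC signature."""
    def __init__(self):
        self.creds = {}                                 # (rp_id, cred_id) -> secret
    def register(self, rp_id):
        cred_id, secret = os.urandom(8), os.urandom(32)
        self.creds[(rp_id, cred_id)] = secret
        return cred_id, secret                          # secret doubles as the RP's stored key

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        secret = self.creds.get((rp_id, cred_id))
        if secret is None:                              # key was scoped to a different rp_id
            return None
        auth_data = rp_id_hash(rp_id) + b"\x01"         # rpIdHash || flags (user present)
        return auth_data, hmac.new(secret, auth_data + client_data_hash, "sha256").digest()

def browser_get(authn, origin, rp_id, cred_id, challenge):
    """Browser side: a page may only use an rp_id equal to, or a parent of, its own host."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if host != rp_id and not host.endswith("." + rp_id):
        return None, None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    return client_data, authn.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())

def rp_verify(secret, challenge, client_data, assertion):
    """Relying-party side: check origin and challenge, then rpIdHash, then the signature."""
    if client_data is None or assertion is None:
        return False
    auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("origin") != REAL_ORIGIN or cd.get("challenge") != challenge:
        return False                                    # relayed from another origin
    if auth_data[:32] != rp_id_hash(REAL_RP_ID):
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(secret, msg, "sha256").digest())

def login_from(origin, rp_id=REAL_RP_ID, challenge="constructed-challenge-1"):
    """Register a key for airbnb.com, then attempt a login from `origin`."""
    authn = ToyAuthenticator()
    cred_id, secret = authn.register(REAL_RP_ID)
    client_data, assertion = browser_get(authn, origin, rp_id, cred_id, challenge)
    return rp_verify(secret, challenge, client_data, assertion)
```

A proxy sitting between the victim and the real site hits both checks: the browser refuses to use airbnb.com as rp_id from the lookalike host, and an assertion it did obtain carries the lookalike origin in clientData.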

------
megous
Devilish reverse proxy? It's easily detectable in JS, no? I doubt the
attackers would be able to remove simple domain check from some obfuscated JS
code inside AirBnB fast enough, not to be detected and IP banned.

~~~
ttsda
They could access airbnb through something like the chrome dev tools protocol
and feed the clean html to the client, with no JS (other than some click
detection). Would probably have latency issues but would get around most
checks.

~~~
megous
Now that would be quite interesting. But it may be waaay harder to do, without
introducing all kinds of user visible quirks.

Have you seen something like that done to a JS heavy website?

~~~
ttsda
I implemented a (very initial) proof of concept of it using visual studio's
dev tools[1], although there are better implementations of it out there as far
as I can tell.

My implementation forwards over all of the HTML when a change happens, but
it's possible to access only the stuff that changes, and monitor such changes
using CDP DOM events.

I haven't seen it done in phishing sites but I don't visit them too often,
although it's certainly possible! The visible stuff would be mostly the
latency between interaction and stuff happening on the page, especially with
hovering.

[1]
[https://gist.github.com/tiagoad/2a2305a9156dea0e425fd57332a9...](https://gist.github.com/tiagoad/2a2305a9156dea0e425fd57332a951e8)

~~~
megous
Thank you.

------
negamax
The money gets wired to a bank account in UK? This should be easy to track and
prosecute. Law agencies as well need to be slightly proactive here and not
wait for complaints to come to them.

------
jklepatch
Can't victims just call their credit card company and ask for a chargeback? It
already works if you are not happy with an online purchase, so I don’t see why
it wouldn't work in case of fraud.

~~~
Scoundreller
Since Airbnb serves a lot of markets, I’m assuming that they support non-CC
payments of various types from non-Americans and non-Canadians.

Maybe those other bank-driven payments at least have Paypal-like protections,
or maybe they don’t.

------
abraae
Airbnb could scan new listings for the use of images taken from other people's
listings. Not foolproof but one example of the sort of countermeasures in
depth that are appropriate to try and combat these villains.

~~~
Scoundreller
The sites are probably not indexed, so Airbnb would have to run its own
crawler/spider to find them. But since Airbnb got its start crawling
classified ads... they have the tech.

~~~
mcintyre1994
I think the idea is that the scams in the OP originate on Airbnb and then take
you off-site after you've made contact, and they probably steal someone else's
pictures for that first fake listing on Airbnb itself.

------
grungleshnorts
Seems like Airbnb could monitor certificate transparency logs for these
sketchy domains to inspect and initiate legal action against (at least for
domains not using an airbnb subdomain).

~~~
mcintyre1994
I reported one to them through their support chat, full url + screenshots,
they said it was forwarded to “the concerned department” and then a few days
later closed the ticket. It’s still up and I haven’t heard anything from them
since. Maybe this article will make it a higher priority for them though if
there is anything they can do.

------
localhostdotdev
Reminds me of the beginning of e-commerce with all kinds of shady websites
before Amazon, PayPal and now Stripe came.

Gumtree is probably the one who is going to have to reimburse all those
people.

~~~
michaelmrose
Classified ad providers accept no liability for what people post on their
site.

For example, if I post a car for sale it's up to you to ensure the car exists,
have it checked out by a mechanic, etc.

The due diligence required to actually verify the buyer/seller would be
expensive and would require them to take a cut of the proceeds to fund it.

You can't have the price of Craigslist and the customer experience of Ebay.
Plenty of people would rather do the due diligence themselves and not pay an
intermediary.

------
leowoo91
Could this be AirBnB owned already as a security study?

~~~
dan-robertson
How does it make sense for Airbnb to own a service to scam their customers? It
seems clear that the service is paying out to the scammers so people are
clearly getting scammed, unless Airbnb are just taking the hit themselves.

