Knowing victims of similar scams, there are a few forces at play that make people unable to see the tell-tale signs of phishing that are unique to real estate and rentals:
1. Desperation for "deals." The prices are almost always below market, and people intuitively assume things will not be around for long. The city, friends in the émigré/immigrant areas, the new employer, etc. are all to blame for increasing the desperation and, without any coordination, help the scammer pressure the mark to close.
2. Intense peer pressure. Moving is stressful, but people deal with stressful stuff all the time. The difference is she has a partner, a family member or a boss who depends on her to be living in a certain place by a certain time, and who rarely contributes to decision-making. This is a pretty common sales pressure tactic that car salesmen and conventional real estate agents use; for rentals it's pretty much guaranteed you'll have a second person pressuring the mark to close quickly at any cost.
3. Non-reversible payments being the norm. Real estate is paid with non-reversible payments. Banks could easily reverse these charges. Usually the recipients of the payments are themselves marks--ordinary people who are used as blank-check businesses and cooperate, unwittingly, as the settler of payments for the scammer. The paper trail is there and it's super easy to reverse, but banks have no mechanism to report inter-bank fraud with the proper urgency. There simply is no number to call or teller to communicate to. The banks, in this way, pressure the mark into putting it all past them because it's no skin off their back.
Society does no one any favors in seeing past these scams. Real estate rental puts the mark into an incredibly vulnerable position.
The solutions are simple. If payment is digital, it should be the norm that it is reversible. Flexible start dates for jobs that require moving enshrined in the law (moving benefit does not alleviate the pressure to save). And a place where you can see rental rates and turnover to indicate to people when a deal is too good to be true.
It's refreshing to see a comment that addresses some of the roots of the problem. Rather than only focusing on plugging holes in the dam, spend some effort finding ways to let off the pressure at the source.
This would be an incredibly broad intervention in the hiring process of all employers to deal with a narrow scam that is very rare as a fraction of all job moves.
But to set up a criminal SaaS, that other criminals pay to use, and to somehow think you cannot be found or caught?
It just seems that this sub-world has been allowed to develop and evolve for so long that they have stumbled upon whole ecosystems.
It's going to be hard to uproot.
And here's more about one of the larger parts of the ecosystem: carding websites. https://krebsonsecurity.com/2016/03/carders-park-piles-of-ca...
It's ransomware with a commission scheme.
> It’s curious to note that the program offers a 60-40 split in profits, with 60 percent offered to the customer. However, the gang is willing to negotiate up to a 70-30 split for customers that are considered more “sophisticated”, researchers say.
I got that one from a listing on OpenRent (UK private letting site); when I contacted them they tried to get me to book on “Airbnb” in order to view it and sent a bit.ly link that redirected to that phishing site. Add /rooms/586795 for the listing; it’s still up.
Interestingly, the site appears to only change the location of the listing and leaves all the other details (host, reviews etc.) exactly the same. Modifying the ID randomly redirects to the real Airbnb homepage.
> Then we noticed that the URL of the listing was a little bit off. It showed “www.airbnb.com-request-booking.space/booking/…”. We were a bit confused by this, but as the URL started with “www.airbnb.com” I figured there was no way it could be a SPAM site.
This high-level description fails to identify the server name part of the URL, and they don’t get to it later on in the article. It should be Internet 101, but apparently it isn’t. If they understood the server name part of the URL they’d know exactly why that URL isn’t on airbnb.com and Airbnb has no control over it.
On the positive side, if they miss this, they are likely not getting scammed because they’re desperate. I’m sure that’s why some get scammed but certainly not all of them. I don’t think wishing for something that’s too good to be true is the biggest reason people get scammed.
Ugh. The worst. I have to explain weekly that microsoftonline.com is fine, az.co is really Amazon, why things like amazon.training are legit, what x.co or other link shorteners are, and that only the last . matters and the letters immediately before and after it.
It’s a bad system, made worse by people that should know better.
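As an added example (not code from anyone in this thread), here is the check the two comments above describe, done the way a browser does it: parse the link with the WHATWG URL parser, take the hostname, reduce it to its registrable domain (the public suffix plus one more label), and compare that against an allowlist. PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List, included so the block runs offline; a real check would load the full list, since suffixes like co.uk span more than one label. The sample links are constructed, apart from the first, which is the host quoted from the article above.

```javascript
// Added example, not from the thread. PUBLIC_SUFFIXES is a constructed subset of the
// Public Suffix List that covers the hosts used below; load the real list in practice.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co", "space", "training", "co.uk"]);

// Registrable domain = longest known public suffix plus one more label.
// "www.airbnb.com-request-booking.space" -> "com-request-booking.space"
// Returns null for single-label hosts (e.g. "localhost"); IP literals are returned
// unchanged so they can never match a domain allowlist.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  if (labels.length < 2) return null;
  for (let i = 1; i < labels.length; i++) {
    // Smallest i that matches gives the longest listed suffix.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  // No listed suffix matched: PSL default rule, the last label is the suffix.
  return labels.slice(-2).join(".");
}

// Parse with the same parser the browser uses, so userinfo tricks such as
// "https://www.airbnb.com@evil.space/" resolve to the real host (evil.space),
// then compare the registrable domain against the allowlist. A link only passes
// if it is https AND its registrable domain is allowlisted. Returns null for
// input that is not a URL at all.
function checkLink(href, allowedDomains) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null;
  }
  const domain = registrableDomain(url.hostname);
  const allowed =
    url.protocol === "https:" && domain !== null && allowedDomains.includes(domain);
  return { hostname: url.hostname, domain, allowed };
}

// Constructed sample links; the first is the host quoted from the article.
const SAMPLE_LINKS = [
  "https://www.airbnb.com-request-booking.space/booking/abc",
  "https://www.airbnb.com/rooms/586795",
  "https://www.airbnb.com@evil.space/rooms/586795",
  "http://www.airbnb.com/rooms/586795",
];

for (const href of SAMPLE_LINKS) {
  console.log(href, "->", JSON.stringify(checkLink(href, ["airbnb.com"])));
}
```

The point the loop makes: the quoted phishing host begins with the literal bytes "www.airbnb.com", yet its registrable domain is com-request-booking.space, and the @-form link that also "starts with" www.airbnb.com is really evil.space. Only the hostname the parser yields, reduced to suffix-plus-one-label, says who controls the page.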
Airbnb could help by adding some type of robust multi-factor authentication, such as Security Keys — which would defeat these Airbnb phishing pages. According to twofactorauth.org, Airbnb currently does not support any type of multi-factor authentication that users can enable.
The idea is really to get you making a payment on their fake website. They don't need you to log in at all; I imagine they use it to look for password re-use more than to log in to the victim's Airbnb itself. Skipping login is less suspicious, and when you've contacted them on Airbnb they have your name, so they can put that into a query param (mine already did this, presumably for tracking) and show you logged in, addressing you by name.
Have you seen something like that done to a JS heavy website?
My implementation forwards over all of the HTML when a change happens, but it's possible to access only the stuff that changes, and monitor such changes using CDP DOM events.
I haven't seen it done in phishing sites but I don't visit them too often, although it's certainly possible! The visible stuff would be mostly the latency between interaction and stuff happening on the page, especially with hovering.
Maybe those other bank-driven payments at least have Paypal-like protections, or maybe they don’t.
Gumtree is probably the one who is going to have to reimburse all those people.
For example, if I post a car for sale, it's up to you to ensure the car exists, have it checked out by a mechanic, etc.
The due diligence required to actually verify the buyer/seller would be expensive and would require them to take a cut of the proceeds to fund it.
You can't have the price of Craigslist and the customer experience of eBay. Plenty of people would rather do the due diligence themselves and not pay an intermediary.