‘Land Lordz’ Service Powers Airbnb Scams (krebsonsecurity.com)
155 points by feross 6 days ago | 50 comments

I sympathize with the victims here, and these scams are very horrible.

Knowing victims of similar scams, there are a few forces at play that make people unable to see the tell-tale signs of phishing that are unique to real estate and rentals:

1. Desperation for "deals." The prices are almost always below market, and people intuitively assume things will not be around for long. The city, friends in the émigré/immigrant areas, the new employer, etc. are all to blame for increasing the desperation and help the scammer without any coordination to pressure the mark to close.

2. Intense peer pressure. Moving is stressful, but people deal with stressful stuff all the time. The difference is she has a partner, a family member or a boss who depends on her to be living in a certain place by a certain time, and rarely contributes to decision-making. This is a pretty common sales pressure tactic that car salesmen and conventional real estate agents use; for rentals it's pretty much guaranteed you'll have a second person pressuring the mark to close quickly at any cost.

3. Non-reversible payments being the norm. Real estate is paid with non-reversible payments. Banks could easily reverse these charges. Usually the recipients of the payments are themselves marks--ordinary people who are used as blank-check businesses and cooperate, unwittingly, as the settler of payments for the scammer. The paper trail is there and it's super easy to reverse, but banks have no mechanism to report inter-bank fraud with the proper urgency. There simply is no number to call or teller to communicate to. The banks, in this way, pressure the mark into putting it all past them because it's no skin off their back.

Society does no one favors to see past these scams. Real estate rental puts the mark into an incredibly vulnerable position.

The solutions are simple. If payment is digital, it should be the norm that it is reversible. Flexible start dates for jobs that require moving enshrined in the law (moving benefit does not alleviate the pressure to save). And a place where you can see rental rates and turnover to indicate to people when a deal is too good to be true.

There are some short-sighted counter-tactics showing up in this thread. "Do 2FA!" "Detect activity in JS!" "Scan new listings for copied images!" Sure, do those things. However, expect that after you fix the vulnerabilities currently being exploited, the bad guys will find others. They have every incentive to do so.

It's refreshing to see a comment that addresses some of the roots of the problem. Rather than only focusing on plugging holes in the dam, spend some effort finding ways to let off the pressure at the source.

Some problems are fixable NOW. Some of them, like the ones above, are fixable after many years of work, and someone pushing it. Are you going to push for those changes? Or just make snarky comments?

2FA is not a solution. Maybe you mean U2F.

Loads of people think 2FA solves more than just mass password spraying. How the hell did we get here?

> Flexible start dates for jobs that require moving enshrined in the law

This would be an incredibly broad intervention in the hiring process of all employers to deal with a narrow scam that is very rare as a fraction of all job moves.

This is a mindset I cannot understand - it's quite within most developers' reach that they could scrape and reproduce Airbnb. It's quite within most people's ethics to realise you could then take money off people who did not spot it.

But to set up a criminal SaaS, that other criminals pay to use, and to somehow think you cannot be found or caught?

It just seems that this sub-world has been allowed to develop and evolve for soooo long they have stumbled upon whole ecosystems.

It's going to be hard to uproot.

There really are ecosystems. And there's some really low-hanging fruit. Groups specializing in "a broad spectrum of shady activities, including spamming, wire fraud, account takeovers, phony tax refunds, 419 scams, denial-of-service attack-for-hire services and botnet creation tools" were on Facebook for an average of two years and over 300,000 users. https://krebsonsecurity.com/2018/04/deleted-facebook-cybercr...

And here's more about one of the larger parts of the ecosystem: carding websites. https://krebsonsecurity.com/2016/03/carders-park-piles-of-ca...

Ransomware-as-a-service toolkits have been for sale for at least 5 years now.

Check out GandCrab: https://sensorstechforum.com/gandcrab-criminals-affiliates-r...

It's ransomware with a commission scheme.

> It’s curious to note that the program offers a 60-40 split in profits, with 60 percent offered to the customer. However, the gang is willing to negotiate up to a 70-30 split for customers that are considered more “sophisticated”, researchers say.

Unsure whether this one’s related, but there’s a similar scam run on https://airbnb.com.longterm-listing[.com] as well.

I got that one from a listing on OpenRent (UK private letting site), when I contacted them they tried to get me to book on “Airbnb” in order to view it and sent a bit.ly link that redirected to that phishing site. Add /rooms/586795 for the listing, it’s still up.

Hey - OpenRent founder here. Would you mind emailing me details of your experience to security@openrent.co.uk?

Happy to - I think I already sent some details there when the listing was removed, I'll see if I have any more I didn't send. Happy to say for the record publicly that OpenRent removed the listing shortly after I contacted the scammer and advised me it was removed for fraud and to be extremely cautious.

Looks like it's dead.

Still up for me, weird - I wonder if they're region-locking by IP address or something?

Up for me, visiting from Berlin, can't possibly be in my cache. Perhaps the GP forgot to add the ".com"?

Interestingly, the site appears to only change the location of the listing and leaves all the other details (host, reviews etc.) exactly the same. Modifying the ID randomly redirects to the real Airbnb homepage.

Oh interesting, does the listing show as in Berlin for you? I got it to show a place in a Swedish ski resort somehow when I was first clicking around and reporting it, but then that disappeared and I never saw it again.

The default is rooms/804806 with location given as Campo Pequeno in Lisboa for me, but the one you gave was claimed to be in London. Incidentally, that one also redirects me to Airbnb now; maybe it was automatically removed due to increased traffic.

Maybe it only supports Euros, so they just block non euro IPs?

The site could possibly still be stuck in OP's cache.

This article links to a story about someone almost falling for the scam involving a fake AirBnb site:

> Then we noticed that the URL of the listing was a little bit off. It showed “www.airbnb.com-request-booking.space/booking/…”. We were a bit confused by this, but as the URL started with “www.airbnb.com” I figured there was no way it could be a SPAM site.

This high-level description fails to identify the server name part of the URL and they don't get to it later on in the article. It should be Internet 101, but apparently it isn't. If they understood the server name part of the URL they'd know exactly why that URL isn't on airbnb.com and Airbnb has no control over it.

On the positive side, if they miss this, they are likely not getting scammed because they’re desperate. I’m sure that’s why some get scammed but certainly not all of them. I don’t think wishing for something that’s too good to be true is the biggest reason people get scammed.

Problem is, hardly anyone knows how a URL and domain name work, which makes sense because they follow some rules that are simple but not obvious without education. This is made worse by the fact that many companies use 100 different domain names, so the legit websites are impossible to tell from scams.

> This is made worse by the fact that many companies use 100 different domain names so the legit websites are impossible to tell from scams

Ugh. The worst. I have to explain weekly that microsoftonline.com is fine, az.co is really amazon, why things like amazon.training are legit, what x.co or other link shorteners are, and that only the last . matters and the letters immediately before and after that.

It’s a bad system, made worse by people that should know better.

The people that should know better are, I'm afraid, us. I recall many complaints a few months ago when the idea was floated for Chrome to not show the URL in the location bar but instead display the organization name from the SSL certificate.

That would give the EV Certificate vendors, who have shown many times they can't be trusted, too much power, and turn the web into a walled garden, or it would be useless. Take your pick.

"Look carefully at the URL" has never been a legitimate solution for phishing. And it's completely unfair to use it as a way to blame users.

Interesting that, according to the article, Airbnb doesn't do 2FA:

> Airbnb could help by adding some type of robust multi-factor authentication, such as Security Keys — which would defeat these Airbnb phishing pages. According to twofactorauth.org, Airbnb currently does not support any type of multi-factor authentication that users can enable.

If people don't realize they are on a different domain, have to sign up for a new account, wire some random person money instead of going through the normal AirBnb process with their credit card on file I doubt they'd use 2FA if it's not forced for everyone.

They don't make you sign up for a new account. If they ask you to log in it's to harvest email/password, but they're faking it's your Airbnb login - they'll just accept whatever you give, say you're logged in and let you give payment, if they even bother to ask you to log in.

They obviously should but it wouldn't really help here. Realistically if a scammer gets my Airbnb email and password they're probably not going to be able to do anything that won't expose themselves, and I'd expect to eventually get my money back from Airbnb if it was all on their platform.

The idea is really to get you making a payment on their fake website. They don't need you to log-in at all, I imagine they use it to look for password re-use more than to log in to the victim Airbnb itself. Skipping login is less suspicious and when you've contacted them on Airbnb they have your name, they can put that into a query param (mine already did this presumably for tracking) and show you logged in addressing you by name.

How would multifactor solve this? It only solves mass password sprays.

The article suggests MFA as a solution, but surely you just MITM the MFA entry while you're MITM'ing any other contents of a user's Airbnb session? (If you even need to access actual Airbnb contents for your spoof site to seem legit enough.)

U2F prevents MITM by tying keys to the origin sites, but yes, other MFA approaches can be attacked this way.

Devilish reverse proxy? It's easily detectable in JS, no? I doubt the attackers would be able to remove a simple domain check from some obfuscated JS code inside Airbnb fast enough not to be detected and IP banned.

They could access airbnb through something like the chrome dev tools protocol and feed the clean html to the client, with no JS (other than some click detection). Would probably have latency issues but would get around most checks.

Now that would be quite interesting. But it may be waaay harder to do, without introducing all kinds of user visible quirks.

Have you seen something like that done to a JS heavy website?

I implemented a (very initial) proof of concept of it using visual studio's dev tools[1], although there are better implementations of it out there as far as I can tell.

My implementation forwards over all of the HTML when a change happens, but it's possible to access only the stuff that changes, and monitor such changes using CDP DOM events.

I haven't seen it done in phishing sites but I don't visit them too often, although it's certainly possible! The visible stuff would be mostly the latency between interaction and stuff happening on the page, especially with hovering.

[1] https://gist.github.com/tiagoad/2a2305a9156dea0e425fd57332a9...

Thank you.

The money gets wired to a bank account in the UK? This should be easy to track and prosecute. Law agencies also need to be slightly proactive here and not wait for complaints to come to them.

Can't victims just call their credit card company and ask for a chargeback? It already works if you are not happy with an online purchase, so I don't see why it wouldn't work in case of fraud.

Since Airbnb serves a lot of markets, I’m assuming that they support non-CC payments of various types from non-Americans and non-Canadians.

Maybe those other bank-driven payments at least have Paypal-like protections, or maybe they don’t.

Airbnb could scan new listings for the use of images taken from other people's listings. Not foolproof but one example of the sort of countermeasures in depth that are appropriate to try and combat these villains.

The sites are probably not indexed, so Airbnb would have to run its own crawler/spider to find them. But since Airbnb got its start crawling classified ads... they have the tech.

I think the idea is that the scams in the OP originate on Airbnb and then take you off-site after you've made contact, and they probably steal someone else's pictures for that first fake listing on Airbnb itself.

Seems like Airbnb could monitor certificate transparency logs for these sketchy domains to inspect and initiate legal action against (at least for domains not using an airbnb subdomain).
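The "only the last dot and the labels around it matter" rule from the earlier comment and the certificate transparency monitoring idea above can both be applied mechanically. This is an added example, not code from the thread, from Airbnb or from Krebs; the tiny public-suffix table, the allowlist of brand-owned domains and the sample CT names are all assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List; a real monitor loads
# the full list so that e.g. "co.uk" is never mistaken for a registrable name.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
# Assumption: the registrable domains the brand actually owns (an allowlist).
LEGIT_DOMAINS = frozenset({"airbnb.com", "airbnb.co.uk"})

def registrable_domain(host: str) -> str:
    """eTLD+1: the label before the public suffix plus the suffix. Everything
    left of it is chosen freely by whoever controls that registration."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])

def impersonates(url: str, brand: str = "airbnb",
                 legit: frozenset = LEGIT_DOMAINS) -> bool:
    """True when the brand name appears in the host but the registrable
    domain is not one the brand owns."""
    if "://" not in url:  # tolerate a bare host pasted from a message
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return brand in host and registrable_domain(host) not in legit

def flag_ct_names(names, brand: str = "airbnb",
                  legit: frozenset = LEGIT_DOMAINS) -> list:
    """Keep the certificate subject names (wildcards included), as a
    Certificate Transparency monitor sees them, that look like impersonation."""
    flagged = []
    for name in names:
        host = name[2:] if name.startswith("*.") else name
        if impersonates(host, brand, legit):
            flagged.append(name)
    return flagged

# Constructed sample of names a CT monitor might observe (not real log data).
SAMPLE_CT_NAMES = [
    "*.airbnb.com",
    "airbnb.com.longterm-listing.com",
    "www.airbnb.com-request-booking.space",
    "mail.example.org",
]
```

The same allowlist approach covers the "microsoftonline.com is fine" problem from the earlier comment: the check is on the registrable domain, not on whether a brand string appears anywhere in the host.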

I reported one to them through their support chat, full url + screenshots, they said it was forwarded to “the concerned department” and then a few days later closed the ticket. It’s still up and I haven’t heard anything from them since. Maybe this article will make it a higher priority for them though if there is anything they can do.

Reminds me of the beginning of e-commerce, with all kinds of shady websites before Amazon, PayPal and now Stripe came.

Gumtree is probably the one who is going to have to reimburse all those people.

Classified ad providers accept no liability for what people post on their site.

For example, if I post a car for sale it's up to you to ensure the car exists, have it checked out by a mechanic, etc.

The due diligence required to actually verify the buyer/seller would be expensive and would require them to take a cut of the proceeds to fund it.

You can't have the price of Craigslist and the customer experience of eBay. Plenty of people would rather do the due diligence themselves and not pay an intermediary.

Could this be Airbnb-owned already as a security study?

How does it make sense for Airbnb to own a service to scam their customers? It seems clear that the service is paying out to the scammers so people are clearly getting scammed, unless Airbnb are just taking the hit themselves.
