Airbnb's Customers Have Been Fooled: Have Yours?

The 3 Successful Brand Phishing Attack Trends This Summer

A Segasec study of phishing scams targeting popular short-term rental and travel booking websites found that Airbnb attracted 15x as many potential attacks as other well-known booking sites such as eDreams or Skyscanner. The bigger the brand, the larger the threat, but every business, SMBs included, needs to take seriously the risk of its customers being fooled by a website that mimics its own.

The research points to three main techniques behind successful phishing campaigns against consumers. They are cheap to run, insidious, and often impossible for the average user to spot.

1. Man in the Middle Attacks

These are the most sophisticated phishing scams, and they have a high success rate: the attacker sits between your customer and your legitimate site, relaying traffic in both directions and reading or altering it as it passes.

The user is lured to the attacker's domain, typically by an email that appears to come from you or by branding that copies yours, and logs in there. The attacker's server is a reverse proxy: it forwards every request to your real site and returns the real responses, so from the user's point of view the login genuinely works. Everything the user submits, including the password and any one-time code, and the session cookie your site sets on success, passes through the proxy and can be captured. In the example from the false domain http://www[.]airbnbpromo[.]coupons/, the page looks like a legitimate Airbnb landing page, and the lure of free credit is enough to get an unsuspecting user to hand over sensitive data through the proxy.


How Can I Protect My Customers? 

Classic network-level MITM attacks are addressed by configuring your servers with current TLS protocols and cipher suites and by enabling HSTS (HTTP Strict Transport Security), so browsers refuse plaintext or downgraded connections to your domain. Those controls do not touch proxy-based phishing: the victim's browser is talking to the attacker's domain, which your HSTS policy does not cover, and the proxy makes its own properly encrypted connection to you, so your servers see an ordinary-looking login from an unusual IP address. Phishing-resistant authentication such as FIDO2/WebAuthn closes part of the gap, because the credential is bound to your real origin and a login relayed from a lookalike domain fails. Beyond that, companies need to look outward and onboard security solutions that find lookalike domains and cloned pages behind the scenes, before customers reach them.
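The outward-looking part of that advice starts with classifying candidate hostnames against the brand they impersonate. The script below is an added example, not Segasec's product or Airbnb's code: it splits a hostname into subdomain, registrable label and public suffix, then reports whether the brand sits in the subdomain (as in airbnb.com.guestscommunity.top), inside the registrable label (airbnbpromo.coupons, airbnbsupport.ro), or one edit away from it (a typo or homoglyph registration). The brand list, the owned-domain set, the abbreviated public-suffix table and the edit-distance budget are assumptions chosen for illustration; a production version would use the full public-suffix list. It accepts defanged input with `[.]`, so the three domains quoted on this page can be fed in as written.

```python
"""Flag hostnames that borrow a protected brand name.

Added example, not Segasec's product or Airbnb's code. PROTECTED_BRANDS,
OWNED_DOMAINS, MULTI_LABEL_SUFFIXES and MAX_EDITS are assumptions for
illustration; the sample hosts are the three quoted in the article.
"""
from __future__ import annotations

from urllib.parse import urlsplit

PROTECTED_BRANDS = ("airbnb", "skyscanner", "edreams")                         # assumption
OWNED_DOMAINS = {"airbnb.com", "airbnb.co.uk", "skyscanner.net", "edreams.com"}  # assumption
# Stand-in for the public-suffix list; use the real list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
MAX_EDITS = 1  # edit-distance budget for a 'lookalike' verdict (tunable)


def hostname_of(target: str) -> str:
    """Accept a bare host, a URL, or a defanged ([.] / hxxp) form; return the lowercase host."""
    target = target.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in target:
        target = "http://" + target
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.lower().strip(".")


def split_domain(host: str) -> tuple[str, str, str]:
    """Return (subdomain, registrable label, public suffix)."""
    labels = host.split(".")
    suffix_len = 2 if len(labels) > 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    suffix = ".".join(labels[-suffix_len:])
    registrable = labels[-suffix_len - 1] if len(labels) > suffix_len else ""
    subdomain = ".".join(labels[:-suffix_len - 1]) if len(labels) > suffix_len + 1 else ""
    return subdomain, registrable, suffix


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str) -> dict:
    """Verdicts: owned, brand-in-subdomain, brand-in-registrable, lookalike, clean."""
    host = hostname_of(target)
    sub, reg, suffix = split_domain(host)
    registrable_domain = f"{reg}.{suffix}"
    result = {"host": host, "registrable_domain": registrable_domain,
              "verdict": "clean", "brand": None}
    if registrable_domain in OWNED_DOMAINS:
        result["verdict"] = "owned"
        return result
    for brand in PROTECTED_BRANDS:
        if brand in sub:
            # e.g. www.airbnb.com.guestscommunity.top: the brand is pushed into the subdomain
            result.update(verdict="brand-in-subdomain", brand=brand)
            return result
        if brand in reg.replace("-", ""):
            # e.g. airbnbpromo.coupons, airbnbsupport.ro, airbnb-login.example
            result.update(verdict="brand-in-registrable", brand=brand)
            return result
        if levenshtein(reg, brand) <= MAX_EDITS:
            # e.g. a1rbnb.com: typo or homoglyph registration
            result.update(verdict="lookalike", brand=brand)
            return result
    return result


if __name__ == "__main__":
    for sample in ("http://www[.]airbnbpromo[.]coupons/",
                   "http://www[.]airbnb[.]com[.]guestscommunity[.]top/",
                   "airbnbsupport[.]ro"):
        print(classify(sample))
```

Feed it newly observed domains from certificate-transparency logs or passive DNS rather than only new registrations; the subdomain case above is exactly the one a registration-only feed misses, because the registrable domain (guestscommunity.top) carries no brand string at all.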

2. Content Scraping

To build a believable fake, attackers need more than a similar-looking or similar-sounding domain name. They also need your branding: colors, fonts, logos and the images on your website. A copy of your site hosted elsewhere can be impossible to spot, especially if your brand protection is limited to alerts on domain registrations alone. The example from http://www[.]airbnb[.]com[.]guestscommunity[.]top/ shows attackers who scraped the Airbnb login page to reproduce the branding and style of the original.


How Can I Protect My Brand? 

Since some scrapers are legitimate (search engine crawlers, or market research firms gathering data), the hard part is separating malicious intent from benign traffic. Three checks help identify bots working for attackers: 

  1. A legitimate bot isn't trying to hide: it identifies itself in the User-Agent request header. Don't trust the header on its own, though, because it costs an attacker nothing to copy Googlebot's string. The major search engines publish how to verify their crawlers: do a reverse DNS lookup on the requesting IP, confirm the hostname is in the engine's domain (googlebot.com or google.com for Google), then resolve that hostname forward and check it returns the same IP. A request that claims to be a search crawler and fails this check is spoofed.
  2. Your robots.txt file states which paths crawlers may and may not fetch. Compliance is voluntary, and an attacker isn't waiting for an invitation, so a client that requests paths you have listed under Disallow is worth flagging. A disallowed path that no legitimate page links to makes a useful tripwire: only something crawling blindly will ask for it.
  3. No real user visits every page of your site, let alone within a short window. Behavioral analysis helps here: counting the distinct pages each client requests within a sliding time window separates a crawler from a person.
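The three checks above can all be run over an ordinary access log. The script below is an added example, not Segasec's product or Airbnb's code: it parses combined-format log lines, verifies a claimed Googlebot/bingbot User-Agent by reverse DNS and forward DNS, tests every requested path against robots.txt with the standard library's RobotFileParser, and counts distinct paths per client in a sliding window. The log lines, the robots.txt, the DNS answer tables and the thresholds are constructed for the demonstration; the two resolver callables stand in for socket.gethostbyaddr and socket.gethostbyname so that it runs offline.

```python
"""Spot scraping bots in web-server access logs.

Added example, not Segasec's product or Airbnb's code. Log lines,
robots.txt, DNS answer tables and thresholds are all constructed for
the demonstration; in production the two resolver callables would be
socket.gethostbyaddr and socket.gethostbyname.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Callable
from urllib.robotparser import RobotFileParser

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Reverse-DNS suffixes the engines publish for their crawlers.
SEARCH_BOTS = {"Googlebot": (".googlebot.com", ".google.com"),
               "bingbot": (".search.msn.com",)}
Resolver = Callable[[str], str]


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def claimed_bot(ua: str) -> str | None:
    """Name of the search crawler the User-Agent claims to be, if any."""
    return next((n for n in SEARCH_BOTS if n.lower() in ua.lower()), None)


def verify_search_bot(ip: str, ua: str, reverse: Resolver, forward: Resolver) -> bool:
    """Check 1: rDNS of the IP must land in the engine's domain and resolve back to the IP."""
    name = claimed_bot(ua)
    if name is None:
        return True            # nothing claimed, nothing to verify
    try:
        host = reverse(ip)
        return host.lower().endswith(SEARCH_BOTS[name]) and forward(host) == ip
    except OSError:            # no PTR record, or the hostname does not resolve
        return False


def analyze(log_text: str, robots_txt: str, reverse: Resolver, forward: Resolver,
            window_s: int = 60, max_distinct: int = 20) -> dict[str, set[str]]:
    """Run all three checks; return {ip: set of findings} for suspicious clients only."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    findings: dict[str, set[str]] = defaultdict(set)
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]].append(rec)
        if not verify_search_bot(rec["ip"], rec["ua"], reverse, forward):
            findings[rec["ip"]].add("spoofed-search-bot")        # check 1
        if not rp.can_fetch("*", rec["path"]):
            findings[rec["ip"]].add("ignores-robots")            # check 2
    for ip, recs in by_ip.items():                               # check 3
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:]
                         if (r["time"] - first["time"]).total_seconds() <= window_s]
            if len({r["path"] for r in in_window}) > max_distinct:
                findings[ip].add("crawler-like-rate")
                break
    return dict(findings)


# ---- constructed sample data (not real traffic) ----
_T0 = datetime(2019, 8, 10, 12, 0, 0, tzinfo=timezone.utc)
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/76.0 Safari/537.36"


def _line(ip: str, offset_s: int, path: str, ua: str) -> str:
    ts = (_T0 + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


SAMPLE_LOG = "\n".join(
    [_line("66.249.66.1", 0, "/listings/1", GOOGLEBOT_UA),       # genuine crawler
     _line("203.0.113.7", 5, "/listings/2", GOOGLEBOT_UA),       # copied User-Agent
     _line("198.51.100.9", 10, "/internal/report", BROWSER_UA)]  # disallowed path
    + [_line("198.51.100.9", 11 + i, f"/listings/{i}", BROWSER_UA) for i in range(25)]  # fast walk
)
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /internal/\n"
_RDNS = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com", "203.0.113.7": "vps7.example-host.net"}
_FDNS = {host: ip for ip, host in _RDNS.items()}


def fake_reverse(ip: str) -> str:
    if ip not in _RDNS:
        raise OSError("no PTR record")
    return _RDNS[ip]


def fake_forward(host: str) -> str:
    if host not in _FDNS:
        raise OSError("no A record")
    return _FDNS[host]


if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG, SAMPLE_ROBOTS, fake_reverse, fake_forward).items():
        print(ip, sorted(hits))
```

The thresholds (60 seconds, 20 distinct pages) are starting points to tune against your own traffic; a site with a dense navigation menu will see more legitimate page views per minute than a single-purpose login portal.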

3. Leveraging External Data

The research also shows a sharp rise in attacks that exploit simple context, such as a user's recent activity, the date or the time of year, to make a phishing lure plausible. Examples include the surge in Amazon-themed phishing around Prime Day, and the large increase in retail-themed attacks during peak shopping seasons from Black Friday through Christmas.

The statistics also show a growing share of attacks arriving as 'support' emails. A domain like airbnbsupport[.]ro does double duty: the word 'support' explains away the slightly different look of the message and borrows the trust users already place in the brand.


How Can I Protect My Users?

Because these attacks never touch your infrastructure, there is little you can deploy inside your own enterprise that will stop an attacker from trading on your brand name and reputation. Publishing a DMARC policy with p=reject for your own domains stops attackers from putting your exact domain in the From header, but it does nothing against airbnbsupport[.]ro, which the attacker owns outright. What you can do is educate your existing customers about the warning signs: tell them that you will never email them asking for passwords, payment details or other sensitive information, and that if a message looks suspicious they should ignore the links in it and start a fresh journey through your official app or website. 

Every Brand’s Biggest Blindspot

The growth in phishing scams, and the number of techniques that succeed, should be cause for concern. As businesses keep hardening their internal networks and data centers, they may be ignoring the biggest blind spot of all: the open web, where their brand is used without their involvement. It's time to think about what protection is in place for your customers, and how to keep your brand safe against phishing scams, whichever malicious tactic is used.