It might still be a little too early in the year to think about vacation, but there’s always a chance you’ll need some lodging and short notice and that’s where services like Airbnb come into play. The hugely popular service lets travellers temporarily lodge with people from all around the World, and in some situations that would be an attractive proposition for people with a bit of mischief in mind.

As it turns out, we saw a fake Airbnb login asking for credentials which appeared to be hosted on a compromised car rental service website. The site is now offline, but let’s see how the phish operated as you don’t tend to come across Airbnb phishes on a regular basis.

The page asked visitors to “Login with your Airbnb account”, offering them username and password fields to fill out. As you can see from the below screenshot, there was no https / green padlock on display in the URL bar, which you should always be looking for when being asked to login. Here’s a shot of the real Airbnb https indicator – spot the difference:

Airbnb phish

Check out that URL, too:

my(dot)airbnb(dot)com(dot)confim(dot)my(dot)account(dot)try1(dot)ca/login(dot)php

The only “genuine” part of the URL is the bit highlighted in bold (because that’s the main URL of the car rental service). The rest of the huge string of words is part of the scam, in terms of trying to make it look like it’s a very long Airbnb URL. This phishing address could cause problems for mobile users, as the bulk of what they’d see would be “airbnb(dot)confirm(dot)my(dot)account”, with the rest of it likely hidden off to the right of their small screen.

Entering user details and hitting the login button would lead to the next page:

Airbnbphish 2

Thank you. You have successfully confirmed your account information. Go to the main page.

From there, they’d be sent to the genuine Airbnb page.

Now, you may wonder why someone would want to steal an Airbnb login. Their security page may hold some clues:

  • Advance fee scam. This is where someone sends the scammer money – typically by wire transfer – in return for a service or product that never actually arrives.
  • Travel scam. This is where the scammer puts pressure on the victim to secure the “amazing” advertised property using payment methods (once again) outside of more usual channels.

Those would seem to be the most likely candidates – steer people away from the safety of the official website, and the sky’s the limit in terms of how you can try and part people from their money (and all too often, there’s no way to get it back).

One might ask why someone would go to the trouble of hijacking an account to advertise a property, when they could just set a fresh one up. The answer, as with so many things, boils down to trust. If the phisher can swipe an account which is both verified and has lots of good reviews, then it would be so much easier to convince a potential victim that a suggested impending wire transfer is above board. This also means that the owner of the phished Airbnb account has a major reputation hit to deal with (and possibly more besides) after any initial money grab, which could cause some long term headaches.

A bit of an odd one, then, but you should never discount the value of a phished login, no matter how much you might think “But what could they do with this?” at first glance. There’s always something to be gained by a spot of credential pilfering, so please be cautious around any Airbnb-themed emails inviting you to login and / or confirm your account details.

Christopher Boyd