Anatomy of a Rental Phishing Scam

Jeffrey Ladish writes: I was recently the (unsuccessful) target of a very well-crafted phishing scam. As part of a housing search a few weeks ago, I was trawling craigslist and zillow for rental opportunities in the SF bay area. I reached out to a beautiful looking rental place to inquire about a tour. Despite my experience as a security professional, I didn't realize this was a scam until about the third email! Below I will account the story in excessive detail including screenshots. [...] The phishing team -- and given the work involved and the level of polish I bet it was a team -- ran a pretty tight operation. Their English was perfect, their emails looked professional, and their phishing site looked identical the original Airbnb site. The email domain "engineers-hibernia-chevron [dot] ca" redirected to "hibernia [dot] ca" to add legitimacy for those who took the extra step of looking up the domain.

I'm even more impressed by their subtle psychological tricks. Each step of the way, they left out information which required me to ask for something if I wanted to proceed. It's a lot easier to be on your guard when others are asking you for things. When you're the one doing the asking, it's even harder to say something when things look strange, because you may already feel like you're being a burden on their time. For the initial ad, they left out the phone number so I had to ask. After they told me I could look at their airbnb site, I had to ask for a link. Then, after they sent me to search on Airbnb's site, I had to ask for the link again! That was deliberately planned! Throughout these interactions, they mentioned there were other people looking, maintaining a plausible sense of urgency. Finally, using Airbnb as the phishing site was clever, because it gave the impression of a trusted middleman. I was genuinely thrown off at first, because I couldn't figure out how they were planning to steal my financial information. If they had just asked for bank or credit card information early on, their game would have been easy to spot.

Craigslist

[110010001000]

"As part of a housing search a few weeks ago, I was trawling craigslist "
 
Uh, what? Stopped reading there.

Re:

[sinij]

I guess that is SV thing, where they have to go into Thunderdome and fight to death over available rentals.

Re:

[110010001000]

I see. Someone modded me down, so it must be normal to use Craigslist to get a place to live. Carry on! Nothing can possibly go wrong.

Re:

[Anonymous Coward]

If one treats it like what it is (a free classifieds posting site), there shouldn't be too much issue. Someone could conduct similar scams via conventional classifieds as well. While harder and costlier to implement, the scammer can exploit a local paper's classifieds for its perceived trustworthiness. While I don't really disagree with the sentiment of your post, I find that dismissive attitudes are generally presented by one who is trying their hardest to avoid contributing anything meaningful to a conver

Re:

[nomad63]

There is nothing wrong with trying to find a place to live. I did this same thing in San Diego back in 2010 and it was a legitimate property management company. I rented the place with 1 year lease. The lived there for another 5 months on month to month basis as my job situation was fluid at the moment. They asked for another year lease and I was not ready to commit so I had to leave. But it was no scam. Although nowadays, CL became the hotbed of scam artists to my dismay.

Re:Craigslist

[mopower70]

Are you serious? Where do you live? Craigslist is probably the most comprehensive site for rental/sublet/roommate listings in the LA area. I'm guessing, but I'd venture to say 3/4ths of the listings are by property management companies or realtors. Frankly, you'd be a moron for not looking on Craigslist in SoCal.

Re:

[taustin]

I'm guessing, but I'd venture to say 3/4ths of the listings are by property management companies or realtors.

And the other 1/4 are outright criminal fraud, or people so stupid they should be institutionalized for their own safety who think they know how to rent stuff.

Frankly, you'd be a moron for not looking on Craigslist in SoCal.

Indeed. But you're be a bigger moron for not assuming that the to good to be true deals are just that.

Re:

[Aighearach]

Why would property management companies have listing that were too good to be true?

Did you know you can look up who owns a property in most places?

Re:

[barc0001]

People do it all the bloody time man... what's your damage?

Back when I rented instead of owned, I rented 2 places from Craigslist. Other acquaintances used Craigslist just last year to get a nice rental.

Re:

[iroll]

It really depends where you live, I guess. In Phoenix, if you want to live in a big, stuccoed human storage center with convenient freeway access, you probably don't need craigslist. But if you want to live in an owner-managed duplex in a specific neighborhood? You're going to want to check classifieds, including craigslist, zillow, etc.

My last rental, where I lived for five years, was a craigslist find. It was only on the site for a few hours when I found it. When I moved out, it was rented again within a

Re: Craigslist

[gl4ss]

Rental classifieds entire point is to post rentals.

It is entirely normal. Mabe you ask for them on bill gates discord but normal people post and find them on classifieds sites.

Soon you'll be shocked about finding handymen from facebook marketplace.

I mean, do you live on the moon or what? Or are you a dumb f who just pays other people to go through classifieds? I mean you do know thats what middlemen do too right?

Re:

[Aighearach]

They stopping doing adult ads a long time ago, because they didn't find any other way to solve the problem.

They sell job postings and higher volume real estate posting to make money, and most other stuff is free.

Everything that used to be in classified ads either moved to ebay or craigslist.

So that is the formula:

Craigslist = Classified ads - ebay

Hope that clarifies it for you.

Re:

[Anonymous Coward]

Uh yeah? Unless things have changed a lot recently, yes many many people use Craigslist to post rentals. Do you still look at classified ads in the newspaper, Grandpa?

Re:

[registrations_suck]

I got an $80K/year job as a technical writer (In a low cost of living area) on Craigslist. Wouldn’t hesitate use it to find a place to live.

Re:

[alvinrod]

What do you suggest using? I've used craigslist several times throughout my life when searching for housing accommodations and have found that it reliably offers the best overall idea of what's out there and available, including from smaller landlords that can't afford to piss away a lot of money on a fancy website, SEO cruft, or a social media presence on platforms I'll never use.

Re:Craigslist

[Dixie_Flatline]

It depends on where you live. In Montreal, you almost always want to get a lease transfer, because it means the landlord can't raise the rent from what the previous person was paying. That means 99% of the time, you want to talk to someone that's already renting the place, not a landlord, and a rental broker will be hopeless there. That's also why you'd use Craigslist or Kijiji (what eBay classifieds are named here, I guess) instead of some other way.

So I don't know the particulars of that market, but critically, apparently, neither do you. Stop being a dick about it—things work differently in different cities. Lord.

Re:

[110010001000]

Um no it doesn't. This guy is about to fake rent a $4300 a month place with $4300 down. I'm not talking to some random dude to get a "lease transfer" (wtf). I don't care what city you are in, if you are doing that you are just plain stupid. See, this is what being an "adult" is.

Re:

[Dixie_Flatline]

No, see, being an adult is doing the appropriate thing at the appropriate time. Being an adult would've been asking, "What's a lease transfer? I've never heard of that before. Gee, I guess different jurisdictions have different rules." Lease transfers are incredibly common where I live. That you don't know or understand them doesn't mean that they don't exist, that they don't work, or that isn't how business is conducted here.

Re:Craigslist

[fred6666]

It depends on where you live. In Montreal, you almost always want to get a lease transfer, because it means the landlord can't raise the rent from what the previous person was paying.

This is a common misconception about rental laws in Quebec.
The reality is you can sign a lease for a $10000/month for a studio directly with the landlord. You can still go to the Régie du Logement and ask to pay what the previous guy was paying, plus a reasonable yearly increase (which should be about 1-2%).

I did it to reduce my monthly payment from something like $960 to $775 as a student.

Whether the lease is transferred or you sign a new one doesn't matter. You can still reject the price increase.

Re:

[Dixie_Flatline]

I *did* know you could reject the price increase, but I didn't know you could do it retroactively. I've always held it in my pocket in case my rent goes up exorbitantly, but finding someone and just transferring the lease at the price I want sounds much easier. :)

Re:

[random_nickname_pls]

When I was renting apartments in the '80's and '90's, I never used a realtor to find apartments or rental houses.

Re:

[110010001000]

Well then I understand why there are so many scammers. Congrats.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[barc0001]

> Am I the only adult here?

You spelled "luddite" wrong.

People have been using classifieds in the paper for decades to find rentals, and CL supplanted that about 15-20 years ago for most markets.

I don't know where you live, but where I'm from, it's possible there are rental agents to engage to find a property, but nobody I've ever met has used one. The realtors around here are concerned with selling expensive condos and houses. When your commission is 3% on a million dollar teardown crack shack, as a r

Re:

[jeff4747]

Am I the only adult here?

I'm doubtful you're an adult.

Realtors are not at all involved in rentals in most markets, because the commission on a lease is almost nothing in those markets.

It's almost like people do things differently in different places. Which an adult might understand.

Re:

[Aighearach]

Um no. There are entire companies that broker rentals. Am I the only adult here?

Ivan, we're talking about housing in the United States. No, you are not the only adult on planet Earth.

Re:

[jythie]

*blink* why would someone involve a realtor for renting an apartment? I do not think I have ever known someone to do that... I know such services exist, but I have never known anyone to be lazy enough, or enough of a sucker to actually use one.

Re:

[alvinrod]

Why the hell would I want to deal with a realtor if I want to rent an apartment for a year? I still have to spend time looking for something (in this case a realtor) and finding one that's going to do rentals. Even if they handle that, I'd only be directed to a subset of what's available in the city and I've pointless involved a middleman in the process which ensures I'm going to wind up paying more because they aren't working for free.

Jesus Christ indeed.

Re: Craigslist

[gl4ss]

Ok we get it now, you like to pay other people to read craigslist for you. Thats what you have been doing all your life.

Re:

[Bobartig]

In the bay area, craigslist is a must for apartment searching. You are doing yourself a huge disservice if you don't. Demand is so great here that you just post a craigslist ad and professionals just show up in hours ready to sign applications and background check authorizations. There are lots of landlords who are renting out part of a multi-unit, or renting an in-law unit and they don't go through commercial sites. I've seen lots of places based on Craigslist, and ultimately rented our last apt from a cra

Re:

[weilawei]

I've found most of my rental residences via Craigslist. I have been otherwise dissatisfied with the "normal" way of doing it. A fee for this, a fee for that, a fee for paying fees..

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Fly Swatter]

It only gets worse, the second part of that sentence includes 'rental opportunities'. Sounds more like marketing shtick from a marketing department, or some Hipster Doofus that fell into the grey market.

Bad way to search

[Way Smarter Than You]

If it isn't owned by a big corporate or is clearly a family rental then just don't. Real landlords won't drag you through a multi step process. They just want to get a decent renter ASAP and move on. Being a "security professional" won't help you here because you needed to know about rentals, not 0-day SSL flaws.

Re:

[sinij]

The last time I had to rent in SF bay area, the land lord yelled "Kalima" and tried to rip my heart out. The place is not too bad, but I have to commute over lava and a bunch of traps. But the rent is affordable and the neighbors are nice once you get to know them.

Re: Bad way to search

[perry64]

Think I live near you. The rail system is antiquated to the point of danger, but it's a thrilling start to the morning.

Red Flags

[OzPeter]

Whenever I interact with an unknown person on the internet and I ask them a direct, specific, non-intrusive, easily answerable question about the subject at hand and they choose to ignore it, a ginormous red flag immediately launches into the air.

Any legitimate person *wants* to do business with you, and will be generous with their responses.

Re:

[Maury Markowitz]

" I ask them a direct, specific, non-intrusive, easily answerable question about the subject at hand"

Hmmm. Example to use in this particular case?

I hope she reported this

[davidwr]

I hope she reported this to the proper people:

* Police. Even if they don't do anything, it will be in their annual statistics.
* Craigslist
* Airbnb
* Any other company that the scammers are using, except maybe those that obviously don't care. If the hosting service and DNS provider aren't scammer-friendly, contact them.

Re:

[sjames]

That's part of the problem. The police have no idea how to investigate this and nobody to pass it on to.

Craigslist MIGHT take the listing down and might terminate the account. The scammers will have a new one spun up in 5 minutes or less.

Airbnb: They're not actually involved as that wasn't actually their site. What do you expect them to do about it?

You might try alerting Google and various scam blocker operations so they can include the site in their bad lists. Of course, they'll probably get a new fake sit

Re:

[sjames]

They do have a tort action. But the bad guys are probably not in the U.S. so actually suing would be a losing proposition even if they can be found.

Point of the Matter

[SirAstral]

"Despite my experience as a security professional, I didn't realize this was a scam "

But you still identified one, no reason to feel bad about convincing mimicry. The harder someone works at subterfuge the more folks they can fool. The real problem are the people fooled by those barely working any subterfuge at all... "like two famous political parties in the USA" for example.

Do feel bad when you get fooled by something obvious otherwise... like everyone else... you are human and no matter how much experience or how much of a professional you are... you are still human. Learning to detect scams as much as they are learning to create more convincing ones!

"because you may already feel like you're being a burden on their time."

I can understand that people think this... but please shed that logic. They are offering a service and as a potential customer you should not feel inhibited by wasting their time. They signed up for it... them them have it, even if you wind up saying no at the end. That is the price of attracting attention for services, they know it! And if they have the nerve to get pissed off... unless it is obvious that you are wasting time, then you should not want to do business with them anyways!

Never Every let a business make you feel like you are a burden to them. They are there for your money, end stop. Make sure you get your moneys worth because they are not going to do that for you!

Re:

[sjames]

Exactly. Up until the fake Airbnb site, the whole thing was plausible. The key is catching the scam before sensitive information or money changes hands. Well done.

It is a bit disconcerting though, since it really does show a rare level of sophistication and it's easy to see how a reasonable person might not catch it in time, unlike so many of the scams out there.

Let's just hope Google wakes up and ceases their new war on the URL before they remove the last hint that something like this is a scam.

This is one

Re:

[thegarbz]

They are offering a service and as a potential customer you should not feel inhibited by wasting their time.

Some people have an inherent desire not to be a burden to others, which is understandable. Just because I'm being paid to do something doesn't mean a shit annoying customer wouldn't ruin my day.

Bad phishers are doing it intentionally

[Fross]

The scam in the article is well executed, that is for sure (until the url anyway). But one thing that is mentioned there, and often in general, is that it's easy to avoid phishing/scams because they have poor grammar, spelling and so forth.

This is correct but for the wrong reasons. The scammers are not too dumb to put together one coherent sentence, but rather they are hunting for the most gullible and dim targets intentionally.

If you send out a well-crafted scam and get lets say 10% replies, but 9.9% of them understand it is a scam after a few emails, you have wasted a lot of time and effort on people you won't scam. But if you send out what looks like a poorly-crafted scam and get only 0.1% replies, you know the people who did reply are, well, not the brightest crayon in the happy meal, and you've immediately found your marks. Scamming is a numbers game.

Re:

[sinij]

If you send out a well-crafted scam and get lets say 10% replies, but 9.9% of them understand it is a scam after a few emails, you have wasted a lot of time and effort on people you won't scam. But if you send out what looks like a poorly-crafted scam and get only 0.1% replies, you know the people who did reply are, well, not the brightest crayon in the happy meal, and you've immediately found your marks. Scamming is a numbers game.

Interesting, however I do not think this is intentional filtering by scammers. I honestly believe that broken English is the best most of these scammer could do, and if they had an ability to craft better responses they would. I also think that scamming works on a similar principle as telemarketing - more calls you make, more potential "sales" you get.

Re:

[Bobrick]

What you think is irrelevant, the OP was right about 99% of online scams.

Re:

[thegarbz]

But if you send out what looks like a poorly-crafted scam and get only 0.1% replies, you know the people who did reply are, well, not the brightest crayon in the happy meal, and you've immediately found your marks. Scamming is a numbers game.

You give them too much credit. Many scammers at the receiving end of a honeypot where the accounts are publicised use just as broken english and poor grammar when their game is up and they realise there's nothing more to be gained.

The reality is a lot of scammers are not only foreigners, but foreigners who don't hold legitimate jobs. It's the well crafted scams that are likely to have far better grasp of the language due to education.

(*Scratches Head*)

[ewhac]

He was sent a link that looked legitimate, but actually directed him to a phishing site. The image used to illustrate this is here [jeffreyladish.com].

However, the included header line says this is not a text/html document; it's text/plain. Therefore, the mail reader (GMail in this case) should not be doing any textual substitutions or markup parsing. My guess is that there's some Unicode glyph hacking going on with the slashes in the URL, but I'm not sure.

Anyone know what the deal is here?

Re:

[Anonymous Coward]

I would be willing to bet that GMail ignores MIME types if it sees what it thinks is HTML.

Re:

[weilawei]

Talk about an enormous security flaw, if so. Yes, let's just take this completely passive input and run it through a parser that does stuff!

No way that could ever go wrong, even for what's "just a markup format".

Re:

[almitydave]

When I send myself an email, Gmail includes both plaintext and HTML versions of the message (ignore the Slashdot URL helper in square brackets - that's not in the source):

Content-Type: multipart/alternative; boundary="------------4D616465596F754C6F6F6B21"
Content-Language: en-US

--------------4D616465596F754C6F6F6B21
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

I think this is the link you want:

http://www.youtube.com/ [youtube.com] <http://www.example.com>

Happy viewing

a plausible sense of urgency

[Culture20]

Any time a saleman tries to use urgency, cut them off and walk away. A saleman doesn't care if you get the deal over someone else, so they have no reason to let you know that. The only reason they try to create urgency is because there isn't another certain buyer/renter/rube, and *they* feel the urgency. Urgency as part of a hard-sell works, but it should always be a red flag to walk away even if the business is legit because it's proof that the salesman is willing to lie to make the sale, so you can't trust anything else they say.

Re:

[sjames]

More to the point, the salesman doesn't want you to think about the offer too hard.

Re:

[taustin]

Every time I have ever let someone hard sell me on anything, I have been ripped off.

It's been a long, long time since I've bought anything from a hard sell.

Re:

[ahodgson]

^ this

Rental opportunities in the SF bay area

[PPH]

A red flag right there. Unless it was a cardboard box in an alley.

I reached out to a beautiful looking rental place

[nuckfuts]

I'm not sure I would call this scam "phishing" when it was initiated by YOU reaching out.

The clincher

[Solandri]

If you don't want to read the whole thing, the way the scammers got your info was with a fake Airbnb site. When he asked for a link, he got one which showed:

https://airbnb.com/rooms-83710948/town/location/...

but actually directed to:

https://airbnb.com.rooms-83710948.town/location/...

This highlights two massive fails with decisions about how the Internet should operate.

• The addition of new Top Level Domains (in addition to .com, .net, .org, and the various country domains) is a veritable treasure trove for phishers. It's now much easier for them to create a fake site on a URL which looks like a legit URL. In this case, using the .town TLD allowed the phisher to create a hard-to-spot lookalike URL.
• The decision to make URL domain names little endian instead of big endian. USENET was created as big endian. The top level of the hierarchy came first, followed by lower levels. So for example you had a newsgroup named rec.arts.startrek. A recreation category, an arts subcategory, and the within it the startrek discussion newsgroup.

If domain name URLs had been made big endian, then the above link would've been:

https://com.airbnb/rooms-83710948/town/location/...

• Any phisher would be forced to register their phishing domain in the same TLD as the site they were trying to spoof. In this case .com. So you could protect .com domains from phishing simply by heightened policing of the .com domain. Other less "trustworthy" TLDs would always be the first thing in the URL, so people could automatically be cautious upon seeing them.
• com.airbnb would be owned by Airbnb. Anything coming after is totally under their control. So for example, com.airbnb.rooms would be a subdomain of com.airbnb, and thus automatically under the control of Airbnb. The best a phisher could do is register a new domain which started with "airbnb". So something like .com.airbnbrentals. But these type of fakes are much easier to spot.

Re:The clincher

[fintux]

However, if the policing would not be stricter, one could still have for example:

https://com.airbnb-rooms-8710948/town/location/...

And in this case, the difference to the original link is now only one character, and not two. If the new TLDs ever catch on, each of them would need to be stricter. But I think Firefox does one thing to help with detecting scams: it shows the domain and TLD in a highlight. In this case, Firefox would have sown "rooms-83710948.town" in highlight (Chrome, for example, would highlight the whole airbnb.com.rooms-83710948.town, and with a more subtle contrast, which can on a quick glance look like only the "airbnb.com" part was highlighted).

Re:

[fred6666]

the most important fail is the mail agent (gmail in this case) which allowed this substitution. Slashdot got this right by showing the domain name next to every link. Anyways, replacing URLs by text which look like an URL should be pretty easy to block.

Still, when trying to log on to the fake airbnb site, it should also fail or at least not show your name and picture.

Re:

[Aristos Mazer]

You make a good point (in my opinion). Maybe we should modify web browsers to highlight in bold the final phrase of the URL, so ".com" would be bold normally but ".town" would be bold here. That little shift might compensate for the URL design and new TLDs.

Re:

[atisss]

Then slashdot would be https://org.slashdot/ [org.slashdot] which wouldn't make any sense. We would probably be reading alternate site https://org.dotslash/ [org.dotslash] which again looses part meaning

Re:

[Anonymous Coward]

The simple solution is to simply refuse to have anything to do with web-pages-over-smtp. Turn that crap OFF and use text/plain only.

It is dead simple to spot the crap when you turn off the html ... the scams stand out like a sore thumb!

Scam details

[RJFerret]

Reading this I was like, where's the actual phishing/scam!?

Turns out they linked to airbnb.com.room-numbers.town while displaying an airbnb.com/rooms-numbers/town link in the email, which led to an interactive phishing page with booking possibility.

So it comes back to that importance of double-checking URLs (and browsers ALWAYS exposing plain urls to users).

Called the cops?

[AndyKron]

Hopefully you called the cops on these scammers Jeffrey.

You deserve to be scammed

[fred6666]

If you are ready to send $4300 to someone you've never met, for an apartment you've never seen.
No technological/Internet security knowledge is going to protect you if you don't get that.

Anyways you probably would have been covered by the credit card company, which likely have the power to get back its money from the vendor. So I still don't see how this scam could end up working. Perhaps for a small amount (such as $10) people wouldn't care but for $4300 I would definitely call my credit card company.

Trusted middleman?

[taustin]

"Finally, using Airbnb as the phishing site was clever, because it gave the impression of a trusted middleman."

Ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha.

I need a good laugh.

Re:

[account_deleted]

Comment removed based on user account deletion

Troll Alert

[kittylu]

Good to know that many of the comments are trolling, and not constructive for advice.

Scam?

[reanjr]

I didn't read anything about any actual scam.

Bay Area

[stikves]

Bay Area housing market is crazy. There is almost no delay between a house is listed, and is no longer available. They offer an open house for a weekend, and before the week starts the lease is already signed. I remember reading that area has 99% occupancy rate.

On the other hand, in my last few moves, there were many craigslist listings with little information, and owners acting distant. One was very slow to respond to emails. Another did not give a phone number, or even address of the property, until they learned our info. So these things are normal.

However
- airbnb listing
- being "out of town"
- not giving the address / phone after initial email exchanges
- not offering to see the house

are really big red flags, even in this distorted Bay Area market.

[ One hint I can give to fellow renters here: Set up craigslist alerts, and apply before anybody else. This seems to get best results so far. ]

Some other red flags

[Firedog]

1. The email address ending in engineers-hibernia-chevron.ca is a *huge* red flag. I have never seen a legit corporate email address that looks like this - you might see something like first.last@engineering.hibernia.chevron.ca, but even that would be unusual.

Why go to all that trouble? A gmail address would have been perfectly fine here and would not arouse suspicion.

2. If you are going to the trouble of spoofing a well-known website, it helps to get the font right. People might not notice the extra serif

Interesting article

[Hemi Rodner]

I liked the read. It's good to know how to detect scams like that. I also liked the hair of the author. He is really gorgeous [jeffreyladish.com]. Isn't he?