Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Anatomy of a Rental Phishing Scam (jeffreyladish.com) 94

Jeffrey Ladish writes: I was recently the (unsuccessful) target of a very well-crafted phishing scam. As part of a housing search a few weeks ago, I was trawling craigslist and zillow for rental opportunities in the SF bay area. I reached out to a beautiful looking rental place to inquire about a tour. Despite my experience as a security professional, I didn't realize this was a scam until about the third email! Below I will account the story in excessive detail including screenshots. [...] The phishing team -- and given the work involved and the level of polish I bet it was a team -- ran a pretty tight operation. Their English was perfect, their emails looked professional, and their phishing site looked identical the original Airbnb site. The email domain "engineers-hibernia-chevron [dot] ca" redirected to "hibernia [dot] ca" to add legitimacy for those who took the extra step of looking up the domain.

I'm even more impressed by their subtle psychological tricks. Each step of the way, they left out information which required me to ask for something if I wanted to proceed. It's a lot easier to be on your guard when others are asking you for things. When you're the one doing the asking, it's even harder to say something when things look strange, because you may already feel like you're being a burden on their time. For the initial ad, they left out the phone number so I had to ask. After they told me I could look at their airbnb site, I had to ask for a link. Then, after they sent me to search on Airbnb's site, I had to ask for the link again! That was deliberately planned! Throughout these interactions, they mentioned there were other people looking, maintaining a plausible sense of urgency. Finally, using Airbnb as the phishing site was clever, because it gave the impression of a trusted middleman. I was genuinely thrown off at first, because I couldn't figure out how they were planning to steal my financial information. If they had just asked for bank or credit card information early on, their game would have been easy to spot.

This discussion has been archived. No new comments can be posted.

Anatomy of a Rental Phishing Scam

Comments Filter:
  • Craigslist (Score:5, Funny)

    by 110010001000 ( 697113 ) on Friday February 07, 2020 @02:38PM (#59702436) Homepage Journal

    "As part of a housing search a few weeks ago, I was trawling craigslist "
     
    Uh, what? Stopped reading there.

    • by sinij ( 911942 )
      I guess that is SV thing, where they have to go into Thunderdome and fight to death over available rentals.
      • I see. Someone modded me down, so it must be normal to use Craigslist to get a place to live. Carry on! Nothing can possibly go wrong.

        • by Anonymous Coward
          If one treats it like what it is (a free classifieds posting site), there shouldn't be too much issue. Someone could conduct similar scams via conventional classifieds as well. While harder and costlier to implement, the scammer can exploit a local paper's classifieds for its perceived trustworthiness. While I don't really disagree with the sentiment of your post, I find that dismissive attitudes are generally presented by one who is trying their hardest to avoid contributing anything meaningful to a conver
        • by Anonymous Coward
          Uh yeah? Unless things have changed a lot recently, yes many many people use Craigslist to post rentals. Do you still look at classified ads in the newspaper, Grandpa?
        • I got an $80K/year job as a technical writer (In a low cost of living area) on Craigslist. Wouldn’t hesitate use it to find a place to live.

    • What do you suggest using? I've used craigslist several times throughout my life when searching for housing accommodations and have found that it reliably offers the best overall idea of what's out there and available, including from smaller landlords that can't afford to piss away a lot of money on a fancy website, SEO cruft, or a social media presence on platforms I'll never use.
    • by Bobartig ( 61456 )

      In the bay area, craigslist is a must for apartment searching. You are doing yourself a huge disservice if you don't. Demand is so great here that you just post a craigslist ad and professionals just show up in hours ready to sign applications and background check authorizations. There are lots of landlords who are renting out part of a multi-unit, or renting an in-law unit and they don't go through commercial sites. I've seen lots of places based on Craigslist, and ultimately rented our last apt from a cra

    • I've found most of my rental residences via Craigslist. I have been otherwise dissatisfied with the "normal" way of doing it. A fee for this, a fee for that, a fee for paying fees..

    • Comment removed based on user account deletion
    • It only gets worse, the second part of that sentence includes 'rental opportunities'. Sounds more like marketing shtick from a marketing department, or some Hipster Doofus that fell into the grey market.
  • If it isn't owned by a big corporate or is clearly a family rental then just don't. Real landlords won't drag you through a multi step process. They just want to get a decent renter ASAP and move on. Being a "security professional" won't help you here because you needed to know about rentals, not 0-day SSL flaws.
    • by sinij ( 911942 )
      The last time I had to rent in SF bay area, the land lord yelled "Kalima" and tried to rip my heart out. The place is not too bad, but I have to commute over lava and a bunch of traps. But the rent is affordable and the neighbors are nice once you get to know them.
  • Red Flags (Score:3, Informative)

    by OzPeter ( 195038 ) on Friday February 07, 2020 @02:53PM (#59702478)

    Whenever I interact with an unknown person on the internet and I ask them a direct, specific, non-intrusive, easily answerable question about the subject at hand and they choose to ignore it, a ginormous red flag immediately launches into the air.

    Any legitimate person *wants* to do business with you, and will be generous with their responses.

    • " I ask them a direct, specific, non-intrusive, easily answerable question about the subject at hand"

      Hmmm. Example to use in this particular case?

  • I hope she reported this to the proper people:

    * Police. Even if they don't do anything, it will be in their annual statistics.
    * Craigslist
    * Airbnb
    * Any other company that the scammers are using, except maybe those that obviously don't care. If the hosting service and DNS provider aren't scammer-friendly, contact them.

    • by sjames ( 1099 )

      That's part of the problem. The police have no idea how to investigate this and nobody to pass it on to.

      Craigslist MIGHT take the listing down and might terminate the account. The scammers will have a new one spun up in 5 minutes or less.

      Airbnb: They're not actually involved as that wasn't actually their site. What do you expect them to do about it?

      You might try alerting Google and various scam blocker operations so they can include the site in their bad lists. Of course, they'll probably get a new fake sit

  • by SirAstral ( 1349985 ) on Friday February 07, 2020 @02:55PM (#59702490)

    "Despite my experience as a security professional, I didn't realize this was a scam "

    But you still identified one, no reason to feel bad about convincing mimicry. The harder someone works at subterfuge the more folks they can fool. The real problem are the people fooled by those barely working any subterfuge at all... "like two famous political parties in the USA" for example.

    Do feel bad when you get fooled by something obvious otherwise... like everyone else... you are human and no matter how much experience or how much of a professional you are... you are still human. Learning to detect scams as much as they are learning to create more convincing ones!

    "because you may already feel like you're being a burden on their time."

    I can understand that people think this... but please shed that logic. They are offering a service and as a potential customer you should not feel inhibited by wasting their time. They signed up for it... them them have it, even if you wind up saying no at the end. That is the price of attracting attention for services, they know it! And if they have the nerve to get pissed off... unless it is obvious that you are wasting time, then you should not want to do business with them anyways!

    Never Every let a business make you feel like you are a burden to them. They are there for your money, end stop. Make sure you get your moneys worth because they are not going to do that for you!

    • by sjames ( 1099 )

      Exactly. Up until the fake Airbnb site, the whole thing was plausible. The key is catching the scam before sensitive information or money changes hands. Well done.

      It is a bit disconcerting though, since it really does show a rare level of sophistication and it's easy to see how a reasonable person might not catch it in time, unlike so many of the scams out there.

      Let's just hope Google wakes up and ceases their new war on the URL before they remove the last hint that something like this is a scam.

      This is one

    • They are offering a service and as a potential customer you should not feel inhibited by wasting their time.

      Some people have an inherent desire not to be a burden to others, which is understandable. Just because I'm being paid to do something doesn't mean a shit annoying customer wouldn't ruin my day.

  • by Fross ( 83754 ) on Friday February 07, 2020 @02:55PM (#59702494)

    The scam in the article is well executed, that is for sure (until the url anyway). But one thing that is mentioned there, and often in general, is that it's easy to avoid phishing/scams because they have poor grammar, spelling and so forth.

    This is correct but for the wrong reasons. The scammers are not too dumb to put together one coherent sentence, but rather they are hunting for the most gullible and dim targets intentionally.

    If you send out a well-crafted scam and get lets say 10% replies, but 9.9% of them understand it is a scam after a few emails, you have wasted a lot of time and effort on people you won't scam. But if you send out what looks like a poorly-crafted scam and get only 0.1% replies, you know the people who did reply are, well, not the brightest crayon in the happy meal, and you've immediately found your marks. Scamming is a numbers game.

    • by sinij ( 911942 )

      If you send out a well-crafted scam and get lets say 10% replies, but 9.9% of them understand it is a scam after a few emails, you have wasted a lot of time and effort on people you won't scam. But if you send out what looks like a poorly-crafted scam and get only 0.1% replies, you know the people who did reply are, well, not the brightest crayon in the happy meal, and you've immediately found your marks. Scamming is a numbers game.

      Interesting, however I do not think this is intentional filtering by scammers. I honestly believe that broken English is the best most of these scammer could do, and if they had an ability to craft better responses they would. I also think that scamming works on a similar principle as telemarketing - more calls you make, more potential "sales" you get.

    • But if you send out what looks like a poorly-crafted scam and get only 0.1% replies, you know the people who did reply are, well, not the brightest crayon in the happy meal, and you've immediately found your marks. Scamming is a numbers game.

      You give them too much credit. Many scammers at the receiving end of a honeypot where the accounts are publicised use just as broken english and poor grammar when their game is up and they realise there's nothing more to be gained.

      The reality is a lot of scammers are not only foreigners, but foreigners who don't hold legitimate jobs. It's the well crafted scams that are likely to have far better grasp of the language due to education.

  • (*Scratches Head*) (Score:4, Interesting)

    by ewhac ( 5844 ) on Friday February 07, 2020 @02:59PM (#59702508) Homepage Journal

    He was sent a link that looked legitimate, but actually directed him to a phishing site. The image used to illustrate this is here [jeffreyladish.com].

    However, the included header line says this is not a text/html document; it's text/plain. Therefore, the mail reader (GMail in this case) should not be doing any textual substitutions or markup parsing. My guess is that there's some Unicode glyph hacking going on with the slashes in the URL, but I'm not sure.

    Anyone know what the deal is here?

    • by Anonymous Coward

      I would be willing to bet that GMail ignores MIME types if it sees what it thinks is HTML.

      • Talk about an enormous security flaw, if so. Yes, let's just take this completely passive input and run it through a parser that does stuff!

        No way that could ever go wrong, even for what's "just a markup format".

    • When I send myself an email, Gmail includes both plaintext and HTML versions of the message (ignore the Slashdot URL helper in square brackets - that's not in the source):


      Content-Type: multipart/alternative; boundary="------------4D616465596F754C6F6F6B21"
      Content-Language: en-US

      --------------4D616465596F754C6F6F6B21
      Content-Type: text/plain; charset=utf-8; format=flowed
      Content-Transfer-Encoding: 7bit

      I think this is the link you want:

      http://www.youtube.com/ [youtube.com] <http://www.example.com>

      Happy viewing

  • by Culture20 ( 968837 ) on Friday February 07, 2020 @03:08PM (#59702528)
    Any time a saleman tries to use urgency, cut them off and walk away. A saleman doesn't care if you get the deal over someone else, so they have no reason to let you know that. The only reason they try to create urgency is because there isn't another certain buyer/renter/rube, and *they* feel the urgency. Urgency as part of a hard-sell works, but it should always be a red flag to walk away even if the business is legit because it's proof that the salesman is willing to lie to make the sale, so you can't trust anything else they say.
  • by PPH ( 736903 ) on Friday February 07, 2020 @03:49PM (#59702666)

    A red flag right there. Unless it was a cardboard box in an alley.

  • I'm not sure I would call this scam "phishing" when it was initiated by YOU reaching out.
  • The clincher (Score:5, Interesting)

    by Solandri ( 704621 ) on Friday February 07, 2020 @03:53PM (#59702684)
    If you don't want to read the whole thing, the way the scammers got your info was with a fake Airbnb site. When he asked for a link, he got one which showed:

    https://airbnb.com/rooms-83710948/town/location/...

    but actually directed to:

    https://airbnb.com.rooms-83710948.town/location/...

    This highlights two massive fails with decisions about how the Internet should operate.

    • The addition of new Top Level Domains (in addition to .com, .net, .org, and the various country domains) is a veritable treasure trove for phishers. It's now much easier for them to create a fake site on a URL which looks like a legit URL. In this case, using the .town TLD allowed the phisher to create a hard-to-spot lookalike URL.
    • The decision to make URL domain names little endian instead of big endian. USENET was created as big endian. The top level of the hierarchy came first, followed by lower levels. So for example you had a newsgroup named rec.arts.startrek. A recreation category, an arts subcategory, and the within it the startrek discussion newsgroup.

    If domain name URLs had been made big endian, then the above link would've been:

    https://com.airbnb/rooms-83710948/town/location/...

    • Any phisher would be forced to register their phishing domain in the same TLD as the site they were trying to spoof. In this case .com. So you could protect .com domains from phishing simply by heightened policing of the .com domain. Other less "trustworthy" TLDs would always be the first thing in the URL, so people could automatically be cautious upon seeing them.
    • com.airbnb would be owned by Airbnb. Anything coming after is totally under their control. So for example, com.airbnb.rooms would be a subdomain of com.airbnb, and thus automatically under the control of Airbnb. The best a phisher could do is register a new domain which started with "airbnb". So something like .com.airbnbrentals. But these type of fakes are much easier to spot.
    • Re:The clincher (Score:4, Insightful)

      by fintux ( 798480 ) on Friday February 07, 2020 @04:31PM (#59702832)

      However, if the policing would not be stricter, one could still have for example:

      https://com.airbnb-rooms-8710948/town/location/...

      And in this case, the difference to the original link is now only one character, and not two. If the new TLDs ever catch on, each of them would need to be stricter. But I think Firefox does one thing to help with detecting scams: it shows the domain and TLD in a highlight. In this case, Firefox would have sown "rooms-83710948.town" in highlight (Chrome, for example, would highlight the whole airbnb.com.rooms-83710948.town, and with a more subtle contrast, which can on a quick glance look like only the "airbnb.com" part was highlighted).

    • the most important fail is the mail agent (gmail in this case) which allowed this substitution. Slashdot got this right by showing the domain name next to every link. Anyways, replacing URLs by text which look like an URL should be pretty easy to block.

      Still, when trying to log on to the fake airbnb site, it should also fail or at least not show your name and picture.

    • You make a good point (in my opinion). Maybe we should modify web browsers to highlight in bold the final phrase of the URL, so ".com" would be bold normally but ".town" would be bold here. That little shift might compensate for the URL design and new TLDs.
    • by atisss ( 1661313 )

      Then slashdot would be https://org.slashdot/ [org.slashdot] which wouldn't make any sense. We would probably be reading alternate site https://org.dotslash/ [org.dotslash] which again looses part meaning

    • by Anonymous Coward

      The simple solution is to simply refuse to have anything to do with web-pages-over-smtp. Turn that crap OFF and use text/plain only.

      It is dead simple to spot the crap when you turn off the html ... the scams stand out like a sore thumb!

  • Reading this I was like, where's the actual phishing/scam!?

    Turns out they linked to airbnb.com.room-numbers.town while displaying an airbnb.com/rooms-numbers/town link in the email, which led to an interactive phishing page with booking possibility.

    So it comes back to that importance of double-checking URLs (and browsers ALWAYS exposing plain urls to users).

  • by AndyKron ( 937105 ) on Friday February 07, 2020 @04:05PM (#59702734)
    Hopefully you called the cops on these scammers Jeffrey.
  • If you are ready to send $4300 to someone you've never met, for an apartment you've never seen.
    No technological/Internet security knowledge is going to protect you if you don't get that.

    Anyways you probably would have been covered by the credit card company, which likely have the power to get back its money from the vendor. So I still don't see how this scam could end up working. Perhaps for a small amount (such as $10) people wouldn't care but for $4300 I would definitely call my credit card company.

  • by taustin ( 171655 ) on Friday February 07, 2020 @05:50PM (#59703064) Homepage Journal

    "Finally, using Airbnb as the phishing site was clever, because it gave the impression of a trusted middleman."

    Ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha.

    I need a good laugh.

  • Good to know that many of the comments are trolling, and not constructive for advice.
  • I didn't read anything about any actual scam.

  • by stikves ( 127823 ) on Friday February 07, 2020 @11:15PM (#59703944) Homepage

    Bay Area housing market is crazy. There is almost no delay between a house is listed, and is no longer available. They offer an open house for a weekend, and before the week starts the lease is already signed. I remember reading that area has 99% occupancy rate.

    On the other hand, in my last few moves, there were many craigslist listings with little information, and owners acting distant. One was very slow to respond to emails. Another did not give a phone number, or even address of the property, until they learned our info. So these things are normal.

    However
    - airbnb listing
    - being "out of town"
    - not giving the address / phone after initial email exchanges
    - not offering to see the house

    are really big red flags, even in this distorted Bay Area market.

    [ One hint I can give to fellow renters here: Set up craigslist alerts, and apply before anybody else. This seems to get best results so far. ]

  • 1. The email address ending in engineers-hibernia-chevron.ca is a *huge* red flag. I have never seen a legit corporate email address that looks like this - you might see something like first.last@engineering.hibernia.chevron.ca, but even that would be unusual.

    Why go to all that trouble? A gmail address would have been perfectly fine here and would not arouse suspicion.

    2. If you are going to the trouble of spoofing a well-known website, it helps to get the font right. People might not notice the extra serif

  • I liked the read. It's good to know how to detect scams like that. I also liked the hair of the author. He is really gorgeous [jeffreyladish.com]. Isn't he?

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...