Phishing campaign aimed at Airbnb users leverages GDPR as a bait

Pierluigi Paganini May 05, 2018

Cybercriminals are targeting Airbnb users with phishing emails that urge them to comply with the new privacy regulation, the General Data Protection Regulation (GDPR).

Crooks are invoking the severe penalties threatened by the upcoming General Data Protection Regulation (GDPR) privacy law to demand personal information from Airbnb users. Interest in the subject is very high among professionals and companies operating in various industries, so it is no surprise that crooks try to take advantage of the situation.

Airbnb, like many other companies, is sending emails to inform users of changes to its privacy policy made for the upcoming GDPR.

Cybercriminals are targeting Airbnb users with demands for personal information and financial data that reference the GDPR.

Experts from Redscan are monitoring a spam campaign targeting Airbnb users with spam messages like the following one:

“This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States-based companies, like Airbnb in order to protect European citizens and companies,” reads the spam message, according to Redscan.


The extent of the campaign is still unclear; the crooks are targeting business email addresses harvested online.

The phishing messages pretend to be a GDPR information request sent by Airbnb to hosts of the service.

“The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data,” Sky News cited Redscan Director of Cybersecurity Mark Nicholls as saying.

The phishing emails use a simple but effective social engineering trick: the message informs hosts that they can’t accept new bookings or contact potential guests until they acknowledge that their organization is not compliant with the GDPR.

The malicious email uses a domain that could appear legitimate: according to Redscan, in this campaign the attackers used the @mail.airbnb.work domain rather than the legitimate @airbnb.com domain.

If victims click the malicious link embedded in the email, they are redirected to a phishing page designed to request both personal and financial information.

“Modern phishing campaigns are becoming increasingly difficult to spot and people need to be extra vigilant when opening emails and clicking links, since it’s important to ensure they originate from a trusted source,” said Mark Nicholls, Redscan’s director of cybersecurity.

It is important to highlight that GDPR notifications sent by companies to their customers don’t ask for users’ credentials, so be careful and stay vigilant.

Update May 08, 2018

“These emails are a brazen attempt at using our trusted brand to try and steal users’ details and have nothing to do with Airbnb. We’d encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on [email protected], who will fully investigate. We provide useful information on how to spot a fake email on our help center and work closely with external partners to report and help remove fake Airbnb websites,” reads a statement from an Airbnb spokesperson.

Top Tips to Spot a Real Airbnb Email:

Always check the sender’s email address. It may be made to look like Airbnb.com, but isn’t. A full list of official email aliases can be found here.

If you do click a link in the email, check the website address you are directed to. If it’s not Airbnb.com, it’s likely to be a copycat website. You can always enter https://www.airbnb.com into your browser to access our website.

We provide important information or actions for users in the Airbnb dashboard — which is located in Your Account.
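As an added illustration of the two checks in Airbnb’s tips above (example code written for this article, not Airbnb’s or Redscan’s), the following Python snippet flags any sender domain or link host that is not under airbnb.com; the mail.airbnb.work domain is the one reported in the campaign, while the sample message, display name and URL paths are constructed.

```python
"""Flag lookalike sender domains and link hosts in an email, as seen in the
mail.airbnb.work campaign. Constructed example; the sample message is made up."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# The only domain Airbnb's own tips say to trust; real subdomains of it are accepted.
LEGITIMATE_DOMAIN = "airbnb.com"

def is_legitimate_host(host: str) -> bool:
    """True only for airbnb.com itself or a genuine subdomain of it.
    Lookalikes such as 'mail.airbnb.work' or 'airbnb.com.evil.example' are rejected."""
    host = host.lower().rstrip(".")
    return host == LEGITIMATE_DOMAIN or host.endswith("." + LEGITIMATE_DOMAIN)

def sender_domain(from_header: str) -> str:
    """Extract the domain after '@' from a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def link_hosts(body: str) -> list:
    """Return the hostnames of all http(s) links found in a plain-text body."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return [urlparse(u).hostname or "" for u in urls]

def suspicious_hosts(raw_email: str) -> list:
    """Return every sender domain or link host that is not under airbnb.com."""
    msg = message_from_string(raw_email)
    candidates = [sender_domain(msg.get("From", ""))]
    candidates += link_hosts(msg.get_payload())
    return sorted({h for h in candidates if h and not is_legitimate_host(h)})

# Constructed sample resembling the campaign: the two domains come from the
# article, the display name, subject and paths are invented.
SAMPLE_EMAIL = """\
From: Airbnb <noreply@mail.airbnb.work>
Subject: Mandatory GDPR privacy update
Content-Type: text/plain

Accept the update at https://mail.airbnb.work/gdpr/accept
Help: https://www.airbnb.com/help
"""

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_EMAIL))  # ['mail.airbnb.work']
```

The helper is only a domain check; a legitimate-looking subdomain can still be abused by an attacker who controls it, so the sender’s authentication results (SPF/DKIM) remain the stronger signal.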


Pierluigi Paganini

(Security Affairs – GDPR, phishing)
