Phishing campaign aimed at Airbnb users leverages GDPR as a bait

Cybercriminals are targeting Airbnb users with phishing emails that urge the compliance with the new privacy regulation General Data Protection Regulation (GDPR).

The upcoming General Data Protection Regulation (GDPR) privacy laws threaten with severe penalties to demand personal information from Airbnb users. The interest on the subject is very high among professionals and companies operating in various industries, it’s normal that crooks will try to take advantage of this situation.

Airbnb, like many other companies, is sending emails to inform users of changes in the privacy law according to the upcoming GDPR.

Cybercriminals are targeting Airbnb users demanding personal information and financial data referencing the GDPR.

Experts from Redscan are monitoring a spam campaign targeting Airbnb users with spam messages like the following one:

“This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States-based companies, like Airbnb in order to protect European citizens and companies,” reads the spam message according to the Redscan.

The extent of the campaign is still unclear, crooks are targeting businesses’ email addresses taken online.

The phishing messages pretend to be a GDPR information request sent by Airbnb to hosts of the service.

“The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data,” Skynews cited Redscan Director of Cybersecurity Mark Nicholls Nicholls as saying.

The phishing emails use a simple as effective social engineering trick, the message informs hosts they can’t accept new bookings or contact potential guests until they accept their organizations are not compliance to the GDPR.

Malicious email uses a domain that could appear as legitimate, according to Redscan, in this campaign, hackers rather than the legitimate @airbnb.com domain used the @mail.airbnb.work domain.

If the victims click the malicious link embedded in the email, they redirected to phishing page designed to request victims both personal and financial information.

“Modern phishing campaigns are becoming increasingly difficult to spot and people need to be extra vigilant when opening emails and clicking links, since it’s important to ensure they originate from a trusted source.” said Mark Nicholls, Redscan’s director of cybersecurity.

It is important to highlight, that GDPR notifications sent by companies to its customers don’t ask for users’ credentials, so be careful and stay vigilant.

Update May 08 2018

“These emails are a brazen attempt at using our trusted brand to try and steal users’ details and have nothing to do with Airbnb. We’d encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com , who will fully investigate. We provide useful information on how to spot a fake email on our help center and work closely with external partners to report and help remove fake Airbnb websites.” reads the Airbnb Spokesperson.

Top Tips to Spot a Real Airbnb Email:

Always check the sender’s email address. It may be made to look like Airbnb.com, but isn’t. A full list of official email aliases can be found here.If you do click a link in the email, check the website address you are directed to. If it’s not Airbnb.com, it’s likely to be a copycat website. You can always enter https://www.airbnb.com i nto your browser to access our website.

We provide important information or actions for users in the Airbnb dashboard — which is located in Your Account.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – GDPR, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.