Hackers leveraging GDPR urgency to phish Airbnb users
4 May 2018
With GDPR, the European Union’s most comprehensive privacy legislation, just twenty days away, businesses are rushing to ensure that they have “clear and precise” consent from customers to store and process their data.
The repermissioning campaign started slowly, but because non-compliance could result in huge fines as well as loss of reputation, businesses are now showing greater urgency in obtaining consent from their customers. According to a study carried out by Databoxer, close to 50% of all customers in the UK had been contacted by brands by the end of March, asking for consent to keep sending marketing material.
Phishing emails masquerading as consent forms
Sensing an opportunity, cyber criminals have found a novel way to lure customers into sharing their credit card details and passwords. They are contacting people with phishing emails that masquerade as well-known businesses, asking recipients to click on links in the emails and enter their personal information. These emails are designed to make recipients believe that they contain information about new privacy changes ahead of GDPR.
Researchers at threat intelligence firm Redscan, who discovered the scam, first noticed it when they came across phishing emails from fraudsters posing as Airbnb’s customer support. These emails asked recipients to click on certain links and update their personal information so that they could continue using Airbnb’s services.
“The irony won’t be lost on anyone that cyber criminals are exploiting the arrival of new data protection regulations to steal people’s data. Using current events and trends as bait for social engineering attacks is a common tactic,” said Mark Nicholls, director of cyber security at Redscan.
“Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that’s clicking a link or divulging personal data. It’s a textbook phishing campaign in terms of opportunistic timing and having a believable call to action.
“Modern phishing campaigns are becoming increasingly difficult to spot and people need to be extra vigilant when opening emails and clicking links, since it’s important to ensure they originate from a trusted source,” he added.
Airbnb is aware of such phishing emails and has asked customers to contact it if they receive suspicious-looking emails from people claiming to be from Airbnb’s customer support team. “We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites,” it said.
Since Airbnb is also sending genuine GDPR-related emails to customers, customers need to be alert to the difference between a phishing email and a real one. According to Airbnb, the emails it sends do not require customers to enter any personal information in order to continue using the company’s services.
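As an added illustration (not part of the original article or of Airbnb's own tooling), the Python heuristic below encodes the distinction the article draws: a genuine notice links only to the brand's own domain and asks for nothing, while the lure combines a GDPR/“continue using the service” pretext with a request for passwords or card details behind links on an unrelated domain. Both sample messages are constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "airbnb.com"  # legitimate domain the lure impersonates
URGENCY = ("gdpr", "privacy", "update your", "continue using", "verify")
DATA_REQUEST = ("password", "credit card", "card number", "personal information")

class LinkExtractor(HTMLParser):
    """Collect every href in the HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_brand_host(host):
    host = (host or "").lower()
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def score_message(raw):
    """Return a list of reasons the message looks like the GDPR lure (empty = clean)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = body.lower()
    parser = LinkExtractor()
    parser.feed(body)
    reasons = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender = m.group(1).lower() if m else ""
    if not is_brand_host(sender):
        reasons.append(f"sender domain {sender!r} is not {BRAND_DOMAIN}")
    foreign = [h for h in parser.hrefs if not is_brand_host(urlparse(h).hostname)]
    if foreign:
        reasons.append(f"links leave the brand domain: {foreign}")
    if any(k in text for k in URGENCY) and any(k in text for k in DATA_REQUEST):
        reasons.append("GDPR/urgency pretext combined with a request for personal data")
    return reasons

# Constructed samples: a lookalike lure and a benign policy notice.
PHISH = """From: Airbnb Support <support@airbnb-privacy-update.example>
Subject: Action required: GDPR privacy changes
Content-Type: text/html

<p>To continue using Airbnb after GDPR, update your personal information,
including your password and credit card,
<a href="http://airbnb-privacy-update.example/verify">here</a>.</p>
"""
GENUINE = """From: Airbnb <no-reply@airbnb.com>
Subject: Our updated privacy policy
Content-Type: text/html

<p>We have updated our privacy policy ahead of GDPR. No action is needed;
read it at <a href="https://www.airbnb.com/terms/privacy_policy">airbnb.com</a>.</p>
"""
```

Run `score_message(PHISH)` and `score_message(GENUINE)` to see the three flags raised on the lure and none on the notice.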
Commenting on the new phishing campaign that exploits the incoming GDPR, Tim Helming, director of product management at DomainTools, said that cyber criminals are just as attentive as the rest of us and are taking advantage of the fact that brands are contacting customers to inform them about best practices ahead of GDPR.
“Phishers thrive on a lack of caution from their targets, so masking a scam as part of a legitimate flurry of emails comes as no surprise. Users who receive a GDPR email should be aware that personal details or credit card information should not be handed over, in any scenario, as part of an organization moving towards a GDPR compliant policy,” he added.
Paul Edon, technical director at Tripwire, said: “Hackers are getting better at creating ways to trick users, and this attack on Airbnb customers is evidence of that. Phishing campaigns are extremely popular and aim to dupe people into giving away personal and financial information, which is why individuals should be vigilant about the links and attachments sent to them.
“Malicious cyber criminals are preying on human naivety which is why these attacks continue to be used. Granted, it is becoming difficult to track malicious attackers as they are getting better at mimicking valid content from reputable organisations. The best way people can help avoid future attacks is by educating themselves about the risks and consequences of clicking unknown links and attachments.
“Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links. Always open your own web browser and log in to your account on the official website. If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance,” he added.