We analyze the perfect case of phishing when renting an apartment

I recently became the victim of a (luckily unsuccessful) phishing attack. A few weeks ago, I was browsing Craigslist and Zillow: I wanted to rent a place in the San Francisco Bay Area.
Nice photos of one place caught my attention, and I wanted to contact the landlord and find out more about it. Despite my experience as a security professional, I didn't realize I was being contacted by scammers until the third email! Below I describe the case in detail, along with screenshots and the warning signs.

I am writing this to illustrate that well-prepared phishing attacks can be very convincing. Security professionals often recommend paying attention to grammar and formatting to protect against phishing: supposedly, scammers have a poor command of the language and a careless attitude to visual design. That does work in some cases, but it didn't work in mine. The most sophisticated scammers write in good language and create the illusion of complying with all the written and unwritten rules, meeting the expectations the victim attaches to them.


First emails: nothing to worry about

The Craigslist ad said that all interested parties should call. However, the phone number itself was not there. I assumed this was an oversight, since many ads have the same flaw. So I decided to write to the landlord, ask for his number and give him mine.

In response, he wrote that I could contact him by email: [email protected]. You might think this should already have seemed strange to me. However, searching for housing on such resources often involves some kind of trouble with phone numbers, mailboxes and odd workarounds. So I just wrote to that address and got this response:

The landlord asks quite typical questions: “When do you plan to move in?”, “How many people will live with you?”, “What is your annual income?”

Even then I didn't realize I was talking to scammers

The landlord said that he was often away from home for long periods, and that he would now be away for two whole years. That seemed a little strange to me, but everyone has their own circumstances, you never know. Moreover, many landlords I had spoken to said the same thing. And the questions in the letter seemed quite appropriate. So I continued the conversation and answered them.

Then I received this email:

“I don't have a mobile connection here, I only have access to my work computer. We will continue to communicate via email if that's ok for you.”
“Housing wants to see 3 people. I don't have time to meet each of you. I'll give you a link... there you can book your place (prepayment for 1 month's rent plus a refundable deposit). If you haven't used Airbnb before, it's easy enough…”

The alarm bells started here. After receiving this letter, I was already 80-90 percent sure that these were scammers.

The first wake-up call: “I don't have a mobile connection here, I only have access to my work computer. We will continue to communicate via email if that is ok for you.” The second is the strange appearance of Airbnb in our conversation.

Why did they want me to pay through Airbnb?

The third warning sign was the excessive number of photos confirming that this was a real person. But if the person is not fake, why try so hard to convince me of it?
However, Airbnb really confused me. By this point I strongly suspected I was communicating with scammers, but I still wasn't sure. I knew their scam wouldn't work if I booked through Airbnb: Airbnb has a well-established dispute resolution process, and I could quickly prove my case and get my money back.

I showed the ad to a friend and he said it was not a scam. We should have made a bet, because I turned out to be right. But at that point I decided to check whether it was a scam or not, so I asked for the Airbnb link anyway.


They asked me to wait. Wait for what? And for some reason they advised me to find their ad on Airbnb on my own. This was also quite strange, and I did not see any point in it. If they were trying to scam me, then asking me to book their Airbnb was pointless.
But wait... I couldn't find it on Airbnb. So I asked for the link again...


They sent it. It looked like the real thing and showed the airbnb.com domain. But since this was not my first hunt for phishing scammers, I checked the real address of the link in the text version of the letter (the URL destination). As they say, spot the difference:


Q.E.D!

Confirmed: it is a phishing link. Let's take a look.


This screenshot was taken a few days after my first investigation, before Chrome flagged this URL as dangerous. The phishing site is just perfect! It is interactive and looks convincing. So I can easily imagine that anyone who does not question the origin of the URL could take the scammers' bait.


Great fake reviews: 5/5. Keep phishing, you're good at it!
I haven't tested the Request to Book button, but I'm sure it would lead to a phishing page where my card details would be successfully stolen. Thanks, maybe next time.

Why am I so impressed?

The team of scammers (and I'm sure it was a team) did a great job with a high level of detail. They have perfect English, their emails look professional, and their phishing site looks like Airbnb. Engineers-hibernia-chevron.ca redirects to hibernia.ca, which would reassure anyone who tried to check the domain.

I am even more impressed by their subtle psychological tricks. At each stage of the interaction, they left one point unclear that I had to clarify with them in order to move further towards my goal. It is much easier to sense that something is wrong when the questions are being asked of you. Once you are the one asking, it becomes much harder to keep asking about what seems strange: you have already asked enough, and it feels like you are taking up the time of busy people.

At first, their ad did not include a phone number, and I had to ask for one. Then they directed me to Airbnb, and I asked for a link. The first time they didn't give it, so I had to ask again. All of this was planned in advance.

During the conversation, they also mentioned that other people were interested in the property, maintaining a plausible sense that I had limited time to make a decision. Finally, using Airbnb as the phishing site was smart because it gave the impression of a trusted intermediary. At first I was genuinely confused because I couldn't figure out how they planned to steal my data. If they had simply asked for bank or credit card details at the initial stage of communication, their scam would have been easy to detect and expose.

How to protect yourself? A few tips

When chatting with strangers online, always check where their links really lead! Usually, simply following a link does no harm, but in some cases that alone is enough. I wasn't 100% sure it was a phishing scam until I exposed the fake Airbnb URL.

Please be aware that sender email addresses may be spoofed and domain names may not be what they appear to be. Receiving an email from [email protected] does not mean the FBI sent it.
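The check that exposed the fake link (comparing the visible link text with the real href in the email source) is easy to automate. The following script is an added example, not code from the original article: it parses the HTML part of an email, collects every anchor, and flags those whose displayed text names one domain while the href points at another. It also extracts the domain of the From address so it can be compared with whatever the sender claims to be. The sample message and all hostnames in it are constructed (`.invalid` placeholders), not indicators from the real scam.

```python
"""Flag HTML e-mail links whose visible text shows one domain while the
real href goes somewhere else. Added example; the message is constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link renders as an airbnb.com URL but its
# href points at a look-alike host; the second link is legitimate.
SAMPLE_EMAIL = """\
From: "John Landlord" <john@example-landlord.invalid>
To: tenant@example.invalid
Subject: Your booking link
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Book here: <a href="https://airbnb.com.rooms-example.invalid/rooms/123">https://www.airbnb.com/rooms/123</a></p>
<p>Help: <a href="https://www.airbnb.com/help">Airbnb Help Center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels. Simplification: a real tool would consult the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname if the visible text looks like a URL or bare
    domain (the case that misleads a reader); otherwise None."""
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def find_mismatches(raw_message):
    """Return (visible_text, href, reason) for anchors whose shown domain
    differs from the domain the href actually leads to."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            shown_host = host_of(text)
            if shown_host and registrable(shown_host) != registrable(href_host):
                reason = f"text shows {shown_host}, link goes to {href_host}"
                findings.append((text, href, reason))
    return findings


def from_address_domain(raw_message):
    """Domain of the actual From address, ignoring the display name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(msg["From"])
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


if __name__ == "__main__":
    print("From domain:", from_address_domain(SAMPLE_EMAIL))
    for text, href, reason in find_mismatches(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {text!r} -> {href} ({reason})")
```

Only anchors whose visible text itself looks like a URL or domain are compared; a link labelled "Airbnb Help Center" carries no domain claim, so it is left alone even though a brand-name check could be layered on top. The registrable-domain helper is deliberately naive, as the comment notes.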

Look for signs that someone is leading you by the nose. Are they trying hard to convince you that you are talking to a real person? Are they trying to get you to act faster?

Use several channels to verify the other party's identity. The first wake-up call was that the scammer could allegedly communicate only via email. If someone insists on dealing remotely, arrange a video call, and look up and compare their LinkedIn, Facebook and other accounts.

I hope you enjoyed the analysis.


Source: habr.com
