Dissecting a near-perfect phishing case: renting an apartment

I was recently the target of a (fortunately unsuccessful) phishing attack. A few weeks ago I was browsing Craigslist and Zillow, looking for a home to rent in the San Francisco Bay Area.
I was attracted by the nice photos of one place and wanted to contact the landlord to learn more about it. Despite my experience as a security specialist, I did not realize that I was talking to scammers until the third email. Below I analyze the case in detail, with screenshots and the warning signs.

I am writing this to illustrate that a well-prepared phishing attack can look very convincing. Security professionals often recommend paying attention to grammar and typography to protect yourself from phishing: supposedly scammers have a poor command of the language and a careless attitude to visual design. In some cases that really works, but it did not help in my case. The most sophisticated scammers write in good English and create the illusion of following every written and unwritten rule, so that everything matches the victim's expectations.

The first emails: nothing to worry about, on the face of it

The Craigslist listing said that interested parties should call. However, the phone number itself was not there. I assumed this was an oversight, since many listings do the same. So I decided to write to the landlord, ask him for his number, and give him mine.

In response, he wrote that I could contact him by email: davidgrinde@engineers-hibernia-chevron.ca. You might think that this should have seemed strange to me. However, searching for housing on such sites often involves some kind of trouble with phone numbers, mailboxes and odd workarounds. So I simply wrote to this address and received this answer:


The landlord asks quite typical questions: "When are you planning to move in?", "How many people will live with you?", "What is your annual income?"

Even then I did not realize I was talking to scammers

The landlord said that he was often away from home for long periods, and that he would now be away for two whole years. That seemed a little strange to me, but everyone has their own circumstances, you never know. Besides, many landlords I spoke to said the same thing. And the questions in the email seemed quite appropriate. So I continued the conversation and answered them.

Then I received this letter:


"I don't have mobile service here, I only have access to my work computer. We will continue to communicate by email if this is OK for you."
"3 people want to see the place. I don't have time to meet each of you. I will give you a link … there you can reserve it for yourself (prepayment of 1 month's rent, plus a refundable deposit). If you've never used Airbnb before, it's easy enough …"

The alarm bells started here. After receiving this email, I was already 80-90 percent sure that these were scammers.

The first alarm bell: "I don't have mobile service here, I only have access to my work computer. We will continue to communicate by email if this is OK for you." The second was the strange appearance of Airbnb in our conversation.

Why did they want me to pay through Airbnb?

The third bell was the excessive number of photos confirming that this was a real person. If the person is not fake, why try so hard to convince me of it?
However, Airbnb really baffled me. By then I strongly suspected that I was communicating with scammers, but I was still not sure. I realized that their fraud would not work if I made a reservation through Airbnb itself: Airbnb has a well-established dispute resolution process, and I could quickly prove my case and get the money back.

I showed the listing to a friend and he stated that this was not a scam. We should have bet on it, because in the end I was right. But at the time I decided to check whether this was a fraud or not, so I went ahead and asked for the Airbnb link.

They asked me to wait. Wait for what? And for some reason they advised me to find their listing on Airbnb myself. That was also rather strange, and I did not see any sense in it. If they were trying to fool me, asking me to book their accommodation on Airbnb was pointless.
But wait … I could not find it on Airbnb. So I asked for the link again …

They sent it. It looked real and had the domain airbnb.com. But since this was not my first hunt for phishing scammers, I checked the link's real destination in the source of the email (the URL the link actually points to, not the text it displays). As they say, spot the difference:

Q.E.D!

And there it is: a phishing link. Let's take a look.

This screenshot was taken a few days after my initial investigation, and even then Chrome had not yet flagged this URL as dangerous. The phishing site is just perfect: it is interactive and looks convincing. So I can easily imagine people falling for it if they do not question where the URL actually leads.

Excellent fake reviews: 5/5. Keep phishing, you're doing fine!
I did not try the Request to Book button, but I am sure it would have led me to a phishing page where my card details would have been successfully stolen. Thanks, maybe another time.

Why am I so impressed?

The scam team, and I am sure it was a team, did a great job with a high level of detail. Their English is perfect, their emails look professional, and their phishing site looks like Airbnb. The domain engineers-hibernia-chevron.ca is configured to redirect to hibernia.ca, which inspires confidence in anyone who tries to verify the domain.

I am even more impressed by their subtle psychological tricks. At each stage of the interaction they left one thing unclear, which I had to clarify with them in order to move closer to my goal. It is much easier to sense that something is wrong when you are the one being asked questions. When you are the one asking, it becomes much harder to keep asking about the things that seem strange to you, because you have already asked enough and feel as if you are taking up busy people's time.

First, their listing had no phone number, so I was forced to ask for it. Then they directed me to Airbnb and I asked for a link. The first time they did not give it, so again I was forced to ask. All of this was planned in advance.

During the conversation they also mentioned that other people were interested in the place, which created a plausible feeling that I had limited time to make a decision. Finally, using Airbnb as the phishing site was clever, because it looked like a trusted intermediary. At first I was genuinely confused because I could not see how they planned to steal my data. If they had simply asked for bank or credit card details at the initial stage of the conversation, the scam would have been easy to detect and expose.

How to protect yourself from this? Some tips

When chatting with strangers online, always check where their links really lead! Usually simply clicking a link is not harmful, but in some cases it is enough. I was not 100% sure this was a phishing scam until I looked up the real destination of the fake Airbnb URL.

Be aware that sender email addresses can be forged and that the displayed name may not match the actual domain. Just because you received an email from researchations@fbi.gov does not mean that the FBI sent it.
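The two checks above can be automated on the raw message. The script below is an added example written for this post, not code from the original article: it parses a constructed sample email (the scam-style hostnames use the reserved `.invalid` TLD, and all function names are my own), lists every link whose visible text names one domain while the `href` points to another, and reports the sender's actual address domain rather than the free-text display name. It goes slightly beyond the post by handling the look-alike subdomain trick (`www.airbnb.com.<other-domain>`), which a naive "does the URL contain airbnb.com" check would miss.

```python
"""Spot e-mail links whose visible text names one site while the real href
points elsewhere, and extract the sender's actual address domain.
Added example for this post; the message below is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: the first link shows airbnb.com in its text, but its
# href leads to a look-alike subdomain under a different registrable domain.
SAMPLE_EML = """\
From: "Airbnb Reservations" <host@engineers-placeholder.invalid>
To: tenant@example.com
Subject: Reserve the apartment
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Book here: <a href="https://www.airbnb.com.reserve-listing.invalid/rooms/48213">https://www.airbnb.com/rooms/48213</a></p>
<p>Help centre: <a href="https://www.airbnb.com/help">https://www.airbnb.com/help</a></p>
<p><a href="https://www.airbnb.com/help">contact support</a></p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Approximation: a real tool would consult the
    Public Suffix List so that example.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> Optional[str]:
    """Hostname named by link text that is a URL or bare domain; None when the
    text is ordinary words such as 'contact support'."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text  # accept bare 'airbnb.com/rooms/1' style text
    try:
        host = urlparse(text).hostname
    except ValueError:
        return None
    if host and re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        return host
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def find_mismatched_links(html: str) -> List[Tuple[str, str]]:
    """(visible text, real href) pairs whose registrable domains differ."""
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        shown = host_of(text)
        real = urlparse(href).hostname
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            suspicious.append((text.strip(), href))
    return suspicious


def analyze(raw_eml: str) -> Dict[str, object]:
    """Report the sender's real address domain (the display name is free text
    and proves nothing) and any text/href mismatches in the HTML body.
    Even the address domain can be forged; SPF/DKIM/DMARC results are what
    actually vouch for it."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    display_name, address = parseaddr(str(msg["From"]))
    return {
        "sender_display_name": display_name,
        "sender_domain": address.rsplit("@", 1)[-1].lower(),
        "mismatched_links": find_mismatched_links(html),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run against the sample, it flags only the first link: its text names `airbnb.com`, but the `href` belongs to `reserve-listing.invalid`. The second link is consistent and the third has plain-word text, so neither is reported. The sender domain comes out as `engineers-placeholder.invalid` regardless of the friendly display name, which is the value you should actually be verifying.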

Look for signs that someone is leading you by the nose. Are they trying hard to convince you that you are talking to a real person? Are they trying to make you act quickly?

Use several channels to verify the other party's identity. The first alarm bell was that the fraudster could supposedly communicate only by email. If someone can only deal with you remotely, arrange a video call, and look up and compare their LinkedIn, Facebook and other accounts.

I hope you enjoyed the analysis.
