Be aware of phishing at airbnb
220 points by jalapl on July 21, 2014 | 73 comments
Having heard good opinions about Airbnb, I recommended it to my girlfriend, who was looking for holiday accommodation in Spain. I personally have never used Airbnb before, but having had good experiences with both 9flats and booking.com so far, I did not expect anything bad could actually happen. Airbnb claims they verify all of their hosts, as the other similar websites do, so booking a home should be as easy as possible.

After she had chosen a perfect home near Barcelona, she started a conversation with the host. For users' convenience, Airbnb provides the possibility of answering messages sent from their website directly via email. It indeed makes the whole conversation easier (you do not need to log in every time you want to answer a message); however, it increases the chance of fraudulent bookings.

The host was indeed sending his answers via Airbnb until he sent the last one, which included the booking details (usual emails from airbnb are sent from express@airbnb.com; his email was from express@e-airbnb.com). The provided URL was also redirecting to e-airbnb.com instead of airbnb.com. The website looked exactly like airbnb's and included all the booking and payment details. All the other links available on this fraudulent website were redirecting to the real airbnb website.

Unfortunately, she made the payment via MoneyGram (as described in the payment details), and since then there has been no contact with the host.

Airbnb has also been informed about this issue. As they guarantee hosts' verification, I would expect them to be more interested in this case. Sadly, it took them 2 days to apologise, and it seems like they do not take any responsibility for their hosts...

Hopefully, thanks to this post, at least one person will save his money while booking on airbnb. We have lost almost 2k euro...



Also watch out for a bait and switch on Airbnb. I'm actually sitting in a nice apt now from airbnb, so I am happy with it. But there is another host who is trying to get me for an $1800 cleaning fee. What happens is you book a room in advance for a month. Then the host waits until 12 hours before the point of no cancellation to say "it's not available, but there is another one for a lot less cost that is a lot worse." You say no before the cutoff window, but then he lowers the cost to bargain-basement levels. You accept. And he accepts by booking a different apartment under the haggling text message agreement. Naturally you move to requisition the disagreement as he said he would. But he stalls until the last minute and unsweetens the deal until you cancel. Boom. He has your money and can point to the fine print and his strict cancellation policy that the trouble he went through to clean the room and get it "fixed up" justifies the $1800 charge for a room I didn't set foot in.

Moral of the story: if you don't get a prompt reply and if any changes occur after booking, stay away from that host. They are fishing for free money playing the rules of Airbnb.

Airbnb is supposedly going to get back to me about this disagreement, and there is a ticket to deal with it. But it's been 5 days after the event and I pinged them twice with email. My other option may be to contest the charge on my credit card. Scammers are everywhere that rules and large sums of money can be found. And many of those scammers will be right there alongside you jockeying for victimhood status.


Just call your bank and you'll get your money back immediately. The chargeback process is hugely biased in favor of the cardholder. You can even win the chargeback if you had stayed in the place and it was not as advertised. If you start filing a lot of chargebacks, though, you'll likely be flagged by the card network.


Just talk to Airbnb. They have really good customer support and if a host is doing anything fishy they will offer full refunds with an additional credit for a future booking.

I encountered a similar situation in Portland a couple weeks ago and Airbnb was great!


@everyone: Renting your place through airbnb is most probably illegal in Barcelona. Please double or triple-check any offers you get because you must be registered (and pay) if you want to rent your place to tourists [1] here.

@poster: Contact me (mynickname at la3 dot org) if you are running short on money because of the scam and need a place to stay for a few days. This is a couchsurfing style offer, not airbnb style.

[1] http://www.theguardian.com/technology/2014/jul/07/airbnb-fin...


Most of airbnb's listings in many of their most popular cities are done illegally. It's kind of the m.o. of airbnb. Take a look at Manhattan and do a search for 'whole apt'. Every single one of those is illegal unless the owner has a bed and breakfast license (the one or two that do will mention the fact that they do). When you run the numbers by searching the 'own room' and 'shared room', you realize that over 50% of airbnb's Manhattan listings are illegal. So, why would you trust a company that runs a mostly-illegal apartment rental service?


> why would you trust a company that runs a mostly-illegal apartment rental service?

Because the law hasn't caught up to reality yet.

Airbnb has made a significant positive difference in my own life. I would've been in a bad spot if not for the places I found via Airbnb. No idea whether the transactions were legal, but in the end I found a place to live and the host found a tenant. Win-win.

The problem is when people rent these places and then throw loud parties. The neighbors' rights are violated in that case. I don't know of a good solution, but I don't think it's worth sacrificing the entire platform due to that problem.

EDIT: It seems like if people here were given the option of either casting me out into the street or letting me rent an Airbnb apartment, some would honestly and truly choose the former.

In the part of America I was in, you can't get an apartment without proof of employment, unless you have more than $15k in the bank. (Something like a year or two worth of rent. I forget the exact amount.) I was between jobs at the time, and needed a place to stay to get another job. So, which illegal act would you have me do: Get a friend to say they were "employing" me as a consultant, or rent an apartment via Airbnb? Why would you be okay with the former, but not the latter? And if you're okay with neither, then what would you have me do?


> The problem is when people rent these places and then throw loud parties. The neighbors' rights are violated in that case. I don't know of a good solution, but I don't think it's worth sacrificing the entire platform due to that problem.

The thing that frustrates me is that there are pretty obvious solutions, actually:

1) AirBnB needs to provide a service where anyone can check to see if a building has any AirBnB units in it. Then they need to be able to file complaints about the unit.

2) AirBnB needs to require written permission from the landlord of the property.

1) seems completely feasible to implement for me, and I'm pissed they haven't yet. The only problem is once they have the complaint, they'd pretty much be required to notify the landlord which leads us to 2) which also seems feasible, but would obviously obliterate their market. Ultimately they've overextended themselves on that front, and either they will be successful lobbying change, or a company that figures out how to do what they are doing while making peace with landlords and the hotel lobby will come along.


1) strikes me as a ready-made weapon for hotels to harass AirBnBers.


Why would anyone want to harass AirBnBers?


Why do you think the two are mutually exclusive? You can easily have rented a room or a couch in an occupied apartment through craigslist, airbnb, etc. That's legal here in NYC and likely where you are.

What isn't legal (here in NYC and many other places) is having someone rent out a completely unlicensed, unregulated, uninspected room as a 'hotel', which is what airbnb is mostly for.

Funnily, airbnb's silly new commercials here in NYC only touch on the folks who rent out a room in their apartment. They don't mention the illegal full-apartment rentals that are the majority of their business at all.


> The problem is when people rent these places and then throw loud parties.

I don't know who cares about a party in a flat. Noisy parties existed before airbnb.

To me, the problem is that since there is no regulation, renting a flat for short periods allows one to make much more money than renting it for a long time at a reasonable price. It contributes to the shortage in the supply of flats to rent, the rise of rent prices and gentrification.


There tends to be a difference between the kinds of parties thrown by someone who is staying in a place for a weekend versus someone who has to face their neighbors days/weeks after said party.

Parties are one problem. I'd be more fearful of theft and destruction of property... and a general discomfort in having complete strangers coming and going from my building. That said, it seems extremely rare that an Airbnb guest would engage in the kind of behavior that would generate headlines.


Did you live in the streets before Airbnb came out?


No, but I was lucky that Airbnb existed when I needed it.


I was in a bad place until I discovered bank robbery. My life has been one big party ever since.

There's just a small matter that the law hasn't caught up to reality yet.


Yes because clearly bank-robbing is exactly the same as subletting.


Just to clarify, the naked e-airbnb request indeed redirects to the airbnb website. The URL generated by the cheater was the only one working fine.

It had the same layout as the whole airbnb website, and every URL available on that website was also redirecting to the real airbnb website... except the one with payment and booking details...


We just had a run-in with a scam for a place in Majorca on Airbnb. The place looked amazing and was reasonably priced for what it was, so I reverse image searched the pictures and it turns out they had lifted them from a resort in the Caribbean. The google maps view of the place lined up nicely with the other property, so they'd obviously put some time into choosing the right fake. Luckily we cancelled our booking within 15 mins. To their credit, airbnb have taken it down pretty quickly.


A couple of months ago I tried to book an apartment for a 4-day weekend in Ibiza, Spain, for this very weekend. I was booking a big apartment, a place that could accommodate 6 couples. After finding two reasonably priced places (+€5,000 stay), and placing the respective face-value offers, I got told by both hosts to increase the price. One of them even asked me what my budget was. Really?!

I immediately contacted Airbnb to tell them what had happened, they apologised. Not only is that practice misleading to users and other hosts in the area, but I'm pretty sure it is illegal. The stock offer in the Mediterranean is very poor at Airbnb.

We finally went for a hotel, where the price was the one advertised. I haven't lost faith in Airbnb's business model, but unless they show they are out there catching fraudsters and other scam artists, I doubt I'll go back any time soon.


I've generally found AirBnB not to be useful in big vacation spots (Spanish coast or islands, the Caribbean, Mexican coast, etc.). There are a lot of scammy and mislabeled places, and even the legit places are for the most part just a regular commercial property that's listed itself on AirBnB along with everywhere else. So I stick to just using something like booking.com to find those places.

The unique aspect of AirBnB to me is when regular people who aren't in the professional hospitality business are renting out a spare room, or renting out their apartment when they're gone. But you rarely find those in places like Majorca; that's more for if you're visiting somewhere with a bigger population of actual residents, like Seattle or Athens.


For reverse image search, I often use tineye.com. What else is there and what did you use?


I used to use tineye, but google has enabled reverse image search, and being google it has far more results. Go to google images and click the camera button in the search box. It's really useful for detecting scams like this; I used it for an email flat scam in New Zealand too.


This works well:

firefox: https://addons.mozilla.org/en-US/firefox/addon/image-search-...

chromium: https://chrome.google.com/webstore/detail/image-search-optio...

It handles Tineye, Google, Yandex, Baidu, and others via right-click menu.


chrome > right click on image > search with google images


Whoa, how long has that been there?


Google Image Search supports it as well.


google has one


I was looking for apartments in Manhattan recently, and saw numerous listings like this, where the apartment looked considerably better than others in the area which were even more expensive. It doesn't look that realistic, though I can imagine if you hadn't worked out the price -> quality factor for the area you might be duped.

Agree that AirBNB is quite good at taking them down pretty fast, and I reported the ones I could see for being misleading.


Wait, I've stayed in several AirBnB places, and you always pay with credit card through the website, where they act as an escrow agent. Wouldn't a request to pay through any off-site means be a massive red flag?


Yes. Sounds like OP's girlfriend wanted to circumvent Airbnb's escrow service to (presumably) drop the associated fees.


Or maybe she hadn't used Airbnb before, and was just following the instructions that got emailed to her.


It's stated in the post he recommended it to her so she has probably never used the service before.



That sucks, but:

- It's not really Airbnb's fault - not much you can do about this aside from apologise and remove the listing (which I assume they did, or will at least investigate)

- You will get scammed if you use MoneyGram. It's the equivalent of sending an envelope full of banknotes. Don't do it!


One thing to keep in mind is the host/owner may have been entirely fake from the start, or they may be just another victim that got their account hijacked and then used to scam you. In other words, the host might be real and properly verified, but the scammer took their account.

You might want to make sure that your girlfriend changes the password on her own account, just in case she did a sign-in on the fake site.

Sorry to hear about your loss.


I've had similar phishing attempts on my Airbnb account. The service seems to be a target for it. A few tips:

Always check the URL before you log in to any site. Don't ever send money through unverified means (mail, western union, etc) for any transaction over the Internet. If you use Gmail, report phishing emails to them. Report phishing attempts to Airbnb.


The payment is done through the Airbnb site, not MoneyGram.

Seems like a scam that's avoidable.

EDIT: Yes, I believe some people still get caught by it. Looking at the AirBnb site, they should make this information more prominent.

This is very hidden: https://www.airbnb.ca/help/article/51


One of my friends was caught out by a similar scam last year. There is plenty of prior art for airbnb to look at when developing a safe platform for people to communicate through. At the very least they should disallow exchange of e-mail / non-airbnb websites via the platform communication channels.


> At the very least they should disallow exchange of e-mail / non-airbnb websites via the platform communication channels.

They do this, and it's a pain in the arse for regular users.

I've only just got back from a 2 week stay in Italy, and unfortunately one of the glasses broke in the dishwasher. I found the replacement online and, after apologising to the host, offered to replace the glass with an identical one at my inconvenience.

Damned if we could have that conversation about the replacement on AirBNB though. We were both unable to share links to shops from which the glasses are available. We eventually had to agree to take the conversation off of AirBNB so we could resolve it.

It's unsatisfactory though as this is the very type of conversation that both the host and myself want recorded through AirBNB so that if anything did go awry AirBNB would have an evidence trail.

Far better would be to do a URL forwarder in the style of Twitter's t.co and to monitor all outbound URLs and allow AirBNB to block domains and phishing sites centrally from each and every message sent (into the future too), whilst allowing all legitimate conversation and link sharing to occur.

This would even allow AirBNB to inform customers who visit URLs that are suspected of phishing, and detect accounts sharing such links much sooner.


The block on URLs is actually there to prevent prospective guests and hosts from just arranging an informal booking off site and cutting AirBNB out of the picture. It's the same reason you can't send phone numbers or email addresses in chat messages until after they pay.


OK.

So after we pay... it would be good if we could actually converse fully and share links.

The host also said that she had sent me a link to a web page with house rules that describes where recycling and garbage goes, etc. I never received this, and I presume she had just put the link in a message, hit send, and AirBNB removed the link and nothing else happened.

Once we pay, the conversation should be unrestricted.


I don't understand how this scam was realised then. They must've managed to get access to the applicant's true email address somehow?


My comment wasn't a scam, just frustration at overly strict policies inconveniencing the vast majority of good users.

And it's not hard to get someone's real email once you have a few clues. Such as their profile image/avatar... just hit tineye.com or Google Image Search, and find out the sources, look at profile info on LinkedIn or Facebook, look at other web links... find almost anything (CV, blog, custom domain, Twitter, HN profiles) and you'll get to the email address very quickly.

The time between start and end of that is minutes.


@Poster and @Everyone: I just returned on July 1st from traveling through 8 different countries over a month's span, and AirBnB'd the whole trip. A fellow traveler also experienced the same tragic incident in Berlin. He came to the conclusion that he was logged in to the website via safari on an insecure network and was redirected to the fake site. It's a serious bummer but there was nothing he could do. The best and most secure way to use AirBnB is through their mobile app, not by logging into their "site" on an insecure WiFi network. Search through hosts and seriously read their reviews. I contacted everyone beforehand and would not book unless I received a response.

@everyone: I returned from Barcelona three weeks ago. I rented a very nice apartment in the heart of the Gothic Quarter using AirBnB. As far as AirBnB being illegal, I don't think that is correct. I have many friends who have studied abroad and when they would leave Spain to go travel they would throw their apartment on AirBnB to make a couple bucks. Like with traveling anywhere, just be careful.


Does the AirBnB mobile app do certificate pinning? Will it error out on an SSL MITM attack?


The odds that some random WiFi was doing SSL MITM attacks to facilitate the type of scam mentioned in the original thread is near zero.

It is much much more likely it was another case of nearly identical domain name that the scammer owned and the person never noticed.


Interesting - e-airbnb.com now redirects to airbnb.com. whois records still list Australian ownership/Russian name servers though.


Naked requests do redirect but clicked links from their phishing emails probably stay on the phishing site.


That's pretty clever.


This kind of thing isn't unique to Airbnb. I believe any online marketplace (eg eBay etc), has similar problems.

My usual approach is to keep as much communication on the platform as possible, including the payment process. Anyone who tries to communicate off the platform (eg send money via another method) immediately warrants more scrutiny.

In this case, there are probably things Airbnb can do to help users and reduce the likelihood - for example I don't see the host's email address until I've paid (via the site).


Keeping the communication on AirBNB doesn't really help. I've had hosts who admitted that they listed a fake address with fake names via AirBNB's messages, but AirBNB doesn't care.


I'm sure they care and do their best to rid these posts, but every single marketplace has this issue -- airbnb is just the hotspot now because they can get big bucks relative to ebay


Payment via Moneygram is the biggest red flag here. If you've ever used craigslist you know they warn you, and there are tons of scams that use Western Union/Moneygram.

If you pay with a credit card through airbnb, you have several layers of protection: you could appeal to airbnb, and you could also dispute/issue a chargeback through your credit card company.


More importantly, never use MoneyGram (or Western Union or cash) for non-face-to-face transactions.


Perhaps Gmail et al could have something a bit more pro-active to detect this kind of bait and switch, so if an address has been used a number of times, then a small variation on that address is seen, then steps are taken to warn the user.


A lot of people have emails on multiple domains that often forward to each other; I feel doing this is going to cause a lot of false positives.


I would prefer mail providers not snooping into my mail, thank you very much.


There's already sophisticated software running that scans your email for spam, I imagine this would be another (complex) rule.
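
Added example (editor's illustration, not part of any comment in this thread and not a description of how Gmail or any mail provider works): a Python sketch of the check proposed above, which flags a sender whose domain is a small variation on one the mailbox has already seen several times. `SenderHistory`, its thresholds and the `aliases` allowlist (for the forwarding-domain false positives raised in the reply) are hypothetical; apart from the two airbnb addresses quoted in the original post, all sample addresses are constructed.

```python
import re
from collections import Counter

def levenshtein(a, b):
    """Edit distance between two strings (dynamic programming, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

class SenderHistory:
    """Hypothetical per-mailbox record of sender domains (an assumption of
    this sketch, not a real mail-provider API)."""

    def __init__(self, min_seen=3, max_distance=2, aliases=()):
        self.seen = Counter()
        self.min_seen = min_seen          # mails needed before a domain counts as established
        self.max_distance = max_distance  # edit distance treated as a "small variation"
        self.aliases = {a.lower() for a in aliases}  # user-confirmed alternate domains

    def record(self, address):
        self.seen[domain_of(address)] += 1

    def check(self, address):
        """Return (verdict, established domain it resembles or None)."""
        dom = domain_of(address)
        if dom in self.seen or dom in self.aliases:
            return ("known", None)
        tokens = re.split(r"[-.]", dom)
        for known, count in self.seen.items():
            if count < self.min_seen:
                continue
            if dom.endswith("." + known):  # subdomain of an established sender
                return ("known", None)
            # Naive brand label: second-to-last DNS label (no public suffix list).
            label = known.split(".")[-2] if "." in known else known
            if levenshtein(dom, known) <= self.max_distance:
                return ("lookalike", known)
            if len(label) >= 4 and label in tokens:  # brand reused as a whole token
                return ("lookalike", known)
        return ("unknown", None)

def build_sample_history(aliases=()):
    """Constructed mailbox history; only the airbnb address comes from the thread."""
    h = SenderHistory(aliases=aliases)
    for _ in range(3):
        h.record("express@airbnb.com")
        h.record("me@jdoe.example")
    h.record("friend@example.org")
    return h

if __name__ == "__main__":
    h = build_sample_history()
    for sender in ("express@airbnb.com", "express@e-airbnb.com",
                   "billing@airbnb-payments.example", "me@j-doe.example",
                   "news@example.net"):
        print(sender, h.check(sender))
```

Without the allowlist, the constructed forwarding domain `j-doe.example` is flagged as a lookalike of `jdoe.example`, which is the false-positive case raised in the reply; passing it in `aliases` clears it.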


Uh, doesn't AirBnB enforce payment via Credit Card or PayPal?

Sorry to hear your story though.


Yep, but since the user was in the hands of the enemy and was unaware of that policy, they assumed that Moneygram was a blessed option since the website said it was.

This is a pretty sophisticated fraud attempt. Everything is totally legit until the last possible moment and human nature makes the last bit much less suspicious than it would otherwise be. ("Apropos of nothing, would you wire $4k to an anonymous stranger in a foreign country?")

Many, many, many users will fall for it.


Hosts usually do not get a person's email address until after they pay on airbnb.com. How did this scammer get the email prior?


Thanks for the heads up. I was actually considering using this service in a month or two when I wanted to go travelling


It's still a great service, and you should still consider it. Just make sure to read up on how it works and always pay through AirBNB directly, not an outside site.


If you pay through Airbnb, I think they are responsible for any such frauds.


I have seen earlier where the pictures did not match the actual site. Otherwise used for NYC and works well


I always check the comments of previous guests and so far everything was good.


Sorry to hear about it. Thank you for letting us know.


Curiosity killed the cat, I just tried "www.e-airbnb.com" and surprisingly it redirects to "www.airbnb.com"

Seems it is not a fraud website, why?


This is frequently implemented to add legitimacy to a domain – you can clearly see how it has been effective on you, and I assume you've got some technical competence!


The whois information looks clearly fishy: https://who.is/whois/e-airbnb.com

    Registrar WHOIS Server: whois.publicdomainregistry.com
    ...
    Creation Date: 21-Mar-2014
    ...
    Registrant Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
    Registrant Street: C/O ID#10760, PO Box 16
    Note - Visit PrivacyProtect.org to contact the domain owner/operator
    Note - Visit PrivacyProtect.org to contact the domain owner/operator


They just fooled you as well. I'd definitely have the main URL redirect to where people thought they should go, then have internal pages contain the fraudulent payment gateway.


Redirecting from one domain to another can be done without being affiliated with the target domain.


So what happened with using some common sense and due diligence? If you're not an adventure seeker choose the host with lots of reviews. If the rate for the property compared with other listings is too good to be true then it's a scam.



