Phishers are using scam emails that leverage the European Union's General Data Protection Regulation (GDPR) as a theme in an attempt to steal users' information, a security firm found. Researchers at managed threat detection solutions provider Redscan came across one such phishing message that appeared to originate from Airbnb. The scam email, which came from the fake domain "@mail.airbnb.work" as opposed to the legitimate "@airbnb.com," addressed the recipient as an Airbnb host and said they could not accept new bookings or send messages until they agreed to a new Privacy Policy that reflects changes introduced by GDPR. As quoted by ZDNet, the message read as follows:
This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies.
Fake Airbnb privacy email. (Source: Redscan)
When clicked, the link redirected recipients to a page that asked them to enter their account credentials, payment card details and other personal information. ZDNet confirmed that Airbnb is sending messages to hosts about GDPR but that it's simply asking them to agree to new Terms of Service. Those real messages did not ask hosts to submit their credentials. As a result, the community-driven hospitality company made clear that users who receive suspicious emails should submit them to its Trust and Safety team. Mark Nicholls, director of cyber security at Redscan, told ZDNet that web users are likely to see other types of attacks leveraging GDPR as a theme in the meantime:
As we get closer to the GDPR implementation deadline, I think we can expect to see a lot more of these types of phishing scams over the next few weeks, that's for sure. In the case of the Airbnb scam email, hackers were attempting to harvest credentials. Attack vectors do vary however and it's possible that other attacks may attempt to infect hosts with keyloggers or ransomware, for example.
To protect themselves against these types of attacks, users should familiarize themselves with some of the most common types of phishing attacks and implement steps to prevent a ransomware infection.
UPDATE 02/05/18: Following publication of this story, a public affairs manager for Airbnb reached out to this author with the request that the following statement be shared:
These emails are a brazen attempt at using our trusted brand to try and steal users' details, and have nothing to do with Airbnb. We'd encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on [email protected], who will fully investigate. We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites.
The statement went on to assure users that bad actors never had access to their details before sending out the messages. It also recommended that users could confirm the legitimacy of an Airbnb email by checking the sender's email address against this list of official aliases used by the company and by hovering over a URL to see if they would be redirected to a subdomain operated by Airbnb.com.
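The two checks the statement recommends, done in code rather than by eye, as an added example that is not part of the article or of Airbnb's own tooling. It assumes the official alias list reduces to the single domain airbnb.com, and the sender addresses and URLs it is run on are constructed, modelled on the article's "@mail.airbnb.work" versus "@airbnb.com".

```python
"""Sender-domain and link-host check matching the article's advice: an
Airbnb e-mail is genuine only if it comes from airbnb.com or a subdomain,
and its links point at a host operated under airbnb.com. Added example,
not Redscan's or Airbnb's code; all sample addresses/URLs are constructed."""
from urllib.parse import urlparse

LEGIT_DOMAIN = "airbnb.com"

def sender_domain(address: str) -> str:
    """Lowercased domain part of an address such as user@host."""
    if address.count("@") != 1:
        raise ValueError(f"malformed address: {address!r}")
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")

def url_host(url: str) -> str:
    """Lowercased hostname of a URL, scheme and port stripped."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no hostname in URL: {url!r}")
    return host.lower().rstrip(".")

def belongs_to(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True only if host is legit or a subdomain of it. Label-based, so
    'mail.airbnb.com' passes while 'mail.airbnb.work', 'airbnb.com.evil.example'
    and 'notairbnb.com' all fail (a bare substring test would pass some)."""
    return host == legit or host.endswith("." + legit)

def classify(host: str, legit: str = LEGIT_DOMAIN) -> str:
    """'legitimate', 'lookalike' (brand name reused under a domain the brand
    does not control, the @mail.airbnb.work pattern) or 'unrelated'."""
    if belongs_to(host, legit):
        return "legitimate"
    return "lookalike" if legit.split(".")[0] in host else "unrelated"

def triage(sender: str, links: list, legit: str = LEGIT_DOMAIN) -> dict:
    """Run both checks on one message; suspicious if the sender or any link
    falls outside the legitimate domain."""
    verdicts = {"sender": classify(sender_domain(sender), legit),
                "links": {u: classify(url_host(u), legit) for u in links}}
    verdicts["suspicious"] = verdicts["sender"] != "legitimate" or any(
        v != "legitimate" for v in verdicts["links"].values())
    return verdicts

if __name__ == "__main__":
    # Constructed sample: the scam-style sender beside a genuine-style one.
    print(triage("automated@mail.airbnb.work",
                 ["https://airbnb.com.policy-update.example/login"]))
    print(triage("automated@airbnb.com", ["https://www.airbnb.com/help"]))
```

Hovering over a link shows the same hostname that `url_host` extracts; the label-based comparison in `belongs_to` is what distinguishes a real airbnb.com subdomain from a domain that merely contains the brand name.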