‘Land Lordz’ service fuels Airbnb scams – Krebs on safety
Scammers who make a living by scamming Airbnb.com customers have a powerful new tool at their disposal: a software-as-a-service offering called “Lord of the landswhich automates the creation and management of fake Airbnb websites and the sending of messages to advertise the fraudulent listings.
The good-for-nothing who created the account below paid $550 per month for a Land Lordz “basic plan” subscription at landlordz[.]site that helps him manage over 500 scam properties and interactions with up to 100 (soon to be scammed) “guests” looking to book the fake listings. Currently, this scammer only has four dozen listings, almost all of which are for properties in and around London UK.
Your typical victim will respond to an ad for an ad provided on Airbnb.com and be assured that they can pay through Airbnb, which offers buyer protection and refunds to unhappy customers. But when the person inquires about the ad, they are sent a link to a site that looks like Airbnb.com but is actually a phishing page.
In the case of these particular scammers, their fake page was “airbnb.longterm-airbnb[.]co[.]UK” (I added parentheses to prevent the link from being clickable). The site looks exactly like the real Airbnb, includes photos of the requested property, and directs visitors to login or create a new account. The fake site simply forwards all requests for that page to Airbnb.com and logs all usernames and passwords submitted through the site.
Here is a look at some of the properties that these scammers are renting out. All names and images on these listings have been removed from other legitimate listings.
The Land Lordz service includes several default positive feedback sets from past fake reviewers that can be used to populate the fake listings. The non-existent house and apartment rentals offered by these scammers are all sold at monthly rates, and the seller’s page states that buyers must pay a first month’s deposit before the date is locked.
The Land Lordz panel allows the scammer to keep track of all messages with potential victims, who are chained and informed that the residence reservation will be lifted unless a cash deposit is made within 72 hours . Here’s one from potential victim Shanon, March 28, 2019, to scammers.
Shanon: My partner wants to see the place before we send money like we did last time and someone ripped us off. I’m not saying you’re not legit because you sent documents with name details etc.
Scam: “Hello, The property is still available for your dates. The price is €250 + €500 security deposit. As a deposit needs to be added, a discount needs to be applied, please follow the airbnb link” (which leads to the fake Airbnb page).
Alex Holdeninformation security manager Hold Security LLC and the researcher who shared screenshots of this fraud panel, said that the scammers seem to advertise their fake ads mainly via Guma free classifieds service in the UK
People who lose money in these scams fail on two counts. First, they don’t notice they’re not on airbnb.com. More importantly, they end up wire money to secure the promise of a fake apartment or house in another country, and the thieves cut off all communications at that point.
Like they did with this poor guy, who paid $1,200 for a piece of paper that promised to hand over the keys to the apartment on a specific date:
This story of 2018 from the travel blog goatsontheroad.com tells the story of a couple who nearly got scammed by a Land Lordz type trap, before the woman finds out they are no longer on airbnb.com.
It’s important to note that these scams can target Airbnb users as well as other services, such as craigslist.com and booking.com. Beware of links in emails from hosts and make sure you’re still on Airbnb or whatever other site you think you’re on.
Airbnb could help by adding a type of strong multi-factor authentication, like Security keys – which would defeat these Airbnb phishing pages. According to 2fa.directoryAirbnb does not currently support any type of multi-factor authentication that users can enable.
Airbnb.com said If the company detects something phishy about logging into your account, they may ask you to enter a security code sent to your phone or email address, or verify some of your account information.
In case anyone wants to follow up on this research, other domains used by these scammers include airbnb.longterm-airbnb[.]co.uk, airbnb.pt-anuncio[.]com, airbnb.request-online[.]comand airbnb invoice[.]com. Some of the bank accounts and payout recipients from scams related to these Advertisement are illustrated here.
Comments are closed.